BloodHound
BloodHound is an open source toolset to collect and analyze relational data within an Active Directory and/or Azure environment. BloodHound uses graph theory to reveal hidden and often unintended relationships within these environments, allowing attackers and defenders to identify highly complex attack paths that would otherwise be impossible to quickly identify. BloodHound has become an industry standard tool for both Red Teams and Blue Teams to attack and defend Active Directory environments.
For additional details on how to use the BloodHound tool, see BloodHound's Official Documentation.
Compatibility Note
On August 8, 2023, SpecterOps released the latest version of BloodHound as BloodHound: Community Edition. Currently, NodeZero only supports BloodHound v4.2-v4.3.1.
Installing and Setting up BloodHound
Please see BloodHound's Installation documentation.
Using Neo4j in a Docker Container
If you wish to run the Neo4j DBMS for BloodHound in a Docker container, there is an available image on Docker Hub.
- Pull the docker image:
  docker pull neo4j/neo4j:4.4.13
- Create a local data directory to which neo4j has write permissions.
- Create and run the docker container:
  - Volume mount the created data directory to /data within the container.
  - Publish container ports 7687 (the bolt protocol port) and optionally 7474 (the neo4j browser interface).
  - Set the NEO4J_AUTH environment variable to a username and password combination.
  docker run --name neo --rm -v $PWD/data/:/data -e NEO4J_AUTH=neo4j/password -p 7687:7687 -p 7474:7474 neo4j:4.4.13
Once the container is running, you should be able to connect via the BloodHound GUI.
How Does NodeZero Use BloodHound?
After NodeZero discovers and verifies a domain user credential, it will utilize a BloodHound data collector to gather information on the Active Directory or Azure environment. NodeZero stores this data in a neo4j 4.4.x graph database in our ephemeral architecture during the life of the pentest, and will utilize it to identify complex attack paths that may lead to compromising the domain. After the pentest finishes, the BloodHound data is backed up and stored for a limited time. H3 customers who wish to utilize NodeZero's BloodHound collections to inform their own Red/Blue/Purple team operations can request the data from a pentest for a limited time.
Obtaining NodeZero's BloodHound Data
Note
The ability to download NodeZero's collected BloodHound data is a paid feature, unavailable to free trials. If you would like to request access to this feature, please contact H3 Customer Success.
Using a NodeZero Pentest's BloodHound Data
NodeZero provides BloodHound data in the form of a neo4j backup dump file. Users can use this file to directly load the data into the neo4j database they connect the BloodHound GUI to.
Using neo4j-admin to Import NodeZero's BloodHound Dump to Neo4j
Neo4j provides an administrative command-line tool called neo4j-admin to manage and administer its Database Management System (DBMS). This tool is typically located in the neo4j bin directory. The neo4j-admin load command loads the archive file that NodeZero produces. The command can be run from an online or an offline neo4j DBMS, but the target database itself must be stopped while the dump is loaded, and neo4j-admin load will not overwrite an existing database unless --force is given. Typically, neo4j-admin load should be run as the neo4j user so that the loaded database files end up with appropriate file permissions.
$ neo4j-admin load --database=neo4j --from=<DUMP_FILE_PATH>
Reference: neo4j 4.4 - Restore a database dump
Importing NodeZero's BloodHound Dump When Running Neo4j as a Docker Container
The neo4j docker images from Docker Hub do not contain the neo4j-admin utility. Instead, you will need to pull the image for neo4j-admin itself:
docker pull neo4j/neo4j-admin:4.4.13
Once complete, users can use the following command to extract the BloodHound data dump from NodeZero into the data folder they will mount when running the neo4j container:
docker run --interactive --tty --rm --volume=$PWD/data:/data --volume=<ABSOLUTE_PATH_TO_BLOODHOUND_DATA_DUMP.dump>:/backups.dump neo4j/neo4j-admin:4.4.13 neo4j-admin load --database=neo4j --from=/backups.dump
With the data folder populated, start the neo4j container against it exactly as in the setup section above; the BloodHound GUI can then connect to the imported data:
docker run --name neo --rm -v $PWD/data/:/data -e NEO4J_AUTH=neo4j/password -p 7687:7687 -p 7474:7474 neo4j:4.4.13
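After the dump has been loaded (either with neo4j-admin directly or through the neo4j-admin container) and the neo4j container is running, it is worth confirming that the import actually landed in the neo4j database before pointing the BloodHound GUI at it. The script below is an added example, not code from NodeZero, Horizon3 or the BloodHound project: it connects over the bolt port and NEO4J_AUTH credentials used in the docker run command above (bolt://localhost:7687, neo4j/password, all assumptions you should adjust), counts nodes per BloodHound label, lists the Domain nodes collected, and flags any of the core Active Directory labels that are absent, which usually means the dump was loaded into a different database name or was empty. The checking functions take plain rows, so they run without a server; only main() needs the official neo4j Python driver (pip install neo4j).

```python
"""Sanity-check a NodeZero BloodHound dump after `neo4j-admin load`.

Added example, not NodeZero's or BloodHound's own code. Assumes the dump was
loaded with --database=neo4j and that the container publishes bolt port 7687
with NEO4J_AUTH=neo4j/password, as in the docker run command on this page.
"""
import sys

# Labels every BloodHound v4.x Active Directory collection creates. (Azure
# collections use AZ-prefixed labels such as AZUser instead; adjust the
# tuple if the pentest only collected Azure data.)
EXPECTED_LABELS = ("Domain", "User", "Group", "Computer")

# Cypher run against the loaded graph.
LABEL_COUNT_QUERY = (
    "MATCH (n) UNWIND labels(n) AS label "
    "RETURN label, count(*) AS n ORDER BY n DESC"
)
DOMAIN_QUERY = "MATCH (d:Domain) RETURN d.name AS name ORDER BY name"


def summarize_labels(rows):
    """Turn (label, count) rows into {label: count}.

    Accepts neo4j Record objects or plain tuples (both support row[0], row[1]),
    so the logic can be exercised without a live database."""
    summary = {}
    for row in rows:
        label, n = row[0], row[1]
        summary[label] = summary.get(label, 0) + int(n)
    return summary


def missing_labels(summary, expected=EXPECTED_LABELS):
    """Return the expected labels that have zero nodes, in expected order."""
    return [label for label in expected if summary.get(label, 0) == 0]


def report(summary, domains):
    """Build the human-readable lines shown after an import check."""
    lines = [f"domains collected: {', '.join(domains) or '(none)'}"]
    for label, n in sorted(summary.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {label:<12} {n}")
    gaps = missing_labels(summary)
    lines.append("import looks complete" if not gaps
                 else "missing labels: " + ", ".join(gaps))
    return lines


def main(uri="bolt://localhost:7687", user="neo4j", password="password"):
    """Query the live database; returns 0 when all expected labels exist."""
    # Imported lazily so the pure checking functions above have no dependency.
    from neo4j import GraphDatabase
    driver = GraphDatabase.driver(uri, auth=(user, password))
    try:
        # database="neo4j" must match the --database used for neo4j-admin load.
        with driver.session(database="neo4j") as session:
            summary = summarize_labels(session.run(LABEL_COUNT_QUERY))
            domains = [record["name"] for record in session.run(DOMAIN_QUERY)]
    finally:
        driver.close()
    for line in report(summary, domains):
        print(line)
    return 0 if not missing_labels(summary) else 1


if __name__ == "__main__":
    # Usage: python check_import.py [bolt_uri] [user] [password]
    sys.exit(main(*sys.argv[1:4]))
```

A non-zero exit code means the GUI will connect but show an empty or partial graph; in that case re-check the --database name given to neo4j-admin load and that the data directory mounted at /data is the one the load wrote into.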