# 3.3.2 - BloodHound

## **BloodHound** <a href="#bloodhound" id="bloodhound"></a>

Most famous tool that provides GUI for AD entities and relationship for the data collected. It utilzies graph theory mapping shortest path for interesting things like Domain Admins, and contains built-in queries for more interesting path.

There two free versions of BloodHound:

* BloodHound Legacy (present into C:\AD\Tools): <https://github.com/BloodHoundAD/BloodHound>
* BloodHound CE (Community Edition): <https://github.com/SpecterOps/BloodHound>

<div align="left"><figure><img src="https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2FLbHsPZX9oGcNqW1NYVE9%2Fimage.png?alt=media&#x26;token=19e97013-bc82-408c-9de8-66dbc73a9020" alt="" width="200"><figcaption></figcaption></figure></div>

### BloodHound Installation <a href="#bloodhound-installation" id="bloodhound-installation"></a>

Steps to do on attacker machine (Kali)

1\) `apt-get install bloodhound`

2\) `neo4j console`

3\) open browser and go to URL indicated by neo4j console (usually: [http://localhost:7474](http://localhost:7474/))

In this certification is provided BloodHound WebUI to solve labs.

insert default credentials -> neo4j:neo4j and click to connect.

<figure><img src="https://dev-angelist.gitbook.io/~gitbook/image?url=https%3A%2F%2F677614291-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrRWtuMw6xkkeDjZfkcWC%252Fuploads%252FFKxVRkXw5IuHzJZ5E5hK%252Fimage.png%3Falt%3Dmedia%26token%3D5306a709-ef24-4b88-9096-a8018f5f4053&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=cb2af27f&#x26;sv=2" alt=""><figcaption></figcaption></figure>

### Collecting Data

[SharpHound Documentation](https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html)

#### BloodHound CE using SharpHound.exe and .ps1

**CRTP Lab**

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods All
```

**Other Lab**

**`Using SharpHound.ps1`**

* Download and upload `SharpHound.ps1` to the target.
* Run:

  ```powershell
  Import-Module .\SharpHound.ps1
  Invoke-BloodHound -CollectionMethod All
  ```

**Using `SharpHound.exe`**

* Run directly:

  ```powershell
  .\SharpHound.exe -c all
  ```

**Using `bloodhound.py`**

```bash
python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All
```

### Collect Data in Stealthy Mode

#### SharpHound

The process of collection info/data isn't more stealthy, than in particular contest can be useful to remove noisy methods like RDP, DCOM, PSRemote and LocalAdmin (using flag `--excludedcs`)

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs
```

#### SOAPHound

A really good method to collect data in stealth mode is using SOAPHound, it talks to AD Web Services (ADWS - Port 9389) sending LDAP queries, it doesn't send network-based data detection (like MDI) and retrieve info about all objects and process taking LDAP queries.

```powershell
#Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c C:\AD\Tools\cache.txt
#Collect BloodHound compatible data
SOAPHound.exe -c C:\AD\Tools\cache.txt --bhdump -o C:\AD\Tools\bloodhound-output --nolaps
```

Download the resulting `.zip` file and upload it to BloodHound for analysis.

## Labs

* [Post-Exploitation Basics THM Lab](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/thm/post-exploitation-basics)