Bloodhound

Neo4j

docker run \
    --publish=7474:7474 --publish=7687:7687 \
    --volume=$HOME/neo4j/data:/data \
    neo4j:4.4.13

Run Remote Bloodhound Script

# Display help output
bloodhound-python

# Collect all information on the domain (requires credential)
# If LDAPS run with --use-ldaps
bloodhound-python -c All -u username -p password -d domain.tld -ns domain-controller-ip

# Collect all information on the domain via post-compromise proxy
# If LDAPS run with --use-ldaps
proxychains -q bloodhound-python -c All -u username -p password -d domain.tld -ns omain-controller-ip --dns-tcp

https://github.com/NH-RED-TEAM/RustHound Better collector

Custom queries

Get owned

MATCH (o {owned: TRUE}) RETURN o

Find computers that allow unconstrained delegation that aren’t domain controllers.

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2

List all computers which are local admins on other computer

MATCH p=(m:Computer)-[r:AdminTo]->(n:Computer) RETURN p

Troubleshooting

./BloodHound --disable-gpu-sandbox

Import owned principals

GitHub - xalicex/import-owned-users-bloodhound: script to import owned users in bloodhoundGitHub

PreviousRusthound NextACL

Last updated 1 month ago