Bloodhound

Neo4j

docker run \
    --publish=7474:7474 --publish=7687:7687 \
    --volume=$HOME/neo4j/data:/data \
    neo4j:4.4.13

Run Remote Bloodhound Script

# Display help output
bloodhound-python

# Collect all information on the domain (requires credential)
# If LDAPS run with --use-ldaps
bloodhound-python -c All -u username -p password -d domain.tld -ns domain-controller-ip

# Collect all information on the domain via post-compromise proxy
# If LDAPS run with --use-ldaps
proxychains -q bloodhound-python -c All -u username -p password -d domain.tld -ns omain-controller-ip --dns-tcp

https://github.com/NH-RED-TEAM/RustHound Better collector

Custom queries

Get owned

MATCH (o {owned: TRUE}) RETURN o

Find computers that allow unconstrained delegation that aren’t domain controllers.

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2

List all computers which are local admins on other computer

MATCH p=(m:Computer)-[r:AdminTo]->(n:Computer) RETURN p

Troubleshooting

./BloodHound --disable-gpu-sandbox

Import owned principals

GitHub - xalicex/import-owned-users-bloodhound: script to import owned users in bloodhoundGitHub

PreviousRusthound NextACL

Last updated 3 months ago

hashtagNeo4j

hashtagRun Remote Bloodhound Script

hashtagCustom queries

hashtagGet owned

hashtagFind computers that allow unconstrained delegation that aren’t domain controllers.

hashtagList all computers which are local admins on other computer

hashtagTroubleshooting

hashtagImport owned principals

Neo4j

Run Remote Bloodhound Script

Custom queries

Get owned

Find computers that allow unconstrained delegation that aren’t domain controllers.

List all computers which are local admins on other computer

Troubleshooting

Import owned principals