Domain Data Collection using Bloodhound

Bloodhound is a data collection tool for Active Directory environments that helps identify attack paths left open by misconfigurations or vulnerabilities. There is a free version of Bloodhound and an enterprise version; in this post we will be using the free version.

Pre-requisites:
Bloodhound ingestor (Python-based)
Bloodhound
Assuming you have already installed the pre-requisites and you have an AD account that has permission to query LDAP objects, we can proceed with data collection.

Run this command from your attacker machine (inside the folder where the Bloodhound ingestor Python file is saved) to collect data from the target domain controller:

python3 bloodhound.py -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN> --collectionmethod LocalAdmin --zip -ns <SERVER_IP_ADDRESS>

In this example, because of the --zip flag, the collector exported the collected data as a zipped file.

Run neo4j console in the VM where you have installed it:

This is the sample output when running the neo4j console.

On another tab, run Bloodhound as a non-root user:

Use the UPLOAD button to upload the zipped file of the collected AD data.
Wait for it to complete the upload.

Bloodhound has an Analysis tab, which can be expanded. In this example, the analysis shows a dangerous privilege: DCSync Rights. DCSync is an attack that allows an attacker to simulate the behavior of a domain controller and retrieve password data via domain replication. If one of these accounts is compromised, an attacker can exploit it to launch the DCSync attack.
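As an added example (not code from the original post or from the Bloodhound project), the script below reads the zipped collector output and lists the principals that hold both replication rights Bloodhound combines into its DCSync edge, so the list can be reviewed and unneeded rights removed. The field names assume the legacy Bloodhound JSON layout (a "data" list of domain objects, each with an "Aces" list carrying "PrincipalSID" and "RightName"); the sample data is constructed.

```python
import json
import zipfile
from collections import defaultdict

# Rights that together make up Bloodhound's DCSync edge (assumption about the
# collector's JSON field names: "Aces", "RightName", "PrincipalSID").
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}

def dcsync_principals(domains_data):
    """Return {PrincipalSID: {RightName, ...}} for principals holding BOTH
    replication rights on any domain object in a parsed domains.json dict."""
    rights = defaultdict(set)
    for domain in domains_data.get("data", []):
        for ace in domain.get("Aces", []):
            if ace.get("RightName") in DCSYNC_RIGHTS:
                rights[ace["PrincipalSID"]].add(ace["RightName"])
    return {sid: r for sid, r in rights.items() if DCSYNC_RIGHTS <= r}

def dcsync_principals_from_zip(zip_path):
    """Open the --zip archive produced by the collector and scan every
    *domains.json member inside it."""
    found = {}
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.endswith("domains.json"):
                found.update(dcsync_principals(json.loads(zf.read(name))))
    return found

# Constructed sample in the shape of a legacy Bloodhound domains.json (not
# real data): one principal with both rights, one with only GetChanges.
SAMPLE_DOMAINS_JSON = {
    "meta": {"type": "domains", "count": 1, "version": 4},
    "data": [{
        "ObjectIdentifier": "S-1-5-21-1-2-3",
        "Properties": {"name": "EXAMPLE.LOCAL"},
        "Aces": [
            {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
             "RightName": "GetChanges", "IsInherited": False},
            {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
             "RightName": "GetChangesAll", "IsInherited": False},
            {"PrincipalSID": "S-1-5-21-1-2-3-1106", "PrincipalType": "User",
             "RightName": "GetChanges", "IsInherited": False},
        ],
    }],
}

if __name__ == "__main__":
    for sid, held in dcsync_principals(SAMPLE_DOMAINS_JSON).items():
        print(f"{sid} holds {sorted(held)} -> review whether DCSync is intended")
```

Only principals with both rights are reported, which matches what the Analysis tab flags; a principal with GetChanges alone cannot replicate secrets.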