BloodHound Fundamentals

Level: intermediate | Duration: 40 min | Format: Writeup

Using BloodHound to find attack paths

Learning Objectives

  • Set up BloodHound
  • Collect AD data with SharpHound
  • Analyze attack paths
  • Identify shortest paths to DA

BloodHound is like X-ray vision for Active Directory. It visualizes attack paths by mapping relationships between users, groups, computers, and permissions. What would take days of manual enumeration, BloodHound reveals in seconds.

Created by @_wald0, @CptJesus, and @harmj0y, BloodHound uses graph theory to find privilege escalation paths. It answers the question: "How can I get from user X to Domain Admin?"

BloodHound CE vs Legacy

BloodHound Community Edition (CE) is the newer version with a web interface. Legacy BloodHound uses a desktop app. Both use the same concepts; we'll cover both where relevant.

BloodHound Architecture

```
BloodHound Components:
├── Collectors (SharpHound/AzureHound)
│   └── Gather AD data from domain
├── Neo4j Database
│   └── Stores relationship graph
└── BloodHound GUI
    └── Visualizes and queries data

Data Flow:
Domain --> SharpHound --> JSON files --> BloodHound --> Neo4j
```

Setup

Legacy BloodHound

```bash
# Install Neo4j
sudo apt install neo4j

# Start Neo4j
sudo neo4j console
# Browse to http://localhost:7474
# Default creds: neo4j:neo4j (change on first login)

# Install BloodHound
sudo apt install bloodhound
# Or download from GitHub releases

# Start BloodHound
bloodhound
# Connect to Neo4j with your credentials
```

BloodHound CE (Docker)

```bash
# Clone and start
git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/docker-compose
docker-compose up -d

# Access at http://localhost:8080
# Default creds shown in docker-compose output
```

Data Collection with SharpHound

```powershell
# Run SharpHound on a domain-joined machine
.\SharpHound.exe -c All

# Collection methods:
# -c Default      Standard collection
# -c All          Everything
# -c Session      Session data only
# -c LoggedOn     Logged-on users
# -c Trusts       Trust relationships
# -c ACL          ACL data
# -c ObjectProps  Object properties

# Stealth options
.\SharpHound.exe -c All --stealth

# Loop collection (for sessions over time)
.\SharpHound.exe -c Session --loop --loopduration 02:00:00

# Specific domain
.\SharpHound.exe -c All -d corp.local

# Name the output zip file
.\SharpHound.exe -c All --zipfilename data.zip

# PowerShell version
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
```

Remote Collection (Linux)

```bash
# bloodhound-python (remote collection)
pip install bloodhound

bloodhound-python -u user -p 'password' -d corp.local -dc dc.corp.local -c All

# Output: JSON files ready for import
```

Session Collection

Run session collection multiple times during the day. Users log in and out - multiple collections increase chances of finding active admin sessions.

Importing Data

Legacy BloodHound:

1. Open BloodHound
2. Drag and drop the ZIP file onto the GUI
3. Wait for the import to complete

BloodHound CE:

1. Log in to the web interface
2. Navigate to File Ingest
3. Upload the ZIP file
4. Monitor import progress

Built-in Queries

Essential Queries

```
Find all Domain Admins
├── Shows members of Domain Admins group

Find Shortest Paths to Domain Admin
├── Attack paths from any user to DA

Find Principals with DCSync Rights
├── Who can perform DCSync attacks

Find Computers with Unconstrained Delegation
├── Potential TGT capture points

Find Kerberoastable Users
├── Users with SPNs (crackable tickets)

Find AS-REP Roastable Users
├── Users without pre-authentication

List all Kerberoastable Users with most privileges
├── High-value Kerberoasting targets
```

Custom Cypher Queries

```cypher
// Find paths from owned principals to DA
MATCH p=shortestPath((n {owned:true})-[*1..]->(m:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
RETURN p

// Find users that reach Domain Admins only through nested group membership
// (direct members of the group are excluded)
MATCH (u:User)-[r:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
WHERE NOT (u)-[:MemberOf]->(g)
RETURN u.name

// Find computers where a DA has an active session
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.name CONTAINS "DOMAIN ADMINS"
RETURN c.name, u.name

// List all GPO links (starting point for GPO attack paths)
MATCH (n)-[:GPLink]->(o)
RETURN n,o
```

Understanding Edges (Relationships)

```
Common Attack Edges:
├── MemberOf - Group membership
├── AdminTo - Local admin rights
├── HasSession - Active login session
├── CanRDP - RDP access
├── CanPSRemote - WinRM access
├── GenericAll - Full control
├── GenericWrite - Write properties
├── WriteDacl - Modify ACL
├── WriteOwner - Take ownership
├── ForceChangePassword - Reset password
├── AddMember - Add to group
├── DCSync - Replication rights
├── AllExtendedRights - Extended rights
├── Owns - Object ownership
└── Contains - OU/Container relationship
```

Edge = Attack Step

Each edge represents a possible attack. A path with 5 edges means 5 attack steps from source to target.

Attack Path Analysis

Using BloodHound for Attack Planning

1. Mark Owned: right-click compromised users/computers and mark them as "Owned"
2. Find Paths: run "Shortest Path from Owned Principals"
3. Analyze Edges: click each edge to understand the attack
4. Prioritize: focus on the shortest, most reliable paths
5. Execute: follow the path, updating owned status as you go

Reading Attack Paths

```
Example Path:
[user01] --MemberOf--> [IT_Support] --GenericAll--> [svc_backup] --AdminTo--> [DC01]

Translation:
1. user01 is a member of the IT_Support group
2. IT_Support has GenericAll on the svc_backup account
3. svc_backup is a local admin on DC01

Attack:
1. Reset svc_backup's password (GenericAll)
2. Use svc_backup to access DC01
3. Dump domain credentials
```
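BloodHound's "Find Shortest Paths to Domain Admin" is, underneath, a breadth-first search over a directed graph. The Python script below is an added illustration, not part of this writeup or of the BloodHound project: it rebuilds the example path above from a constructed edge list (the principal names and the extra CanRDP/HasSession branch are made up), finds the shortest path the way Cypher's shortestPath() does, and flags the non-MemberOf hops, which are the ACL and admin-rights grants a defender would remove to cut the path.

```python
from collections import deque

# Constructed edges mirroring the example path above plus a decoy branch (not real SharpHound output)
EDGES = [
    ("user01@corp.local", "MemberOf", "IT_Support@corp.local"),
    ("IT_Support@corp.local", "GenericAll", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "AdminTo", "DC01.corp.local"),
    ("user01@corp.local", "CanRDP", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "helpdesk@corp.local"),
    ("helpdesk@corp.local", "MemberOf", "IT_Support@corp.local"),
]

def build_graph(edges):
    """Adjacency list: node -> [(edge_type, target_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """BFS over directed edges, like Cypher shortestPath((start)-[*1..]->(target)).
    Returns a list of (source, edge, destination) hops, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while parent[cur] is not None:
                    prev, edge = parent[cur]
                    hops.append((prev, edge, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None

def render_path(hops):
    """Draw hops the way the writeup does: [a] --Edge--> [b] --Edge--> [c]."""
    return f"[{hops[0][0]}]" + "".join(f" --{rel}--> [{dst}]" for _, rel, dst in hops)

def remediation_hops(hops):
    """Non-MemberOf hops are the ACL or admin-rights grants a defender can
    remove to cut the path; group memberships are usually intended."""
    return [h for h in hops if h[1] != "MemberOf"]
```

The decoy branch (user01 -> WS01 -> helpdesk -> IT_Support) is longer, so BFS returns the three-hop path from the writeup; removing either the GenericAll or the AdminTo grant breaks it.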

Pro Tips

  • Always run session collection multiple times during an engagement
  • Mark High Value targets (DCs, admin accounts) for focused analysis
  • Use "Outbound Control" to see what a compromised user can attack
  • Check "First Degree Object Control" for immediate targets
  • Export paths as CSV for reporting
  • Clear database between engagements (different clients)

OPSEC

SharpHound generates significant LDAP traffic. Use --stealth flag and consider running from multiple hosts to blend with normal traffic.

Knowledge Check

Quick Quiz

What does SharpHound collect?

Challenges

Path to Domain Admin

Challenge (intermediate)

Using BloodHound, find the shortest attack path from your current user to Domain Admin. Document each step.


Key Takeaways

  • BloodHound visualizes AD attack paths using graph theory
  • SharpHound collects AD data; BloodHound visualizes it
  • Mark compromised principals as "Owned" for path analysis
  • Edges represent attack techniques (AdminTo, GenericAll, etc.)
  • Session collection should be repeated throughout engagement
  • Cypher queries enable custom attack path discovery