BloodHound needs to be fed JSON files containing info on the objects and relationships within the AD domain. These information are obtained with collectors (also called ingestors). The best way of doing this is using the official SharpHound (C#) collector.
It must be run from the context of a domain user, either directly through a logon or through another method such as runas (
runas /netonly /user:$DOMAIN\$USER).
# Use the PowerShell moduleImport-Module .\SharpHound.ps1Invoke-BloodHound -CollectionMethod All# Use the executable version.\SharpHound.exe --CollectionMethod All
The previous commands are basic but some options (i.e. Stealth and Loop) can be very useful depending on the context
# Perform stealth collection methodsInvoke-BloodHound -CollectionMethod All -Stealth.\SharpHound.exe --CollectionMethod All --Stealth# Loop collections (especially useful for session collection)# e.g. collect sessions every 10 minutes for 3 hoursInvoke-BloodHound -CollectionMethod Session -Loop -LoopDuration 03:00:00 -LoopInterval 00:10:00.\SharpHound.exe --CollectionMethod Session --Loop --LoopDuration 03:00:00 --LoopInterval 00:10:00# Use LDAPS instead of plaintext LDAP (IgnoreLdapCert for self-signed TLS/SSL certificates)Invoke-BloodHound -SecureLdap -IgnoreLdapCert.\SharpHound.exe --SecureLdap --IgnoreLdapCert
From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.
BloodHound.py is a Python ingestor for BloodHound.
bloodhound.py -c All -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER
Once collection is over, the data can be uploaded and analysed in BloodHound by doing the following.
Find paths between specified nodes
Run pre-built analytics queries to find common attack paths
Run custom queries to help finding more complex attack paths or interesting objects
Run manual neo4j queries
Mark nodes as high value targets for easier path finding
Mark nodes as owned for easier path finding
Find information about selected nodes: sessions, properties, group membership/members, local admin rights, Kerberos delegations, RDP rights, outbound/inbound control rights (ACEs), and so on
Find help about edges/attacks (abuse, opsec considerations, references)
Using BloodHound can help find attack paths and abuses like ACEs abuse, Kerberos delegations abuse, credential dumping and credential shuffling, GPOs abuse, Kerberoast, ASREProast, domain trusts attacks, etc.