Collection of various utilities to aid in Pentesting with BloodHound.
- Install Podman and docker-compose.
- Configure rootless containers for Podman.
- Enable the Podman socket for your user.

  ```sh
  systemctl --user enable --now podman.socket
  ```

- Install this Python package with pipx.

  ```sh
  pipx install git+https://github.com/dadevel/bloodhoundcli.git@main
  ```
If you don't want to use BloodHoundCli and are here just for the custom queries, run the command below. Otherwise the queries are installed automatically when you create your first BloodHoundCli project.

```sh
curl -Lo ~/.config/bloodhound/customqueries.json https://github.com/dadevel/bloodhoundcli/raw/main/bloodhoundcli/data/customqueries.json
```

The queries are based on work by @luemmelsec and @martinsohn. Thank you!
Projects are managed with Podman containers. Only one project can be active at a time. Each project consists of BloodHound Community Edition, Neo4j and Postgres.
```sh
bloodhoundcli setup-project example1
bloodhoundcli shutdown-project example1
bloodhoundcli setup-project example2
bloodhoundcli list-projects
bloodhoundcli destroy-project example1
bloodhoundcli destroy-project example2
```

Connection details of the active project:

- BloodHound Legacy: bolt://localhost:7687/, username neo4j, empty password
- Neo4j: http://localhost:7474/, username neo4j, empty password
- BloodHound Community Edition: http://localhost:7575/, username admin, empty password
Ingest files from AzureHound and modern SharpHound.

```sh
bloodhoundcli import-bhce ./azurehound.json ./*_BloodHound.zip
```

Files from bloodhound.py and old SharpHound must be imported with BloodHound Legacy.
Quickly fetch data from Neo4j for use with other tools or import data from other tools into BloodHound.

```sh
bloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' > ./users.txt
bloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)}) SET u.owned=true RETURN u.name' << EOF
john.doe@corp.local
jane.doe@corp.local
EOF
bloodhoundcli query -s -j 'MATCH (u:User {name: $stdin.name}) SET u.foo=$stdin.value RETURN u.name' << EOF
{"name": "john.doe@corp.local", "value": "bar"}
{"name": "jane.doe@corp.local", "value": "baz"}
EOF
```

Execute a set of post-processing queries to mark certain objects with additional attributes and add additional edges for certain situations.

```sh
bloodhoundcli enrich
```

These attributes are:

- `tier=0` for a standard set of tier 0 objects
- `highvalue=true` for objects with a potential path to tier 0
- `active=true` for accounts with a login in the last 90 days
- `sensitive=true` for members of Protected Users
The enrichment also assigns weights to edges in BloodHound (based on work by @riccardoancarani and @jmbesnard).
This allows searching for the easiest instead of the shortest path to Domain Admin.

```cypher
MATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '>', 'cost') YIELD path RETURN path;
```

Run the output of a DCSync with impacket-secretsdump through Hashcat with multiple wordlists and rulesets.
LM hashes and pre-created computer accounts are cracked automatically unless `--no-lm-brute` or `--no-pre2k` respectively is specified.

```sh
impacket-secretsdump -just-dc -outputfile corp.local -k -no-pass dc01.corp.local
bloodhoundcli generate-wordlist > ./custom-words.txt # made of usernames, descriptions, etc.
bloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds
```

Import the DCSync output and Hashcat potfile into BloodHound (inspired by @knavesec and @syss-research).
This adds Credential objects with nthash, lmhash and password properties and HasCredential as well as AssignedTo edges between users and credentials.
```sh
bloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds
```

Note: BloodHoundCli assumes that the name of the NTDS file minus the `.ntds` suffix is the FQDN of the domain. This means a DCSync from `dc01.subdomain.corp.local` must be named `subdomain.corp.local.ntds`.
Import adidnsdump into BloodHound to add an ipaddress attribute to computers.
For hosts that appear in ADIDNS but don't exist in BloodHound, standalone computer objects are created.

```sh
bloodhoundcli import-adidns corp.local ./records.csv
```

Import nodes for standalone computers and local users by leveraging the SQLite database of NetExec.
This includes nthash properties from SAM dumps and AdminTo as well as HasCredential and AssignedTo edges, e.g. to identify local admin password reuse.

```sh
bloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db
```

Add historical session data as well as inferred RDP and local admin edges (original idea from @rantasec). First export recent logons from Windows Event Logs with Get-RecentLogons.ps1, then transfer the JSON output to your computer and finally import it into Neo4j.

```sh
bloodhoundcli import-winevents ./logons.json
```

Import SMB Signing, WebClient and EFS info from ServiceDetector.
```sh
bloodhoundcli query 'MATCH (c:Computer {active: true}) RETURN c.name' > ./computers.txt
servicedetector -c coercion -d corp.local -u jdoe -p 'passw0rd' $(< ./computers.txt) | tee -a ./servicedetector.json
jq -r 'select(.category=="coercion" and .product=="WebClient" and .state=="running")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.webclient=true RETURN c.name'
jq -r 'select(.category=="coercion" and .product=="EFS" and .state=="running")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.efs=true RETURN c.name'
jq -r 'select(.category=="smb" and .signing==false)|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.smbsigning=false RETURN c.name'
```