Collection of various utilities to aid in Pentesting with BloodHound.
a) With pipx.

```sh
pipx install git+https://github.com/dadevel/bloodhoundcli.git@main
```

b) With pip.

```sh
pip install --user git+https://github.com/dadevel/bloodhoundcli.git@main
```
In either case, complete the setup by installing the custom queries for BloodHound (based on work by @luemmelsec).

```sh
curl -Lo ~/.config/bloodhound/customqueries.json https://raw.githubusercontent.com/dadevel/bloodhoundcli/main/customqueries.json
```
Run Neo4j containers with Podman.

```sh
bloodhoundcli setup project-1
bloodhoundcli setup project-2  # the first container will be stopped
```
Execute arbitrary Cypher queries against Neo4j. With `-s`, each line read from stdin is bound to the `$stdin` parameter.

```sh
bloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' > ./users.txt
bloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)}) SET u.owned=true RETURN count(u)' << EOF
user1@corp.local
user2@corp.local
EOF
```
Run a DCSync from impacket-secretsdump through Hashcat with multiple wordlists and rulesets. Pre-created computer accounts are cracked automatically. Specify `--no-lm-brute` to skip LM hash cracking.

```sh
impacket-secretsdump -just-dc -outputfile corp.local -k -no-pass dc01.corp.local
bloodhoundcli generate-wordlist > ./custom-words.txt  # made of usernames, descriptions, etc.
bloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds
```
Note: `bloodhoundcli` assumes that the name of the NTDS file minus the `.ntds` suffix is the FQDN of the domain. This means a DCSync from `dc01.subdomain.corp.local` should be named `subdomain.corp.local.ntds`.
Import the DCSync output and Hashcat potfile into BloodHound (inspired by @knavesec and @syss-research). This adds `Credential` objects with `nthash`, `lmhash` and `password` properties, and `HasCredential` as well as `AssignedTo` edges between users and credentials.

```sh
bloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds
```
Import nodes for standalone computers and local users by leveraging the SQLite database of NetExec. This includes `nthash` properties from SAM dumps and `AdminTo` as well as `HasCredential` and `AssignedTo` edges, e.g. to identify local admin password reuse.

```sh
bloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db
```
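Once both `import-ntds` and `import-netexec` have run, the `Credential` nodes described in the two sections above can be queried directly to audit credential hygiene. The following Cypher is an added example and not part of the bloodhoundcli project; it relies only on the `Credential` label and the `nthash`, `password` and `HasCredential` names given above, and it assumes that every imported principal carries a `name` property and that `admincount` and `enabled` are the standard BloodHound `User` properties. The direction of `HasCredential` is not stated on this page, so the pattern is left undirected.

```cypher
// Added example; not from the bloodhoundcli README. Assumptions:
// - HasCredential edge direction is unknown here, hence the undirected pattern
// - imported principals (domain users and local accounts) expose a `name` property

// 1. NT hashes held by more than one principal. Each row is one reused secret
//    together with every domain user or local account that shares it, which
//    surfaces local admin password reuse across hosts as well as users who set
//    the same password on several accounts.
MATCH (p)-[:HasCredential]-(c:Credential)
WHERE c.nthash IS NOT NULL AND p.name IS NOT NULL
WITH c.nthash AS hash, collect(DISTINCT p.name) AS principals
WHERE size(principals) > 1
RETURN hash, size(principals) AS holders, principals
ORDER BY holders DESC;

// 2. Enabled domain users whose password was recovered from the potfile,
//    ordered so that privileged accounts (admincount = true) come first.
//    Only the account names are returned, not the recovered passwords.
MATCH (u:User {enabled: true})-[:HasCredential]-(c:Credential)
WHERE c.password IS NOT NULL
RETURN DISTINCT u.name AS user, u.admincount AS admincount
ORDER BY admincount DESC, user;
```

Both queries can be pasted into the Neo4j browser or passed to `bloodhoundcli query`; the first is the one to run after a NetExec import to see which local account secrets are shared across machines, the second gives the reset list after a cracking run.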
Add historical session data as well as inferred RDP and local admin edges (original idea from @rantasec). First export recent logons from Windows Event Logs with Get-RecentLogons.ps1, then transfer the JSON output to your computer and finally import it into Neo4j.

```sh
bloodhoundcli import-winevents ./logons.json
```
Assign weights to edges in BloodHound (based on work by @riccardoancarani and @jmbesnard).

```sh
bloodhoundcli enrich
```

Now you can use queries like the following to find the easiest instead of the shortest path to Domain Admin.

```cypher
MATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '>', 'cost') YIELD path RETURN path;
```