BloodHound and Grabbing Data

Last Updated : 4 May, 2026

BloodHound is an Active Directory (AD) enumeration and attack path analysis tool that leverages graph theory to map relationships across an environment. It enables security professionals to visualize how permissions, group memberships and sessions interconnect, making it easier to identify privilege escalation paths and hidden security risks.

  • Reveals indirect and non-obvious trust relationships
  • Highlights shortest paths to critical assets
  • Uses data collected via SharpHound ingestor
  • Provides an interactive graph database interface (Neo4j-based)
  • Supports both Red Team operations (attack simulation) and Blue Team efforts (defense and remediation)
  • Aids in prioritizing remediation efforts based on risk paths

Uses Of BloodHound

  • Map Active Directory relationships: Collects and visualizes users, groups, computers, sessions and ACLs.
  • Identify attack paths: Shows how low-privileged users can escalate to Domain Admin or other critical targets.
  • Visualize AD structure: Converts complex relationships into interactive graph-based views.
  • Privilege auditing: Identifies over-privileged accounts and excessive access rights.
  • Misconfiguration detection: Highlights risky ACLs, group nesting issues and insecure permissions.
  • Attack simulation (Red Team): Helps simulate real-world lateral movement and escalation paths.
  • Defense improvement (Blue Team): Supports hardening by reducing attack paths and tightening access control.
  • Incident response support: Assists in understanding compromise paths during security investigations.

Installing BloodHound On Kali Linux

BloodHound can be installed in two ways:

  • Docker-based setup (BloodHound Community Edition recommended)
  • Manual installation (legacy method using Neo4j)

Note: This guide uses the Docker-based installation, which is the official and simplest way to run BloodHound Community Edition.

Step 1: Update Your System

sudo apt update && sudo apt upgrade -y

If you encounter errors:

sudo apt update --fix-missing && sudo apt upgrade -y

Step 2: Create Installation Directory

cd /opt
sudo mkdir -p BloodHound
cd BloodHound

Step 3: Install Docker & Docker Compose

Docker is required because BloodHound Community Edition runs as a containerized application.

sudo apt install docker.io docker-compose -y

Enable and start Docker:

sudo systemctl enable docker
sudo systemctl start docker

Verify installation:

docker --version
docker-compose --version

Step 4: Add User to Docker Group

sudo usermod -aG docker $USER

Note: Log out and log back in (or reboot) for this change to take effect.

Step 5: Download BloodHound Community Edition

curl -L https://ghst.ly/getbhce -o docker-compose.yml

Step 6: Start BloodHound

docker-compose pull
docker-compose up -d

Step 7: Access BloodHound

Open your browser and navigate to:

http://localhost:8080

Useful Commands

Stop BloodHound:

docker-compose down

View logs:

docker-compose logs -f

Output:

[Image: BloodHound Interface]

  • You will notice many entries appearing in the terminal (the container log output). Find the temporary password printed there; we will use it to log in to the BloodHound interface. Once you log in with that password, it expires and you are prompted to set a new password for the admin user. The default username is admin.
  • Now we have successfully logged in to the BloodHound interface.
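The one-time admin password is easy to lose among the log entries. The following script is an added example, not code from this page or from the BloodHound project: it pulls the password out of saved docker-compose log output. It assumes the line carries the marker phrase "Initial Password Set To:" (the phrase the BloodHound CE documentation tells you to search for), the sample log text is constructed, and the compose service name bloodhound used in the live lookup is an assumption about the standard compose file.

```python
import json
import re

# Constructed sample of docker-compose log output (not real output); the JSON
# envelope with a "message" field mirrors how the BloodHound CE container logs.
SAMPLE_LOGS = """\
bloodhound_1  | {"level":"info","time":"2026-05-04T10:00:01Z","message":"Starting server"}
bloodhound_1  | {"level":"info","time":"2026-05-04T10:00:02Z","message":"# Initial Password Set To:    Xy7-pass-EXAMPLE   #"}
bloodhound_1  | {"level":"info","time":"2026-05-04T10:00:03Z","message":"Server started"}
"""

# Marker phrase assumed from the BloodHound CE documentation; the password is
# the first non-blank token after it.
PASSWORD_RE = re.compile(r"Initial Password Set To:\s*(\S+)")


def _message_of(line):
    """Return the log message text, unwrapping the compose prefix and JSON envelope if present."""
    payload = line.split("|", 1)[1] if "|" in line else line
    payload = payload.strip()
    try:
        doc = json.loads(payload)
    except ValueError:
        return payload  # plain-text log line
    return doc.get("message", payload) if isinstance(doc, dict) else payload


def extract_initial_password(log_text):
    """Return the one-time admin password from compose log output, or None if absent."""
    for line in log_text.splitlines():
        match = PASSWORD_RE.search(_message_of(line))
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    import subprocess
    # Service name "bloodhound" is an assumption about the compose file layout.
    logs = subprocess.run(["docker-compose", "logs", "bloodhound"],
                          capture_output=True, text=True).stdout
    print(extract_initial_password(logs) or "no initial-password line found")
```

Run it from the directory holding docker-compose.yml; if the container has already been restarted after the first login, the line is gone and the function returns None, which is the expected outcome once the password has been changed.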

Deploying SharpHound (Data Collection Phase)

SharpHound is the official data collection tool for BloodHound. It gathers AD data from a compromised system. Once you gain access to a target machine, you can upload it via Meterpreter (msfconsole), file shares, or manual copy (lab environments).

Running SharpHound on Target Machine

You can download SharpHound (PowerShell version) from its official GitHub repository and transfer it to the target system.

[Image: SharpHound]

Step 1: Open PowerShell

powershell -ep bypass

Step 2: Navigate to File Location

cd Downloads

Step 3: Import Script

. .\SharpHound.ps1

Step 4: Execute Data Collection

Invoke-BloodHound -c All -d GFG.local -OutputDirectory C:\Users\Franklin\Downloads -ZipFileName File.zip

  • This generates a ZIP file containing all collected AD data.

Output:

[Image: Bypass]

Transferring Data to Kali (Analysis Machine)

  • Move the generated ZIP file to your Kali Linux system where BloodHound is installed.
  • This can be done via drag-and-drop, shared folders or file transfer tools like SCP.

Output:

[Image: Transferring Zip File]

Importing Data into BloodHound

  • Once the file is available in Kali, open BloodHound in the browser at http://localhost:8080.
  • Upload the generated ZIP file
  • Wait for ingestion and processing to complete
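Before uploading the ZIP, it is worth checking what it actually contains: that the object counts are sane and that the data belongs to the domain you passed with -d. The following is an added example, not code from this page or from the SharpHound project. It assumes each JSON member of the archive holds a data list plus a meta block with type, count and version keys (my understanding of the SharpHound output layout, stated here as an assumption); the archive built by build_sample_zip is constructed in memory so the script runs without a real collection.

```python
import io
import json
import zipfile
from collections import Counter


def build_sample_zip():
    """Construct a small SharpHound-style archive in memory (sample data, not real output)."""
    files = {
        "20260504100000_users.json": {
            "data": [
                {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
                 "Properties": {"name": "USER@GFG.LOCAL", "domain": "GFG.LOCAL", "enabled": True}},
                {"ObjectIdentifier": "S-1-5-21-1-1-1-500",
                 "Properties": {"name": "ADMINISTRATOR@GFG.LOCAL", "domain": "GFG.LOCAL", "enabled": True}},
            ],
            "meta": {"type": "users", "count": 2, "version": 5},
        },
        "20260504100000_groups.json": {
            "data": [
                {"ObjectIdentifier": "S-1-5-21-1-1-1-512",
                 "Properties": {"name": "DOMAIN ADMINS@GFG.LOCAL", "domain": "GFG.LOCAL"}},
            ],
            "meta": {"type": "groups", "count": 1, "version": 5},
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, json.dumps(content))
    return buf.getvalue()


def summarize_sharphound_zip(zip_bytes, expected_domain=None):
    """Return (object counts per type, domains seen, list of problems) for a SharpHound ZIP."""
    counts = Counter()
    domains = set()
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                problems.append(f"unexpected non-JSON member: {name}")
                continue
            # utf-8-sig tolerates the byte-order mark that Windows tools often prepend
            doc = json.loads(zf.read(name).decode("utf-8-sig"))
            meta = doc.get("meta", {})
            data = doc.get("data", [])
            kind = meta.get("type", "unknown")
            counts[kind] += len(data)
            if meta.get("count") != len(data):
                problems.append(f"{name}: meta.count={meta.get('count')} but {len(data)} records present")
            for obj in data:
                dom = obj.get("Properties", {}).get("domain")
                if dom:
                    domains.add(dom.upper())
    if expected_domain and domains != {expected_domain.upper()}:
        problems.append(f"expected data only for {expected_domain.upper()}, found {sorted(domains)}")
    return dict(counts), domains, problems


if __name__ == "__main__":
    import sys
    # Pass a real SharpHound ZIP path as argv[1]; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    counts, domains, problems = summarize_sharphound_zip(blob, "GFG.local")
    print("objects per type:", counts)
    print("domains:", sorted(domains))
    print("problems:", problems or "none")
```

A mismatch between meta.count and the number of records, or an unexpected domain, usually means a truncated transfer or a collection run against the wrong domain, both cheaper to catch here than after a failed or misleading ingestion.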

Output:

[Image: Group Management]

Analyzing the Data

Once processing is complete:

  • Go to the Group Management or Analysis section
  • Click on All Active Directory Domains (e.g., GFG.local)
  • You will see all users, groups and relationships in the domain (e.g., GFG.local)

Selecting a user displays details such as:

  • Group memberships
  • Session information
  • Access relationships
  • Account attributes (e.g., last login, privileges)

Output:

[Image: Users]

  • You will now see a list of all users from GFG.local.
  • Selecting a user shows details such as group memberships, last login information and related attributes.
  • For example, selecting USER@GFG.local and clicking Explore provides detailed insights about that account.

Output:

[Image: Explore]

  • Use the search bar on the right to quickly look up usernames and view all their associated data.
  • Take time to explore these options yourself to better understand how BloodHound maps users and groups in Active Directory.
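To make clear what the "shortest path" view is computing when you explore a user, here is an added example of the underlying graph search, not BloodHound's own code or queries. The edge data is constructed for GFG.local; the relationship names (MemberOf, GenericAll, AdminTo, HasSession, CanRDP) are BloodHound edge types, but every object and link is invented. It goes one step beyond the page by also listing choke-point edges, the ones whose removal alone severs every route to Domain Admins, which is the remediation-prioritization use mentioned at the top of the page.

```python
from collections import deque

# Constructed sample edges in BloodHound's (source, relationship, target) form; not real data.
SAMPLE_EDGES = [
    ("USER@GFG.LOCAL", "MemberOf", "HELPDESK@GFG.LOCAL"),
    ("USER@GFG.LOCAL", "MemberOf", "DOMAIN USERS@GFG.LOCAL"),
    ("DOMAIN USERS@GFG.LOCAL", "CanRDP", "WS01.GFG.LOCAL"),
    ("HELPDESK@GFG.LOCAL", "GenericAll", "SVC_BACKUP@GFG.LOCAL"),
    ("HELPDESK@GFG.LOCAL", "GenericAll", "SVC_SQL@GFG.LOCAL"),
    ("SVC_BACKUP@GFG.LOCAL", "AdminTo", "DC01.GFG.LOCAL"),
    ("SVC_SQL@GFG.LOCAL", "AdminTo", "DC01.GFG.LOCAL"),
    ("DC01.GFG.LOCAL", "HasSession", "ADMINISTRATOR@GFG.LOCAL"),
    ("ADMINISTRATOR@GFG.LOCAL", "MemberOf", "DOMAIN ADMINS@GFG.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...], preserving edge order."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None if unreachable."""
    if start == goal:
        return []
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = (node, rel)
            if nxt == goal:
                hops = []
                cur = goal
                while parents[cur] is not None:  # walk back to the start node
                    prev, r = parents[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def choke_points(edges, start, goal):
    """Edges whose removal alone leaves no route from start to goal (fix these first)."""
    if shortest_path(build_graph(edges), start, goal) is None:
        return []
    critical = []
    for i, edge in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        if shortest_path(build_graph(remaining), start, goal) is None:
            critical.append(edge)
    return critical


if __name__ == "__main__":
    start, goal = "USER@GFG.LOCAL", "DOMAIN ADMINS@GFG.LOCAL"
    path = shortest_path(build_graph(SAMPLE_EDGES), start, goal)
    print(f"shortest path ({len(path)} hops):")
    for src, rel, dst in path:
        print(f"  {src} -[{rel}]-> {dst}")
    print("choke-point edges to remediate first:")
    for src, rel, dst in choke_points(SAMPLE_EDGES, start, goal):
        print(f"  {src} -[{rel}]-> {dst}")
```

In the sample, two service accounts both lead to DC01, so neither GenericAll edge is a choke point on its own; the three edges that are (the initial group membership and the two at the Domain Admins end) are where a single change removes the whole path. BloodHound runs the same kind of search over the Neo4j graph, which is why it can rank paths rather than just list permissions.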

Output:

[Image: Map]