
BloodHound

BloodHound is an open source toolset to collect and analyze relational data within an Active Directory and/or Azure environment. BloodHound uses graph theory to reveal hidden and often unintended relationships within these environments, allowing attackers and defenders to identify highly complex attack paths that would otherwise be impossible to find quickly. BloodHound has become an industry standard tool for both Red Teams and Blue Teams to attack and defend Active Directory environments.

For additional details on how to use the BloodHound tool see BloodHound's Official Documentation.

Compatibility Note

As of May 2024, NodeZero now supports BloodHound CE v5.8+.

Installing and Setting up BloodHound

Please see BloodHound's Installation documentation.

How Does NodeZero Use BloodHound?

After NodeZero discovers and verifies a domain user credential, it will utilize a BloodHound data collector to gather information on the Active Directory or Entra environment. NodeZero stores this data in a neo4j 4.4.x graph database in our ephemeral architecture during the life of the pentest, and will utilize it to identify complex attack paths that may lead to compromising the domain or Entra ID tenant. After the pentest finishes, the BloodHound data is backed up and stored for a limited time. H3 customers who wish to utilize NodeZero's BloodHound collections to inform their own Red/Blue/Purple team operations can request the data from a pentest for a limited time.

Obtaining NodeZero's BloodHound Data

Note

The ability to download NodeZero's collected BloodHound data is a paid feature, unavailable to free trials. If you would like to request access to this feature, please contact H3 Customer Success.

Using a NodeZero Pentest's BloodHound Data

NodeZero provides BloodHound data in the form of a neo4j backup dump file. Users can use this file to directly load the data into the neo4j database they connect the BloodHound GUI to.

Using neo4j-admin to Import NodeZero's BloodHound Dump to Neo4j

Neo4j provides an administrative command-line tool called neo4j-admin to administer its Database Management System (DBMS). This tool is typically located in the neo4j bin directory. neo4j-admin's load command loads the archive file that NodeZero produces. The command can be run against an online or an offline neo4j DBMS. Typically, the neo4j-admin load command should be run as the neo4j user so that the restored database files end up with the correct ownership and permissions.

$ neo4j-admin load --database=neo4j --from=<DUMP_FILE_PATH>

Reference: neo4j 4.4 - Restore a database dump

BloodHound CE provides an environment variable called NEO4J_DATA_MOUNT that can be used to mount a neo4j data directory. Running the following command extracts the neo4j dump archive into a data directory under the current directory; that directory can then be passed to BloodHound CE via NEO4J_DATA_MOUNT.

docker run -v <PATH_TO_DUMP_FILE>:/dump.dump -v $PWD/data/:/data --rm neo4j/neo4j-admin:4.4 neo4j-admin load --database=neo4j --from=/dump.dump

Now set the NEO4J_DATA_MOUNT environment variable and start BloodHound CE.

export NEO4J_DATA_MOUNT=$PWD/data
curl -L https://ghst.ly/getbhce | docker compose -f - up
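The three steps above (load the dump with the neo4j/neo4j-admin:4.4 container, export NEO4J_DATA_MOUNT, start BloodHound CE) wrapped in a small POSIX shell script, as an added example that is not part of this page or of NodeZero's or BloodHound's own tooling. It adds the checks a first restore usually trips over: the dump path must be absolute and readable (docker -v needs an absolute host path), and a data directory that already holds a database is rejected unless the caller opts into neo4j-admin's `--force` overwrite. The function names and the DRY_RUN switch are this script's own conventions.

```shell
#!/bin/sh
# Added example (not NodeZero's or BloodHound's own tooling): restore a
# NodeZero neo4j dump into a data directory and start BloodHound CE on it,
# with the sanity checks a first run tends to trip over. Function names and
# the DRY_RUN switch are conventions of this script only.

# With DRY_RUN=1 every external command is printed instead of executed, so
# the sequence can be reviewed (or tested) on a host without docker.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# docker -v needs an absolute host path, and the container must be able to
# read the file, so reject relative or unreadable dump paths up front.
check_dump() {
    case "$1" in
        /*) ;;
        *) echo "dump path must be absolute: $1" >&2; return 1 ;;
    esac
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "dump file missing or unreadable: $1" >&2
        return 1
    fi
}

# neo4j-admin load refuses to overwrite an existing database unless --force
# is given; a non-empty data directory is the usual cause of a failed load.
data_dir_is_empty() {
    [ ! -d "$1" ] && return 0
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Load the dump with the neo4j/neo4j-admin:4.4 image, exactly as on the page.
# $3 is either "--force" or empty.
load_dump() {
    run_or_print docker run -v "$1:/dump.dump" -v "$2:/data" --rm \
        neo4j/neo4j-admin:4.4 neo4j-admin load --database=neo4j \
        --from=/dump.dump $3
}

# restore_and_start DUMP [DATA_DIR] [force]
restore_and_start() {
    dump="$1"
    data="${2:-$PWD/data}"
    force_flag=""
    [ "$3" = "force" ] && force_flag="--force"

    check_dump "$dump" || return 1
    if ! data_dir_is_empty "$data" && [ -z "$force_flag" ]; then
        echo "$data already holds data; pass 'force' as the third argument to overwrite it" >&2
        return 1
    fi
    run_or_print mkdir -p "$data" || return 1
    load_dump "$dump" "$data" "$force_flag" || return 1

    # BloodHound CE reads the restored database from NEO4J_DATA_MOUNT.
    export NEO4J_DATA_MOUNT="$data"
    run_or_print sh -c 'curl -L https://ghst.ly/getbhce | docker compose -f - up'
}

# Usage (uncomment to run; set DRY_RUN=1 first to only print the commands):
# restore_and_start /absolute/path/to/nodezero.dump "$PWD/data"
```

Run it once with DRY_RUN=1 to see the exact docker and compose invocations it would issue for your paths, then without it to perform the restore. The `--force` path is deliberately opt-in: overwriting a data directory that already contains a BloodHound database discards whatever collection was loaded there before.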