
BloodHound

BloodHound is an open source toolset to collect and analyze relational data within an Active Directory and/or Azure environment. BloodHound uses graph theory to reveal hidden and often unintended relationships within these environments to allow Attackers and Defenders to identify highly complex attack paths that would otherwise be impossible to quickly identify. BloodHound has become an industry standard tool for both Red Teams and Blue Teams to attack and defend Active Directory environments.

For additional details on how to use the BloodHound tool see BloodHound's Official Documentation.

Compatibility Note

On August 8, 2023, SpecterOps released the latest version of BloodHound as BloodHound: Community Edition. Currently, NodeZero only supports BloodHound v4.2-v4.3.1.

Installing and Setting up BloodHound

Please see BloodHound's installation documentation.

Using Neo4j in a Docker Container

If you wish to run the Neo4j DBMS for BloodHound in a Docker container, there is an available image on Docker Hub.

  1. Pull the Docker image (the same image tag the run command below starts):
    docker pull neo4j:4.4.13
    
  2. Create a local data directory to which neo4j has write permissions.
  3. Create and run the Docker container:
    • Volume-mount the created data directory to /data within the container.
    • Publish container port 7687 (the Bolt protocol port) and optionally 7474 (the Neo4j browser interface).
    • Set the NEO4J_AUTH environment variable to a username/password combination.

    docker run --name neo --rm -v $PWD/data/:/data -e NEO4J_AUTH=neo4j/password -p 7687:7687 -p 7474:7474 neo4j:4.4.13

  Reference: Docker run Command

Once the container is running, you should be able to connect via the BloodHound GUI.

How Does NodeZero Use BloodHound?

After NodeZero discovers and verifies a domain user credential, it will utilize a BloodHound data collector to gather information on the Active Directory or Azure environment. NodeZero stores this data in a neo4j 4.4.x graph database in our ephemeral architecture during the life of the pentest, and will utilize it to identify complex attack paths that may lead to compromising the domain. After the pentest finishes, the BloodHound data is backed up and stored for a limited time. H3 customers who wish to utilize NodeZero's BloodHound collections to inform their own Red/Blue/Purple team operations can request the data from a pentest for a limited time.

Obtaining NodeZero's BloodHound Data

Note

The ability to download NodeZero's collected BloodHound data is a paid feature, unavailable to free trials. If you would like to request access to this feature, please contact H3 Customer Success.

Using a NodeZero Pentest's BloodHound Data

NodeZero provides BloodHound data in the form of a neo4j backup dump file. Users can use this file to directly load the data into the neo4j database they connect the BloodHound GUI to.

Using neo4j-admin to Import NodeZero's BloodHound Dump to Neo4j

Neo4j provides an administrative command-line tool called neo4j-admin to manage/administer its Database Management System (DBMS). This tool is typically located in the neo4j bin directory. neo4j-admin's load command loads the archive file that NodeZero produces. The command can be run from an online or an offline neo4j DBMS. Typically, the neo4j-admin load command should be run as the neo4j user to ensure appropriate file permissions.

$ neo4j-admin load --database=neo4j --from=<DUMP_FILE_PATH>

Reference: neo4j 4.4 - Restore a database dump

Importing NodeZero's BloodHound Dump When Running Neo4j as a Docker Container

The neo4j Docker images from Docker Hub do not contain the neo4j-admin utility. Instead, you will need to pull the image for neo4j-admin itself:

docker pull neo4j/neo4j-admin:4.4.13

Once complete, users can use the following command to extract the BloodHound data dump from NodeZero into the data folder they will mount when running the neo4j container:

docker run --interactive --tty --rm --volume=$PWD/data:/data --volume=<ABSOLUTE_PATH_TO_BLOODHOUND_DATA_DUMP.dump>:/backups.dump neo4j/neo4j-admin:4.4.13 neo4j-admin load --database=neo4j --from=/backups.dump

Once the dump is finished extracting, you can run your neo4j container:

docker run --name neo --rm -v $PWD/data/:/data -e NEO4J_AUTH=neo4j/password -p 7687:7687 -p 7474:7474 neo4j:4.4.13
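The two Docker procedures above (starting Neo4j in a container, and loading a NodeZero dump with the neo4j-admin image) combined into one script. This is an added example, not code from the NodeZero documentation or the Neo4j project; the variable names N0_DUMP, N0_DATA_DIR, NEO4J_PASSWORD and DRY_RUN are assumptions of this example, and DRY_RUN=1 prints the docker commands instead of running them. It goes slightly beyond the page by validating the dump path, refusing the placeholder password, and binding the published ports to loopback, since the restored graph describes the domain's attack paths.

```shell
#!/bin/sh
# Added example (not from the NodeZero docs): restore a NodeZero BloodHound dump into
# a Dockerized Neo4j 4.4 and start it for the BloodHound GUI. Assumed (hypothetical)
# inputs: N0_DUMP, N0_DATA_DIR, NEO4J_PASSWORD; DRY_RUN=1 prints instead of executing.
set -eu
NEO4J_VERSION="${NEO4J_VERSION:-4.4.13}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 (useful to review before running).
run_or_echo() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# The dump is bind-mounted into the admin container, so the host path must be
# absolute and must exist; docker gives an unhelpful error otherwise.
validate_dump_path() {
  case "$1" in /*) ;; *) echo "dump path must be absolute: $1" >&2; return 1 ;; esac
  [ -f "$1" ] || { echo "dump file not found: $1" >&2; return 1; }
}

# Refuse the docs' placeholder password: the restored graph maps the domain's attack paths.
validate_password() {
  [ "${#1}" -ge 12 ] && [ "$1" != "password" ] || {
    echo "NEO4J_PASSWORD must be at least 12 characters and not 'password'" >&2; return 1; }
}

# Step 1: neo4j-admin load into the host data dir; run before neo4j starts (database offline).
load_dump() {
  dump="$1"; data="$2"
  validate_dump_path "$dump"
  mkdir -p "$data" && chmod 700 "$data"   # restored graph readable only by the invoking user
  run_or_echo docker run --rm --volume="$data:/data" --volume="$dump:/backups.dump" \
    "neo4j/neo4j-admin:$NEO4J_VERSION" neo4j-admin load --database=neo4j --from=/backups.dump
}

# Step 2: start neo4j on the restored data. Bolt (7687) and the browser (7474) are bound
# to loopback so the database is only reachable from this host, where the BloodHound GUI runs.
start_neo4j() {
  data="$1"; password="$2"
  validate_password "$password"
  run_or_echo docker run --name neo --rm --volume="$data:/data" -e "NEO4J_AUTH=neo4j/$password" \
    -p 127.0.0.1:7687:7687 -p 127.0.0.1:7474:7474 "neo4j:$NEO4J_VERSION"
}

# Usage: N0_DUMP=/abs/path/n0.dump N0_DATA_DIR="$PWD/data" NEO4J_PASSWORD='...' sh restore.sh
if [ -n "${N0_DUMP:-}" ]; then
  load_dump "$N0_DUMP" "${N0_DATA_DIR:-$PWD/data}"
  start_neo4j "${N0_DATA_DIR:-$PWD/data}" "${NEO4J_PASSWORD:?set NEO4J_PASSWORD}"
fi
```

Run it once with DRY_RUN=1 to review the exact docker invocations, then again without it to perform the restore and start the container.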