Using the BloodHound Tool for an Active Directory Security Assessment


The intricacy of a modern-day cyber network means that keeping track of all its moving parts can be complex and challenging. It’s this complexity that attackers exploit to camouflage their presence in a network. The question now is how can businesses keep track of these attack vectors to protect the sanctity of their systems?

One way to identify these potential risks is by using the BloodHound tool to conduct a comprehensive assessment, which analyzes the relationships within an Active Directory Domain to trace attack paths with the help of graph theory. A BloodHound assessment can be helpful for any business attempting to outpace security concerns while pushing for digital acceleration.

How Does the BloodHound Tool Work?

BloodHound uses graph theory to help both defenders and attackers find unintended and hidden relationships within an Active Directory environment. It relies on an ingestor to collect data. The ingestor is SharpHound, available either as a command-line executable (SharpHound.exe) or as a PowerShell script that embeds the same assembly. Once run, the ingestor collects information about the Active Directory domain, its users, groups, and computers. SharpHound is an efficient and effective ingestor that uncovers the details of AD permissions, active sessions, and other information using only the rights of an ordinary domain user. Its output is a set of JSON files that are loaded into the Neo4j database and visualized through BloodHound's graphical user interface.

BloodHound is written in JavaScript, packaged with Electron, and draws its power from the Neo4j graph database, which is touted as ACID-compliant. This combination gives BloodHound several advantages, such as online backup and licensed high-availability extensions. Tapping into this graph database, BloodHound searches the relationships between objects and calculates the shortest path between any two of them; because each relationship is stored as a link (an edge) in the graph, the calculation is fast.

Using BloodHound: Beginners Tutorial

Getting Started: Download BloodHound and Neo4j

The first step in a BloodHound assessment is installing the tool and downloading the Neo4j database. Go to the GitHub release page, download the latest version of BloodHound, and extract the downloaded archive into a folder. Next, get your ingestor: go to the BloodHound GitHub repository, download “SharpHound.exe,” and again extract it into a folder. Finally, all you need is a database. Download Neo4j Desktop; it comes as an installer that lets you choose whether to install it for all users or only for yourself. Once installed, the Neo4j Desktop GUI should start. Choose the path where you want it to store data and click on confirm.

To conclude the process, follow the given steps:

  • Go to the “project tab” and name the default project “BloodHound”

  • Click on “add a graph” and then choose “create a local graph”

  • Name the graph “BloodHound” and create a password

  • Your setup is now complete

Collection Of Data

To facilitate data collection, create a directory in PowerShell and make it the current directory. Run “SharpHound.exe -c all” to initiate the collection with all collection methods enabled, and once the collection is successful, SharpHound writes its output to a .zip file in that directory.

Upload The Data

To upload the data, start BloodHound.exe and log in with the username Neo4j and the password you created. Now upload the .zip file from SharpHound, and the application will transfer its JSON files to the database. To run a built-in query, navigate to the search bar and click on the icon on the left side. Now click on ‘queries’ and finally select ‘find the shortest path to domain admin.’

To find the shortest path, you need to follow only two steps: 

  • Choose the pathfinding icon

  • Type the Domain Admins group as the target node and the user as the start node

Interpreting The Results

The path above is one of the many found in a Packetlabs Active Directory Assessment. Once the results are populated, knowing what to look for is important and requires an experienced eye. Below are a few examples of the additional checks conducted:

  • Check for objects with AdminCount set to true

  • Check for computers with unconstrained delegation that are not Domain Controllers

  • Check for Access Control Lists (ACLs) that lead to Domain Admin

  • Check the number of service accounts that are members of Domain Admins
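The four checks above can each be expressed as a custom Cypher query run against the BloodHound database. These queries are an added example and are not part of the original post or of BloodHound's built-in query set; they use BloodHound's standard node properties (admincount, unconstraineddelegation, hasspn) and ACL edge types, and DOMAIN.LOCAL is a placeholder for the assessed domain name.

```cypher
// 1. Objects (users and groups) protected by AdminSDHolder, i.e. AdminCount = true.
//    Stale entries here often point to accounts that once held privilege.
MATCH (n)
WHERE n.admincount = true
RETURN n.name AS object, labels(n) AS type
ORDER BY object;

// 2. Computers with unconstrained delegation that are not Domain Controllers.
//    DOMAIN.LOCAL is a placeholder; replace it with the assessed domain.
MATCH (c:Computer {unconstraineddelegation: true})
WHERE NOT (c)-[:MemberOf*1..]->(:Group {name: "DOMAIN CONTROLLERS@DOMAIN.LOCAL"})
RETURN c.name AS computer;

// 3. Shortest ACL-only paths that end at the Domain Admins group.
//    Only ACL edge types are allowed, so every path found is a misconfigured permission.
MATCH p = shortestPath(
  (n)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl|AddMember|Owns|AllExtendedRights|ForceChangePassword*1..]->
  (g:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"}))
WHERE n <> g
RETURN n.name AS start_node, length(p) AS hops
ORDER BY hops;

// 4. Service accounts (users with an SPN) that are, directly or through nesting, Domain Admins.
MATCH (u:User {hasspn: true})-[:MemberOf*1..]->(g:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"})
RETURN count(DISTINCT u) AS service_accounts_in_da, collect(DISTINCT u.name) AS accounts;
```

Each query is run separately in BloodHound's raw query bar or in the Neo4j browser; the group names must match BloodHound's uppercase NAME@DOMAIN convention.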

Final Thoughts

When you want to analyze trust relationships in Active Directory environments, it is best to opt for a BloodHound assessment. By giving you insight into the complex attack paths in a network, it allows you to eliminate those paths and prevent attackers from gaining domain admin permissions. To help protect your business from malicious hackers, contact the Packetlabs team for a penetration test to identify potential vulnerabilities in your security systems.