Hot on the Trail of Domain Admin: Bloodhound Intro

Hot on the Trail of Domain Admin: Bloodhound Intro

Recently, I had a chance to utilize and deploy Bloodhound during a internal security assessment.  Bloodhound has been talked about the new hotness in security tools for a while now, and I had been meaning to sit down and figure it out.  This post will serve as a general outline to getting Bloodhound up and running on your environment.  

What is BloodHound?

Bloodhound is an open source tool, licensed under GPLv3, that will help organizations or penetration testers to analyze and understand Active Directory Trust Relationships.  This can be beneficial from an offensive stand point, because it will instruct the engineer the exact hops needed through a network to obtain Domain Admin privileges.  In terms of defensive engineer, this tool can help show attack paths that an attacker might take, or show you flaws in your environment.   When viewing the trust relationships it is best to make business justifications if these trust paths need to exist.

The developers of Bloodhound are truly intelligent security researches that are deeply embedded in the world of Windows Security.  I highly recommend viewing their video discussing the use cases and the usage of the tool.  The name of the video is Six Degrees of Domain Admin.


As with most setups that are performed on this blog we want to start with a up to date Kali Linux install.  

Bloodhound has two options of installation.  You can either install from source by pulling from GitHub or you can run apt install bloodhound.  For this blog post I recommend using the aptitude package manager.

One of the main components of Bloodhound is the Neo4j graphing platform.  In order to keep prying eyes from looking our mapping we should change the password by invoking the following commands: neo4j console  Now that Neo4j is running you can open your web browser to http://localhost:7474 which will look like the screenshot below.  

The default password for Neo4j is neo4j:neo4j.  You can login to the portal using that, and Neo4j will automatically prompt to change your temporary password.  

Now that Neo4j is setup, we can see if Bloodhound is accessible.  We will open a new terminal window and run the command bloodhound which will launch Bloodhound.  Take note, you will need to leave the Neo4j console window because it is the graphing platform that will be utilized by bloodhound.  You can background the process if you would like.  The screenshot below shows the Bloodhound will be waiting for login credentials, which will be as follows:

Database URL - bolt://
Username - neo4j
Password - <Password Entered Above>

Once you submit the Login form you will be presented with the Bloodhound tool without any data.  Continue to read in order to obtain data that can be ingested by Bloodhound.  


Now that you have the server side of Bloodhound running, you need to get the juicy data into the graphing platform.  There are example data that are included with Bloodhound in order to test the graphing portion, but instead I would recommend utilizing a development environment to test out Bloodhound.  

BloodHound comes with a PowerShell script with several cmdlets that make this process easy. Get-BloodHoundData collects the data BloodHound needs. This cmdlet will return a PowerShell object. It’s necessary to pipe this object to another cmdlet to take some action on it. The Export-BloodHoundCSV cmdlet will dump the BloodHound data into three CSV files.

PS C:\> powershell-import /path/to/BloodHound.ps1
PS C:\> powershell Get-BloodHoundData | Export-BloodHoundCSV

The CSV files will exist on the target where the above cmdlets were run. To import them into BloodHound you will need to download the CSV files and use the Upload function in BloodHound’s interface.

From this point, you’re ready to run queries against this data. BloodHound has several pre-built queries and it’s also very easy to ask BloodHound to give you a trust path from one identity or system to another.  As you can see from the screenshot below the Shortest Path can be selected that will allow owned nodes to get to Domain Admin.


Bloodhound might be one of the most powerful tools that were released in recent Network Security history.  The demo that was presented here was limited in design. Utilizing Bloodhound in a large scale Active Directory environment would yield much large results.  Until next time, keep on digging!  


Ryan Villarreal

About Ryan Villarreal