Skip to content

deadjakk/bloodhound-cli

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

bh (BloodHound CLI)

Unofficial BloodHound CLI tool written in rust.

Command line neo4j tool to use the bloodhound NEO4J schema to optimize pentesting workflows.

This tool does the following:

  • Parses credentials from various dump file formats while simultaneously marking the users as owned in BH
  • Stores these credentails in NEO4J, visible from the BloodHound GUI client
  • Dumps these credentials with user principal in an 'impacket-friendly format' to stdout
  • Dumps the computers to which a provided principal has access
  • Allows for batch unmarking as well, this also removes creds

What this tool does not do (yet?):

  • Show the graphs, that is best suited for the GUI, since it's graphical
  • It does not contain a lot of queries currently, it performs functions that I feel I need in my day-to-day testing

Installation and Setup

There are just two steps:

  1. Install it like most rust binaries:

cargo install bhound # this will install it as just 'bh'

  1. Add your credentials (replace with your own creds or whatever):
cat  > ~/.bhdb << EOF
user=neo4j
pass=password
server=192.168.1.22:7687
EOF

Usage

All commands currently take one positional argument, it can be a text file from which it will try to parse users in various formats, or it can be a single user, bh SHOULD figure it out. That said, be mindful of what you throw at it.

Marking Owned Principals (-m)

This will parse any of the following formats while ignoring invalid lines:

  • hashcat format (secretsdump.py)
  • LSA secretsdump.py format, example: domain.com/user:password123
  • userprincipalname, example: [email protected]

No prior formatting should be required, as the username+domain get normalized prior to submission to the db. This means you can automatically mark a user as owned and store the credential in the NEO4J database by feeding most common outputs into bh. You WILL be able to see the credential from the bloodhound GUI client by looking under "Extra Properties".

This shold be shown in the image below:
cred-from-bh-gui

This also means for your convenience, you can just feed an entire ntds.dit dump (in hashcat format) to bh and you will no longer have to grep through a dit file again.

The only caveat here is that some AD domains have been through a number of changes and the provided domain might be the netbios name or a domain different from the one stored in neo4j. You can force a given principal, or list of principals to use a specific domain by using the -d flag, as shown in the example below:

$ cat dit-dump.ntds
sprawl.local\service_one:1105:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sprawl.local\kerby:1106:aad3b435b51404eeaad3b435b51404ee:2782ac0a5f160561f1e061bacf148f2e:::
sprawl.local\user1:1107:aad3b435b51404eeaad3b435b51404ee:6184be9146ff782ee1edaf65bb25b7a7:::
sprawl.local\lowpriv:1111:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

$ bh dit-dump.ntds -m -d sprawl.local
found user file: dit-dump.ntds
marked [email protected] as owned: true
marked [email protected] as owned: true
marked [email protected] as owned: true
marked [email protected] as owned: true

Dumping Local Admin Access (-g)

Provided a user principal name, bh will return the computers to which the given principal has administrative access, according to the NEO4J database.

$ bh -g [email protected]
-------- [email protected] --------
ADSS.SPRAWL.LOCAL
COMP1.SPRAWL.LOCAL

Dumping User Credentials from NEO4J (-c)

This snippet is probably how one might most often use this tool during the course of a penetration test. By adding the -c flag, the plaintext password is dumped if it is available, if not, the populated hashes arg is returned. If neither are available, the creds are omitted. This is dumped in the impacket format meaning you can simply copy+paste and slap it in front of whatever impacket example script you please.

$ bh [email protected] -c
-------- [email protected] --------
-hashes aad3b435b51404eeaad3b435b51404ee:6184be9146ff782ee1edaf65bb25b7a7 SPRAWL.LOCAL/[email protected]
-hashes aad3b435b51404eeaad3b435b51404ee:6184be9146ff782ee1edaf65bb25b7a7 SPRAWL.LOCAL/[email protected]

Help Output for Reference

bh 0.1.1
deadjakk
Pentesting workflow optimizer that works with the bloodhound NEO4J db & schema

USAGE:
    bh [FLAGS] [OPTIONS] <principals>

FLAGS:
    -c, --cred-dump
            dump credentials as well as the principal name (only used with -g)

    -g, --getadmins
            get a list of computers to which the provided principal(s) have local administrators rights, passwords will
            be retrieved automagically in impacket format if present in database in impacket format
    -h, --help
            Prints help information

    -m, --markowned
            mark user or list of users as owned

    -V, --version
            Prints version information


OPTIONS:
    -d, --domain <domain>
            force a domain value for parsing, good if you're importing things from that might use an older name or a
            NETBIOS name for the domain

ARGS:
    <principals>
            newline-separated file containing a list of principals or principals+passwords see --help for more info and
            example formats... any parsed passwords will be viewable in the bloodhound GUI when marking principals as
            owned

            the following formats are accepted (invalid lines are ignored):

            optionaldomain\user:password

            optionaldomain/user:password

            [email protected]:password

            domain\user:RID:hash:hash::: (hashcat format)

            user:RID:hash:hash:::        (hashcat format)

            some common output you might use here is output from secretsdump.py (secrets/sam/or ntds.dit) (hashcat
            format)

            output file or any hashcat format file to import passwords during the owned

I am not associated in any way with the makers of the BloodHound GUI

About

Bloodhound CLI Written in Rust

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages