Bloodhound / Sharphound - How is this used?

Hi forum, I am working through the Starting Point and am up to the machine named Pathfinder.

Working through the walkthrough I see that a tool called BloodHound is used. I was unable to get this to run at first, but after some fiddling about I managed to get the neo4j DB running and then finally got the BloodHound GUI to run as well, so it appears to be set up right.

The next stage is to get the JSON files and import them into BloodHound for analysis. The command wouldn't execute on my system, probably because I am using BloodHound 3 rather than BloodHound 2. The command is:

bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30

Some further research on this tool draws my attention to sharphound.exe or sharphound.ps1 which is found here:

https://github.com/BloodHoundAD/SharpHound3

So it seems that I should be using SharpHound3 to gather the JSON files, but they don't seem to come in a Linux executable format. I would prefer not to run this on my Windows PC if possible.

Has anyone any experience with SharpHound?
Am I heading down the correct rabbit hole?

ta,
Neo

Comments

  • Hey man,

    So, when you run SharpHound.exe it should spit out a .zip file. Drag and drop that zip file into the BloodHound application window; that should import the data.

  • So, speaking of BloodHound: it's just a domain mapping tool, and SharpHound is the tool to collect the information when running on the victim's machine to map the domain. As this is complex for beginners to use, people made a new ingestor in Python which runs on the attacker machine itself to collect the mapping data. But when I was doing Pathfinder, I tried the Python BloodHound and it didn't work (the JSON files were created but couldn't be mapped), so I went old school.

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • @Lycist said:

    Hey man,

    So, when you run SharpHound.exe it should spit out a .zip file. Drag and drop that zip file into the BloodHound application window; that should import the data.

    Yeah, he is right!

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • I really don't want to be running SharpHound on my Windows PC, so it looks like I will need to run it on one of the other machines that I rooted. Working on that now.

    Luckily I have another Windows machine that is rooted, so I can do this. If I didn't have a rooted Windows machine, and all I had was user creds to get into AD and my Kali laptop, how would I do this?

  • Essentially all I need is those JSON files and the ability to get them from my Kali machine.

  • @NeoCortex2000 said:

    I really don't want to be running SharpHound on my Windows PC, so it looks like I will need to run it on one of the other machines that I rooted. Working on that now.

    Luckily I have another Windows machine that is rooted, so I can do this. If I didn't have a rooted Windows machine, and all I had was user creds to get into AD and my Kali laptop, how would I do this?

    Just to make sure, because I have a feeling you haven't quite got that right: SharpHound.exe will be executed on the Windows machine you want to root, not on your local machine or any other Windows machine.

  • Then I'm stuck...

    How can I export the json files for analysis from the domain controller with only a username and password for a domain user?

    I just can't get this command to work:

    bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30

    It gives me ImportError: cannot import name PyAsn1UnicodeDecodeError

  • I generally use the PS1 version or the EXE version to avoid dependency issues like that. Also might not want to include passwords here, even if they are publicly available.

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • Passwords, noted.

    The PS1 version and the EXE version need to run on the Windows target machine, whereas the command above can be run from the attacker (Linux) machine, but it doesn't work.

  • Ahh, OK, I figured it out.

    I needed to install the Python-based ingestor for BloodHound, which can be found here:

    https://github.com/fox-it/BloodHound.py

    After running the pip install I can now use the bloodhound-python command. Let's see if it works!

  • Turns out my install of Kali is borked. It didn't work. Had to spin up a fresh Kali VM and run it from there. Worked fine. Python is a pain in the arse when it doesn't work.

  • @NeoCortex2000 said:

    Turns out my install of Kali is borked. It didn't work. Had to spin up a fresh Kali VM and run it from there. Worked fine. Python is a pain in the arse when it doesn't work.

    I've installed ldap3, impacket, and dnspython, and for some reason I cannot get this bloodhound-python command to work. At first it was just a "required digestmod" error, and now it gives me import errors: "cannot import name PyAsn1UnicodeDecodeError".

  • I was getting that digestmod error as well. I can't really help you with fixing it other than to deploy a whole new VM and build of Kali. I have about 6 or 7 versions of python installed and something is screwed in the python config. Sometimes other python apps have issues as well.

    I'm left marginally frustrated with this, as I want one machine (my laptop) to be able to do everything I need.

    If you fix it please do share the solution as I am faced with rebuilding the laptop if a solution doesn't come along.

  • I recommend doing/following along the box "Forest". There is a video online where someone uses it to work through a box and they give a pretty good explanation on what it does.

  • Would love to see a walkthrough of this box WITHOUT using bloodhound...

  • @Ja4V8s28Ck said:

    So, speaking of BloodHound: it's just a domain mapping tool, and SharpHound is the tool to collect the information when running on the victim's machine to map the domain. As this is complex for beginners to use, people made a new ingestor in Python which runs on the attacker machine itself to collect the mapping data. But when I was doing Pathfinder, I tried the Python BloodHound and it didn't work (the JSON files were created but couldn't be mapped), so I went old school.

    When you say you went old school, what did you do?
    I am having no luck with BloodHound: fresh install of Kali and getting "Missing required parameter 'digestmod'".

  • There is a known Python 3 problem (https://bugs.python.org/issue33604) which probably impacts bloodhound.py. I checked with Python 2.7 on Kali and it works.

  • How do you switch over to, or manually use, Python 2.7 with bloodhound?
    I tried the git clone, then installing with pip3 install .; it downgraded to bloodhound 1.0.4 from 1.0.5.
    Trying to run it after using python2, it reports no module named ldap3.
    Trying to install it (pip3 install ldap3), it reports 'requirements already satisfied'.

  • As a workaround, Python 3.7 does work with bloodhound.
    To change the default Python version (the current Kali build comes with 3.7 and 3.8), run the following commands (may require sudo/su):

    rm /usr/bin/python3

    ln -s /usr/bin/python3.7 /usr/bin/python3

    This deletes the symbolic link to python3.8 and makes any call to python3 default to python3.7.

  • Actually, @DemiScuzz said:

    @Ja4V8s28Ck said:

    So, speaking of BloodHound: it's just a domain mapping tool, and SharpHound is the tool to collect the information when running on the victim's machine to map the domain. As this is complex for beginners to use, people made a new ingestor in Python which runs on the attacker machine itself to collect the mapping data. But when I was doing Pathfinder, I tried the Python BloodHound and it didn't work (the JSON files were created but couldn't be mapped), so I went old school.

    When you say you went old school, what did you do?
    I am having no luck with BloodHound: fresh install of Kali and getting "Missing required parameter 'digestmod'".

    What I did was use the original BloodHound version, which uses sharphound.ps1 or sharphound.ps2.

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • The Python one didn't actually work for me. If you check out the Python version of BloodHound, it says bloodhound.py is not stable for Kerberos.

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • edited May 11

    @phr0zengh0st said:

    Would love to see a walk-through of this box WITHOUT using bloodhound...

    You can technically avoid BloodHound and complete the box, but it is just a trial-and-error method, as there are only 3 users, where one is administrator, so trying to dump passwords using either of the users will give you the dump. But think of a real-world scenario: there would be more than 20 people connected to the domain, and you can't brute-force dumping passwords on them. That's why BloodHound makes life easier.

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • @phr0zengh0st said:

    Would love to see a walkthrough of this box WITHOUT using bloodhound...

    I didn't use BloodHound at all in my video walkthrough (in fact I've never used it):

    @Ja4V8s28Ck said:
    You can technically avoid BloodHound and complete the box, but it is just a trial-and-error method, as there are only 3 users, where one is administrator, so trying to dump passwords using either of the users will give you the dump. But think of a real-world scenario: there would be more than 20 people connected to the domain, and you can't brute-force dumping passwords on them. That's why BloodHound makes life easier.

    That's not true at all. You can very easily see which users are a member of which groups with a simple LDAP query, and can see which users/groups have DCSync permissions by just using the built-in DSACLS command. There's no trial and error (or brute force / guessing) involved in this machine, regardless of how many user accounts there were.

  • @VbScrub said:

    @phr0zengh0st said:

    Would love to see a walkthrough of this box WITHOUT using bloodhound...

    I didn't use BloodHound at all in my video walkthrough (in fact I've never used it):

    Oops, I am so sorry, I don't know about LDAP querying.

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • https://github.com/fox-it/BloodHound.py/issues/46

    There's this issue in the BloodHound.py repository. The issue is due to ldap3 being incompatible with Python 3.8. It seems python3-ldap is a lower version than pip's.

    tl;dr (assuming you're using Python 3.8), for this error:

    ...
        raise TypeError("Missing required parameter 'digestmod'.")
    TypeError: Missing required parameter 'digestmod'.

    run:

    sudo apt remove python3-ldap
    sudo pip3 install ldap3

    This resolves the issue above, but it'll still give a warning; it seems some info couldn't be extracted due to that digestmod.

    e.g.

    ❯ bloodhound-python -d htb.local -u XXX -p XXX -gc forest.htb.local -c all -ns 10.10.10.161
    INFO: Found AD domain: htb.local
    INFO: Connecting to LDAP server: FOREST.htb.local
    INFO: Found 1 domains
    INFO: Found 1 domains in the forest
    INFO: Found 2 computers
    INFO: Connecting to LDAP server: FOREST.htb.local
    WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
    INFO: Found 31 users
    INFO: Found 75 groups
    INFO: Found 0 trusts
    INFO: Starting computer enumeration with 10 workers
    INFO: Querying computer: EXCH01.htb.local
    INFO: Querying computer: FOREST.htb.local
    WARNING: DCE/RPC connection failed: Missing required parameter 'digestmod'.
    WARNING: DCE/RPC connection failed: Missing required parameter 'digestmod'.
    WARNING: DCE/RPC connection failed: Missing required parameter 'digestmod'.
    WARNING: DCE/RPC connection failed: Missing required parameter 'digestmod'.
    WARNING: DCE/RPC connection failed: Missing required parameter 'digestmod'.
    INFO: Done in 00M 42S
    

    For future info, you can avoid these incompatibility issues with python if you use virtualenv for each project/tools.
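Since the same digestmod error comes up several times in this thread, here is what it actually is, plus a pre-flight check to run inside the virtualenv before launching the ingestor. This is an added example, not code from the thread or from the BloodHound.py project. The error text comes from Python's own hmac.new(), which since 3.8 refuses to pick MD5 when no digest is named (the bpo-33604 change linked earlier); a dependency still using the old two-argument form raises it during the NTLM/DCE-RPC step, which is why the collection "works" but the computer enumeration warns. The list of packages to check is my own choice, and the version lookup assumes the standard importlib.metadata API (or its backport on older interpreters).

```python
"""Pre-flight check for a bloodhound-python install (added example, not from the
thread or the BloodHound.py project): shows what the "Missing required parameter
'digestmod'" error is and lists the dependencies the thread keeps reinstalling."""
import hashlib
import hmac
import sys

try:
    from importlib import metadata          # Python 3.8+
except ImportError:                          # older interpreters: backport package
    import importlib_metadata as metadata

PY38_PLUS = sys.version_info >= (3, 8)

# Packages worth checking before running the ingestor. The set is my assumption,
# not the project's list; 'bloodhound' is the PyPI name of the Python ingestor.
REQUIRED = ("ldap3", "impacket", "dnspython", "pyasn1", "bloodhound")


def hmac_md5(key: bytes, msg: bytes) -> str:
    """HMAC-MD5 as NTLM/DCE-RPC authentication needs it, with the digest named
    explicitly. This form works on every Python 3 version."""
    return hmac.new(key, msg, digestmod=hashlib.md5).hexdigest()


def legacy_call_fails() -> bool:
    """True when this interpreter rejects hmac.new(key, msg) with no digestmod.
    Python 3.8 removed the implicit-MD5 default (bpo-33604), so a library that
    still uses the old form raises exactly the TypeError seen in the thread."""
    try:
        hmac.new(b"key", b"msg")            # pre-3.8 style, MD5 by default
    except TypeError as exc:
        return "digestmod" in str(exc)
    return False                            # 3.7 and older only warn


def installed_versions(packages=REQUIRED) -> dict:
    """Map each package name to its installed version, or None when absent.
    Run it with the interpreter you will launch the ingestor from: it reports
    what *that* interpreter resolves, which is the point on a box where apt's
    python3-ldap and pip's ldap3 both exist."""
    versions = {}
    for name in packages:
        try:
            versions[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            versions[name] = None
    return versions


def missing(packages=REQUIRED) -> list:
    """Names that this interpreter cannot find at all."""
    return [name for name, ver in installed_versions(packages).items() if ver is None]


if __name__ == "__main__":
    print("python", sys.version.split()[0],
          "- old hmac.new(key, msg) form rejected:", legacy_call_fails())
    for name, ver in installed_versions().items():
        print(f"{name:10s} {ver or 'MISSING'}")
```

If legacy_call_fails() is True and the DCE/RPC warnings still appear, the fix is on the dependency side, not the interpreter: upgrade impacket, ldap3 and pyasn1 in a fresh virtualenv, as the later replies describe, rather than re-pointing /usr/bin/python3 at 3.7.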

  • edited June 23

    @NeoCortex2000 said:

    I was getting that digestmod error as well. I can't really help you with fixing it other than to deploy a whole new VM and build of Kali. I have about 6 or 7 versions of Python installed and something is screwed in the Python config. Sometimes other Python apps have issues as well.

    I'm left marginally frustrated with this, as I want one machine (my laptop) to be able to do everything I need.

    If you fix it please do share the solution, as I am faced with rebuilding the laptop if a solution doesn't come along.

    Have you tried upgrading the required packages (impacket, ldap3, dnspython)? I got this digestmod error, and after the upgrade I got "cannot import name 'PyAsn1UnicodeDecodeError' from 'pyasn1.error'". Then I googled this error, and I just had to upgrade pyasn1, and now BloodHound works. Sometimes the pre-installed packages in the ISO or Kali VM are a little bit outdated (I hope it's the right word, native French, sorry). You just need to upgrade them; that's why when you uninstall and reinstall them, you're installing the latest version of all the packages. Hope my post will be useful for someone. Good luck!

  • Hello, I also have an issue with the BloodHound part.

    I use the following command, which works:
    ~/Downloads/blood_attack$ python3 -m bloodhound -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30
    INFO: Found AD domain: megacorp.local
    INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
    INFO: Found 1 domains
    INFO: Found 1 domains in the forest
    INFO: Found 1 computers
    INFO: Connecting to LDAP server: Pathfinder.MEGACORP.LOCAL
    INFO: Found 5 users
    INFO: Connecting to GC LDAP server: pathfinder.megacorp.local
    INFO: Found 51 groups
    INFO: Found 0 trusts
    INFO: Starting computer enumeration with 10 workers
    INFO: Querying computer: Pathfinder.MEGACORP.LOCAL
    INFO: Done in 00M 05S

    But when I drag & drop the JSON files into BloodHound I always get:
    NO DATA RETURNED FROM QUERY

    I use BloodHound 3.0.4 on Kali (Debian) 2020.2,
    Python 3.8.3 and neo4j 4.1.0.

    I don't see any links between nodes, and the only query that works is "List all Kerberoastable Accounts".

    Do you know what is wrong ?

    Thanks !

  • Does the Database Info show information for Users-Computers-Groups and so on?

  • Yes, but I can't perform any request.
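For anyone in the last poster's position (JSON files written, but the GUI returns no edges) or who wants VbScrub's two checks without BloodHound, the ingestor's output can be read directly. The following is an added example, not code from the thread or from the BloodHound project: it loads the users, groups and domains files bloodhound-python writes, lists direct group membership (what a plain LDAP memberOf query shows), and lists every principal that can DCSync a domain, expanding nested groups the way the graph would (DSACLS only shows the direct ACE holders). The field names follow the version 3 JSON layout as I recall it and are an assumption to check against your own files; the domain, accounts and SIDs in the sample are constructed for the example.

```python
"""Offline triage of bloodhound-python JSON output (added example, not from the
thread or the BloodHound project)."""
import json
from collections import defaultdict

# Both extended rights on the domain object are needed for DCSync; GenericAll is
# full control of the object and so includes them.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}

# Constructed sample in the layout bloodhound-python writes to <stamp>_users.json,
# <stamp>_groups.json and <stamp>_domains.json (format version 3; the field names
# are my assumption, diff them against your own files). Names and SIDs are invented.
SAMPLE_USERS = json.dumps({"users": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-500", "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL"}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "Properties": {"name": "ALICE@CORP.LOCAL"}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "Properties": {"name": "SVC_REPL@CORP.LOCAL"}},
], "meta": {"count": 3, "type": "users", "version": 3}})
SAMPLE_GROUPS = json.dumps({"groups": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-512", "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
     "Members": [{"MemberId": "S-1-5-21-1-1-1-500", "MemberType": "User"}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1200", "Properties": {"name": "REPLICATION OPS@CORP.LOCAL"},
     "Members": [{"MemberId": "S-1-5-21-1-1-1-1106", "MemberType": "User"},
                 {"MemberId": "S-1-5-21-1-1-1-1201", "MemberType": "Group"}]},   # nested group
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1201", "Properties": {"name": "HELPDESK@CORP.LOCAL"},
     "Members": [{"MemberId": "S-1-5-21-1-1-1-1105", "MemberType": "User"}]},
], "meta": {"count": 3, "type": "groups", "version": 3}})
SAMPLE_DOMAINS = json.dumps({"domains": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1", "Properties": {"name": "CORP.LOCAL"}, "Aces": [
        {"PrincipalSID": "S-1-5-21-1-1-1-512", "RightName": "GenericAll"},
        {"PrincipalSID": "S-1-5-21-1-1-1-1200", "RightName": "GetChanges"},
        {"PrincipalSID": "S-1-5-21-1-1-1-1200", "RightName": "GetChangesAll"},
        # GetChanges alone is not DCSync; HELPDESK only matters because it is nested
        # inside REPLICATION OPS, which has both rights.
        {"PrincipalSID": "S-1-5-21-1-1-1-1201", "RightName": "GetChanges"},
    ]},
], "meta": {"count": 1, "type": "domains", "version": 3}})


def load(text, key):
    """Return the object list under key ('users', 'groups' or 'domains')."""
    return json.loads(text)[key]


def index(users, groups):
    """sid -> name for every principal, and group sid -> direct member sids."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    members = {}
    for g in groups:
        names[g["ObjectIdentifier"]] = g["Properties"]["name"]
        members[g["ObjectIdentifier"]] = [m["MemberId"] for m in g.get("Members", [])]
    return names, members


def direct_memberships(users, groups):
    """member name -> sorted group names: the view a plain LDAP memberOf query gives."""
    names, members = index(users, groups)
    out = defaultdict(list)
    for gsid, msids in members.items():
        for msid in msids:
            out[names.get(msid, msid)].append(names[gsid])
    return {member: sorted(gs) for member, gs in out.items()}


def expand(gsid, members, seen=None):
    """Every sid reachable from group gsid through nested membership (cycle-safe)."""
    seen = set() if seen is None else seen
    for msid in members.get(gsid, []):
        if msid not in seen:
            seen.add(msid)
            expand(msid, members, seen)      # no-op for users: not a key in members
    return seen


def dcsync_principals(users, groups, domains):
    """domain name -> sorted names of principals able to DCSync it, directly or via
    (nested) group membership. DSACLS lists only the direct holders; this does the
    expansion BloodHound's graph would do."""
    names, members = index(users, groups)
    result = {}
    for d in domains:
        effective = defaultdict(set)        # sid -> rights it ends up holding
        for ace in d.get("Aces", []):
            holder, right = ace["PrincipalSID"], ace["RightName"]
            effective[holder].add(right)
            for inner in expand(holder, members):
                effective[inner].add(right)
        result[d["Properties"]["name"]] = sorted(
            names.get(sid, sid) for sid, rights in effective.items()
            if DCSYNC_RIGHTS <= rights or "GenericAll" in rights)
    return result


def triage(users_json, groups_json, domains_json):
    """Run both checks over the three documents (file contents as strings)."""
    users, groups = load(users_json, "users"), load(groups_json, "groups")
    domains = load(domains_json, "domains")
    return {"memberships": direct_memberships(users, groups),
            "dcsync": dcsync_principals(users, groups, domains)}


if __name__ == "__main__":
    import pprint, sys
    if len(sys.argv) == 4:                  # real files: users groups domains
        docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:                                   # constructed sample above
        docs = [SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_DOMAINS]
    pprint.pprint(triage(*docs))
```

Run it against the three files the ingestor produced: if the groups file has Members and the domain ACEs carry GetChanges/GetChangesAll, the JSON is fine and an empty graph in the GUI is an import or database problem, not a collection problem.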
