Tools of the Trade: Tracking Security Misconfigurations with BloodHound
In this blog, we will be looking into BloodHound, a premier tool utilized by penetration testers to identify and enumerate security misconfigurations in Active Directory (AD) and Azure environments. All visual representations shown in this blog are a result of using credentials from a compromised AD user account. The domain this account lives in has been specifically configured to be used for practicing attacks against Active Directory. Do not attack anything you don’t have explicit permission to attack!
What is BloodHound?
BloodHound is a tool for both attackers and defenders. Penetration testers use BloodHound to aid in uncovering information about domains and potential security misconfigurations within those domains. This gives the penetration tester extremely valuable information on domain configurations and relationships that might be missed otherwise. Defenders can use BloodHound for not only the same reason of discovery, but also to aid the remediation of said misconfigurations in their domain.
What are Attack Paths?
An attack path is the visualization of a path an attacker can take by exploiting attack vectors (vulnerabilities) within an environment. BloodHound visualizes attack paths for the user, making information regarding these paths available throughout the process of exploitation or remediation.
Components of BloodHound
SharpHound and AzureHound are data collection tools penetration testers use to provide information so it can be ingested and visualized in BloodHound.
The BloodHound web application is the visualization portion of the tool that runs on a Postgresql application database and a Neo4j graph database. BloodHound ingests this information from SharpHound and AzureHound.
In the example below, we can see “bloodhound-python” being run with multiple flags. The “-d” flag is used to specify that bloodhound is being run against the “SLIPKNOT.local” domain, the “-u” flag is used to specify the username you want to authenticate as, and the “-p” flag is used to specify the password for the user named after the “-u” flag. The last two flags are “-ns”, used for declaring the nameserver (in this case, the domain controller), and “-c” used with “all” to collect as much data as possible.
After running, multiple .json files are created in the directory it was run in. These .json files contain a variety of information on the domain it was run against. The files are then uploaded to the web application to be parsed and visualized for the user.
Interpreting Results with the BloodHound Interface
After uploading the files into the web application, we can start to look at the environment BloodHound provides the user. This environment is comprised of nodes that represent user, group, computer, domain, etc. These nodes help the user understand and identify attack paths and security misconfigurations by making the entire domain searchable with pre-built or custom queries.
There is a wealth of information provided once the files are ingested into BloodHound. From here the use of the querying system, and what is done with the results, ultimately depends on the objective of the user.
When navigating the querying system there are also multiple ways to visualize and learn about the nodes within the domain. At the bottom of the BloodHound interface the user can sort their node layout by “Sequential” and “Standard”.
After a query is selected, the user can select individual nodes from the results and learn more information about them on the right-hand panel of the interface. The information displayed within this panel depends on the selected node. If a user were to select a group node the resulting information would be creation date, members, description, and other information about the group if available.
A popular series of pre-built queries used by attackers and defenders is the “Shortest Paths” group of queries. These queries can display the shortest paths to some of the most important information within a domain, including domain admins, kerberoastable users, and other high value targets. These queries, along with many other pre-built queries, provide valuable information. This greatly increases the likelihood of penetration testers or network administrators identifying and then exploiting or remediating security misconfigurations within a domain.
Continuously BloodHound emerges as an invaluable asset. For penetration testers, this tool is not just about finding vulnerabilities, it’s also about visualizing and understanding the varying strings of relationships and permissions within an Active Directory domain. By highlighting the paths of least resistance, BloodHound helps pentesters efficiently identify and exploit weaknesses such as misconfigured permissions or vulnerable user accounts. This high level of insight allows for strategic and effective approaches.
For defenders, BloodHound serves as a powerful auditing tool. By adopting the attacker’s viewpoint, they can identify and remediate potential security misconfigurations within their domain. No matter if you’re uncovering hidden security misconfigurations to exploit or remediate, BloodHound stands tall as a tool for all.
Soren is a recent graduate of the Evolve Academy, having completed the program in March of 2023. Before pursuing a career in cybersecurity, Soren gained valuable experience as a Fiber Optic Cable Tech, installing fiber in data centers in Texas. His motivation to enter the field stems from a desire to protect networks and the individuals whose lives are impacted when attacks occur.