BloodHound Installation on Linux/Ubuntu OS

Welcome back to my blog. Today we will discuss what BloodHound is, how it is used in Active Directory (AD) enumeration, its installation steps, how to collect Active Directory data with SharpHound, how to analyze attack paths with BloodHound, how to exploit weak Kerberos delegation, and how we can secure Active Directory against BloodHound-based attacks.


What is BloodHound?

BloodHound is a cybersecurity tool used to analyze and map relationships inside Active Directory (AD) environments. Active Directory is a system used by organizations (such as companies, universities, or government offices) to manage users, computers, permissions, and access to resources like files, applications, and networks.


BloodHound helps security professionals, penetration testers, and system administrators understand how attackers might move inside a network if they gain access to one account or computer. Instead of only showing individual accounts or permissions, BloodHound builds a visual graph that shows how everything in Active Directory is connected.

Think of Active Directory like a large school with:

  1. Students (Users)
  2. Classrooms (Computers)
  3. Teachers and principals (Administrators)
  4. Rules about who can enter which rooms (Permissions)

BloodHound works like a map that shows how someone could move through the school by using the permissions and relationships between people and rooms.


How to Install and Run BloodHound on Linux/Ubuntu

To prepare for Active Directory enumeration and attack path analysis, BloodHound was installed directly from the Kali Linux repositories. Installing BloodHound locally ensures access to both its graphical analysis interface and the required data collection utilities used throughout the assessment.

The system package lists were first updated to ensure the latest repository metadata was available. BloodHound and its dependencies were then installed using the following command:

sudo apt update && sudo apt install -y bloodhound

During installation, several supporting components were automatically deployed. The package manager installed SharpHound, which is responsible for collecting Active Directory enumeration data from target environments. AzureHound was also included to support hybrid or cloud-based enumeration scenarios.

BloodHound relies on a graph database backend to store and visualize domain relationships. As part of the installation, Neo4j was installed and configured as the primary database service. Since Neo4j operates on Java, the installer also deployed the required OpenJDK 11 runtime environment along with supporting Java utilities.

The installation process downloaded approximately 234 MB of packages and configured all required dependencies automatically. Once completed, the system contained the full BloodHound toolkit, including:

  • Graphical interface for relationship visualization
  • Data collection utilities
  • Graph database backend for storing enumeration results

With BloodHound successfully installed, the environment was prepared for Active Directory data collection and privilege escalation path analysis in later stages of the assessment.


Initializing the BloodHound Environment

Following the installation of BloodHound and its dependencies, the environment required initial service configuration before the tool could be used for Active Directory relationship analysis. Kali provides a helper utility that automates the setup of the required database services and backend components.

To initialize the BloodHound environment, the setup script was executed:

sudo bloodhound-setup

The setup utility first verified that the required PostgreSQL service was running. PostgreSQL is used by the BloodHound API to store application-related data. The script confirmed that both the BloodHound database and its associated user account already existed and adjusted permissions accordingly.

Next, the script checked the status of the Neo4j graph database, which is responsible for storing and visualizing Active Directory relationship data. The output indicated that Neo4j was not currently running, prompting the setup script to automatically start the service. Once started, Neo4j exposed its management interface locally on port 7474.

At this stage, the setup process highlighted an important security requirement. Neo4j ships with default credentials (neo4j:neo4j), which must be changed before BloodHound can be used. The setup script also instructed that the BloodHound API configuration file be updated after the password change, so that BloodHound can still authenticate to the Neo4j database.

The Neo4j web interface was then opened automatically, allowing the initial password change and confirmation that the database service was functioning correctly. With Neo4j running and PostgreSQL configured, the BloodHound backend services were successfully prepared for data ingestion and graph-based analysis during later enumeration stages.


Initial Enumeration

With the BloodHound backend services initialized, the next step involved accessing the Neo4j management interface to complete the initial database configuration. Neo4j provides the graph database engine used by BloodHound to store and analyze Active Directory relationships, making it a critical component of the enumeration workflow.

After the setup script started the Neo4j service, the web interface became available locally on port 7474. This interface allows administrators to manage the database, configure authentication, and verify connectivity.

A browser was opened, and the Neo4j interface was accessed at the local management port mentioned above:

http://localhost:7474

Upon accessing the portal, the Neo4j login screen prompted for authentication. As this was the initial setup, the default credentials were used to establish the first connection:

  • Username: neo4j
  • Password: neo4j

These default credentials are standard for fresh Neo4j installations and are required to initialize the database environment. After successful authentication, Neo4j prompts for a password change to secure the database instance. This step ensures that only authorized tools and users can interact with the BloodHound graph database.

Establishing this connection confirmed that the Neo4j service was running correctly and ready to accept data. With the graph database accessible and properly configured, the environment was now prepared for BloodHound to ingest enumeration data and begin mapping Active Directory relationships in subsequent phases of the assessment.


Changing the Default Credentials

After successfully authenticating to the Neo4j web interface using the default credentials, the system enforced a mandatory password change. This is standard behavior for a fresh Neo4j installation, as the default credentials are publicly known and cannot be used for continued access.


The interface prompted for a new password to replace the default neo4j password. A secure password was selected and entered to complete the initialization process. This new password would be required by BloodHound when connecting to the Neo4j database backend.

This step is critical, as BloodHound relies entirely on Neo4j to store and query Active Directory relationship data. Without updating the default credentials, BloodHound would be unable to authenticate and establish a database connection.

Once the password was successfully updated, the Neo4j instance became fully operational and ready to accept connections. With the graph database configured and secured, the environment was now properly prepared for launching BloodHound and importing enumeration data collected from the target Active Directory environment.


Updating the BloodHound API Configuration

After securing the Neo4j database by changing the default password, it was necessary to update the BloodHound API configuration to ensure proper authentication between BloodHound and the Neo4j backend. BloodHound relies on this configuration file to establish a connection to the graph database, and any mismatch in credentials would prevent the application from functioning correctly.

To update the configuration, the BloodHound API configuration file was opened using the nano text editor:

sudo nano /etc/bhapi/bhapi.json

This file contains the connection parameters for both the PostgreSQL database and the Neo4j graph database. Within the neo4j section, the secret field defines the password BloodHound uses to authenticate with the Neo4j service.

Since the default Neo4j password had been changed during initialization, the value of the secret field was updated to reflect the newly configured password. This ensures that BloodHound can successfully authenticate and communicate with the Neo4j database.

After updating the password, the file was saved and the editor exited. With the configuration file properly updated, BloodHound was now fully aligned with the Neo4j authentication settings and ready to establish a connection to the graph database during launch.

This completed the backend configuration phase, ensuring that all required services were properly configured and authenticated for subsequent Active Directory enumeration and analysis.
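The following is an added pre-flight check (not part of the original post or of the BloodHound project) that reads bhapi.json and reports whether the neo4j or PostgreSQL secret is still a default or otherwise weak value. The page only states that the neo4j section has a secret field; the other key names and the sample file are assumptions.

```python
import json

# Values that must never remain in bhapi.json after setup. "neo4j" is the
# factory default discussed above; the others are assumed well-known
# placeholders (constructed for this example).
WEAK_SECRETS = {"", "neo4j", "admin", "password", "bloodhound",
                "bloodhoundcommunityedition"}

# Constructed stand-in for /etc/bhapi/bhapi.json. Only the "secret" key in
# the neo4j section is stated on the page; the surrounding layout is assumed.
SAMPLE_CONFIG = """
{
  "neo4j": {"addr": "localhost:7687", "username": "neo4j",
            "secret": "neo4j", "database": "neo4j"},
  "database": {"addr": "localhost:5432", "username": "bloodhound",
               "secret": "bloodhound", "database": "bloodhound"}
}
"""


def check_backend_secrets(config_text):
    """Return a list of findings; an empty list means both backends look fine."""
    cfg = json.loads(config_text)
    findings = []
    for section in ("neo4j", "database"):
        block = cfg.get(section)
        if not isinstance(block, dict) or "secret" not in block:
            findings.append(f"{section}: no secret configured")
            continue
        secret = block["secret"]
        username = block.get("username", "")
        if secret.lower() in WEAK_SECRETS:
            findings.append(f"{section}: secret is a default or well-known value")
        elif secret == username:
            findings.append(f"{section}: secret equals the username")
        elif len(secret) < 12:
            findings.append(f"{section}: secret shorter than 12 characters")
    return findings


def check_file(path="/etc/bhapi/bhapi.json"):
    """Run the same checks against the real configuration file."""
    with open(path, encoding="utf-8") as fh:
        return check_backend_secrets(fh.read())


if __name__ == "__main__":
    for line in check_backend_secrets(SAMPLE_CONFIG) or ["no weak backend secrets found"]:
        print(line)
```

Run check_file() as root after editing the file; an empty result means the password change was carried into the API configuration.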


Launching BloodHound

With Neo4j secured and the BloodHound API configuration updated, the final step in the local setup was launching BloodHound and verifying that the web interface could successfully communicate with the backend services.

BloodHound was started from the terminal using the wrapper command provided by the Kali package:

bloodhound

On startup, BloodHound first validated that Neo4j was available. The output confirmed that Neo4j was already running, preventing the need to restart it. BloodHound then loaded its configuration from /etc/bhapi/bhapi.json and proceeded to initialize its backend components.

Since this was the first time BloodHound was being launched on this system, the application automatically initialized its database schema and applied a series of migrations. These migration entries (e.g., v6.x through v8.x) are expected during a first-run deployment and indicate that BloodHound is preparing its internal database structures for storing application state and analysis metadata. Immediately after, the tool created the necessary Neo4j indexes for various node types (users, computers, groups, domains, and Azure-related objects), which improves query performance when datasets are imported later.

Two non-blocking warnings appeared regarding AzureHound and SharpHound manifest generation. These messages indicate that BloodHound could not find the expected local collector directories under /etc/bloodhound/collectors/. This did not prevent the server from starting, and collectors can still be executed independently when needed during enumeration.


After initialization, the output confirmed that the server had started successfully and then opened the BloodHound web interface locally in the browser.

Browsing to the URL displayed the BloodHound Community Edition login page. Initial authentication was performed using the default administrative credentials:

  • Username: admin
  • Password: admin

On first login, BloodHound enforced a password change, prompting for a new password before continuing. This is expected behavior for a fresh deployment and ensures that the default administrative credentials are not left in place.


At this point, BloodHound was fully operational: the backend services were running, the graph database connection was established, and the web interface was accessible for importing SharpHound data and performing Active Directory attack path analysis in the next phase.


Why BloodHound is Useful in Active Directory Enumeration

1. Helps Discover Hidden Permission Relationships

In large organizations, permissions are often complicated. A user may not appear to have high privileges directly, but they might have indirect access through group memberships or delegated permissions.

BloodHound helps identify:

  • Who controls certain accounts
  • Which users can modify other users
  • Which computers can be accessed by specific accounts
  • Paths that could lead to administrative privileges

This makes it easier to detect weak security configurations.


2. Visualizes Attack Paths

Instead of reading thousands of lines of technical data, BloodHound creates graphs that show how access can spread across a network.

For example, BloodHound might reveal:

  • A normal user can reset another user’s password
  • That second user belongs to a privileged group
  • That group can control a domain administrator account

This chain of relationships is called an attack path. BloodHound automatically finds these paths and shows them visually.


3. Helps Improve Security

BloodHound is not just for attackers or penetration testers. System administrators use it to:

  • Identify risky permission settings
  • Reduce unnecessary privileges
  • Strengthen network security
  • Understand how privilege escalation can occur

By fixing weak configurations, organizations can prevent real attacks.


4. Saves Time During Enumeration

Manual Active Directory enumeration can take a long time because AD environments often contain:

  • Thousands of users
  • Hundreds of computers
  • Many nested groups and permissions

BloodHound automates data collection and analysis, allowing security professionals to focus on interpreting results rather than manually searching for relationships.


How BloodHound Works (Simple Explanation)

BloodHound works in two main stages:

Stage 1: Data Collection

BloodHound uses a data collector (such as SharpHound or other collectors) to gather information from the Active Directory environment.

The collector gathers information like:

  • User accounts
  • Group memberships
  • Computer sessions
  • Access permissions
  • Trust relationships between domains


Stage 2: Data Analysis and Visualization

After collecting data, BloodHound imports it into a database and shows the relationships using graphs.

These graphs allow users to:

  • Search for privileged accounts
  • Identify shortest paths to administrative control
  • Understand trust relationships
  • Explore how access spreads through the network


Interesting Things to Explore Using BloodHound

Privilege Escalation Paths

BloodHound can show how a low-privileged account might eventually gain administrator privileges through multiple permission relationships.


Domain Trust Relationships

In organizations with multiple domains, BloodHound can reveal how domains trust each other and how access might move between them.


Session Information

BloodHound can show which users are currently logged into which computers. This helps identify opportunities where privileged credentials might be exposed.


Group Membership Chains

Sometimes users are part of groups that are nested inside other groups. BloodHound makes it easy to see these chains and how they lead to powerful permissions.


Attack Simulation and Defense Planning

Security teams can use BloodHound to simulate how attackers might move inside the network and then fix those weaknesses before they are exploited.


Important Ethical and Security Considerations

BloodHound is a powerful tool and should only be used:

  • During authorized penetration testing
  • In controlled lab environments
  • By security teams performing defensive assessments

Using BloodHound without permission in a real environment is illegal and unethical.


Why BloodHound is Popular in Cybersecurity

BloodHound is widely used because:

  • It simplifies complex Active Directory environments
  • It provides visual attack path analysis
  • It supports both offensive and defensive security
  • It helps security teams prioritize real risks instead of guessing


Simple Real-World Example

Imagine you find a regular employee account in a company network. BloodHound might show that:

  • That account has permission to reset another employee’s password
  • That second employee belongs to a server administrator group
  • That group controls the domain controllers

BloodHound helps identify this entire chain automatically, showing how a small access point could lead to full network control.
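The chain described here and in the "Visualizes Attack Paths" section above, modelled as an added example (not code from the original post or from BloodHound itself): a breadth-first search over a constructed edge list finds the shortest path from a regular user to the Domain Admins group, and a helper picks the hop a defender should review first. All account, group and host names are invented.

```python
from collections import deque

# Constructed edge list in BloodHound's (source, relationship, target) style.
# Names are invented for this example; no real domain data is used.
EDGES = [
    ("alice@corp.local", "ForceChangePassword", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_attack_path(edges, start, target):
    """Breadth-first search; the first time target is reached is a shortest path.
    Returns a list of (src, relationship, dst) hops, or None if unreachable."""
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def remediation_candidate(path):
    """Defender's view: MemberOf hops are usually intended by design, so the
    first ACL-style hop (ForceChangePassword, GenericAll, ...) is the
    permission to review or remove in order to break the path."""
    for hop in path:
        if hop[1] != "MemberOf":
            return hop
    return None


if __name__ == "__main__":
    path = shortest_attack_path(EDGES, "alice@corp.local", "DOMAIN ADMINS@corp.local")
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    print("review first:", remediation_candidate(path))
```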


Summary

BloodHound is a powerful Active Directory analysis tool that helps users understand relationships between accounts, computers, and permissions. By visualizing these connections, it helps identify security risks, attack paths, and privilege escalation opportunities. It is widely used by cybersecurity professionals to strengthen network security and understand how attackers might move through an Active Directory environment.

