BloodHound.py
BloodHound CE Update
Hi Dirk,
Just wondering if your legendary python BloodHound ingestion client will be updated for BloodHound CE? Until then we Kali users are all stuck on old BloodHound!
Thanks
Hey, absolutely, there are some small changes to the data model that I'll process to ensure CE compatibility. Just need to find some time to add and test everything.
Excellent news, thanks very much 😊
Hey dirk, love to see the news. I've spent some time comparing the models between your json and SharpHound CE and maybe I'm not quite understanding how json works but both look similar with of course Sharphound providing more data. It looks like things got switched around in terms of indexing but nothing I'd consider to break ingestion to the degree it has.
If you do have time to explain what I'm missing here, would be greatly appreciated.
BloodHound CE compatibility is now available for testing from the bloodhound-ce branch
Great job Dirk, thanks a lot. Will try to find some time to give it a test
Hey there,
Just noticing that the RDP, DCOM and PSREmote computer attributes are not being populated anymore.
They do show when enabling debug, they're definitely pulled with the rpc_get_group_members function:
DEBUG: Found 580 SID: S-1-5-21-2241985869-2159962460-1278545866-1106
DEBUG: Sid is cached: [email protected]
However, the 'localgroup' attribute, which seems to be the new v6 ingestion destination for such attributes, is empty.
hey @Selora, is this for all hosts or just for specific ones? The collection works fine in my test environment for these groups.
Hey @dirkjanm
It's a small lab, just a single DC. The user is in RDP and PSRemote but it's not showing up in the end-result, just when enabling the debug output with -v.
Running with --Collectors All, LoggedOn
Previously it was stored in a dictionary. I see the new code stores it in the localgroup attribute, but it's empty in the resulting .json file.
I wish I had more time to debug this and try it against other environments, I know this isn't super helpful. Since it's a new release, I thought I'd bring it up in case you might have a quick fix in mind.
Thanks again and much love for all the tools and research!
Ah, on the DC that makes sense, these are explicitly ignored in the output for Domain Controllers, they should be populated in the groups JSON file instead.
Makes sense, I do see it in the groups output.
Thanks!
@dirkjanm as discussed on Slack, the domains json object is missing a "collected" key which is why it doesn't appear in the Data Quality page
https://github.com/dirkjanm/BloodHound.py/blob/bloodhound-ce/bloodhound/enumeration/domains.py#L115
so just needs a "collected": true added to the Properties node (Sorry I would add this myself but don't have perms to PR to the fork)
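To make the gap described above easy to spot in any output set, here is a small checker I added for this thread (it is not part of BloodHound.py or BloodHound CE). It assumes the CE v6 file shape of a top-level `data` list of objects, each with an `ObjectIdentifier` and a `Properties` dict, and reports every object whose Properties lack `"collected": true`; `add_collected` patches the key in for files produced before the fix. The sample document is constructed, with a placeholder SID.

```python
"""Check BloodHound CE JSON output for the "collected" property.

Added example for this thread, not BloodHound.py code. The domains file
discussed above omitted "collected" from each object's Properties, which keeps
the domain off the Data Quality page. Assumption: CE v6 files look like
{"data": [ {ObjectIdentifier, Properties, ...}, ... ], "meta": {...}}.
"""
import json
import sys
from pathlib import Path

# Constructed sample resembling the pre-fix domains output: no "collected" key.
# The SID is a placeholder, not a real identifier.
SAMPLE_DOMAINS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333",
            "Properties": {
                "domain": "EXAMPLE.LOCAL",
                "name": "EXAMPLE.LOCAL",
                "highvalue": True,
            },
        }
    ],
    "meta": {"type": "domains", "count": 1, "version": 6},
})


def find_uncollected(raw: str) -> list[str]:
    """Return the ObjectIdentifier of every object whose Properties do not
    carry "collected": true (missing key or any value other than True)."""
    doc = json.loads(raw)
    missing = []
    for obj in doc.get("data", []):
        props = obj.get("Properties", {})
        if props.get("collected") is not True:
            missing.append(obj.get("ObjectIdentifier", "<no ObjectIdentifier>"))
    return missing


def add_collected(raw: str) -> str:
    """Return the document with "collected": true added to every object that
    lacks the key; objects that already have it are left untouched."""
    doc = json.loads(raw)
    for obj in doc.get("data", []):
        obj.setdefault("Properties", {}).setdefault("collected", True)
    return json.dumps(doc, indent=2)


def check_file(path: Path) -> list[str]:
    """Run find_uncollected over a JSON file on disk."""
    return find_uncollected(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Usage: python check_collected.py <file.json> [more.json ...]
    for name in sys.argv[1:]:
        for oid in check_file(Path(name)):
            print(f"{name}: {oid} has no 'collected': true")
```

Run it over the `*_domains.json` (or any other object type's file) from a collection; an empty result means every object will count on the Data Quality page.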
thanks @spyr0-sec, added that one in the output
Great to see BloodHound CE support in BloodHound.py. :)
Unfortunately, I'm missing an ExecuteDCOM edge between a user and the DC. The edge is only missing when using the bloodhound-ce branch with BloodHound CE. It is there when using newest SharpHound with BloodHound CE and it is also there when using the master branch of BloodHound.py together with legacy BloodHound. So I suspect this is a bug. Noticed this in a single DC environment (HackTheBox).
Few updates:
- All bugs that were fixed in BloodHound legacy (master branch) are now also fixed in the CE branch.
- BloodHound.py for BH CE now has its own pypi package
- Installing the CE version gives you the bloodhound-ce-python command to run
- Which version you are running will be shown each time you run the tool.
See more install instructions in the README
@dirkjanm currently version 8.0.2 says two JSON files fail to parse: one is OUs, the other one I'm not sure, probably Groups, because only the SID is visible for them in the UI, and the certificate template collection is not implemented