
BloodHound for Active Directory Pentesting

Master BloodHound for AD reconnaissance, privilege escalation paths, and attack chain visualization.


Introduction

BloodHound revolutionized Active Directory penetration testing by automating the discovery of attack paths and privilege escalation vectors. Instead of manually hunting for complex relationships between users, groups, computers, and permissions, BloodHound maps the entire AD environment and highlights exploitable chains. For security professionals assessing corporate environments, BloodHound is now an indispensable tool.

What Is BloodHound?

BloodHound is a graph-based Active Directory reconnaissance and attack path analysis tool. It uses graph theory to identify relationships and attack chains in AD environments that would be nearly impossible to discover manually.

Key Capabilities

  • AD environment mapping via SharpHound data collector
  • Attack path visualization between any two entities
  • Automated privilege escalation discovery
  • Relationships and ACL analysis
  • Custom queries for specific patterns
  • Node properties detailing permissions and group memberships

Understanding Active Directory Basics

Before using BloodHound, understand AD core concepts:

AD Entities

  • Users: Human and service accounts
  • Groups: Collections of users with shared permissions
  • Computers: Machines in the domain
  • Organizational Units (OUs): Hierarchical structure
  • Group Policy Objects (GPOs): Configuration settings

Critical Relationships

  • Group membership: User belongs to group
  • Admin to computer: User has administrative privileges
  • Ownership: Users/groups owning resources
  • ACL permissions: Explicit access control rights

Installation and Setup

Install BloodHound

Visit GitHub: BloodHoundAD/BloodHound.

On Windows:

Download BloodHound-windows-x64.zip
Extract and run BloodHound.exe

On Linux:

wget https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip
./BloodHound

Install Neo4j Database

BloodHound requires Neo4j for data storage:

# Ubuntu/Debian
curl -fsSL https://debian.neo4j.com/neotechnology.asc | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.4' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt update
sudo apt install neo4j

# Start Neo4j
sudo systemctl start neo4j

Access Neo4j at http://localhost:7474 and change default credentials (neo4j/neo4j).

Configure BloodHound

On first launch, configure Neo4j connection:

  • Database URL: bolt://localhost:7687
  • Username: neo4j
  • Password: [your password]

Data Collection with SharpHound

Understand SharpHound

SharpHound is the AD data collector. It queries AD APIs to enumerate:

  • All users and groups
  • Computer memberships
  • ACL permissions
  • Session information
  • Trust relationships

Download SharpHound

GitHub: BloodHoundAD/SharpHound

Running SharpHound

Basic Collection (from Domain-Joined Machine):

.\SharpHound.exe -c All

This collects:

  • Users and groups
  • Computers and sessions
  • ACL permissions
  • GPOs
  • Trusts

Output:

SharpHound_<timestamp>_<randomstring>.zip

Collection Options

Stealth Mode (slower, less detectable):

.\SharpHound.exe -c All --NoSaveCache

Specific Collection Methods:

# Domain group and local group memberships only
.\SharpHound.exe -c Group,LocalGroup

# Include GPO analysis
.\SharpHound.exe -c All,GPOLocalGroup

# Session enumeration only
.\SharpHound.exe -c Session

Importing Data into BloodHound

Upload Collected Data

  1. Open BloodHound application
  2. Click “Upload Data” in top-right
  3. Select the ZIP file from SharpHound
  4. Wait for import completion

Verify Data Import

  • Nodes appear in the graph
  • Statistics show entity counts
  • Database populated successfully

Analyzing Active Directory with BloodHound

Dashboard Overview

The main dashboard displays:

  • Number of users, groups, computers
  • Users with admin privileges
  • Domain admins count
  • High-value targets

Finding Shortest Paths to Domain Admin

BloodHound’s core function:

  1. Click search box (top-left)
  2. Search for “Domain Admins” group
  3. Right-click → “Mark as High Value”
  4. Search for your user account
  5. Right-click → “Shortest Paths to High Value Targets”

BloodHound highlights the attack path from your current user to Domain Admin.

Understanding Attack Paths

A typical path might be:

Your User → MemberOf → Group1
Group1 → AdminTo → Computer1
Computer1 → HasSession → Admin User
Admin User → MemberOf → Domain Admins

Each arrow represents an exploitable relationship.
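To make the path-finding step concrete, here is an added example (not BloodHound's own code, which runs Neo4j's shortestPath over the imported graph): a small Python model of a BloodHound-style edge list and a breadth-first search that returns the shortest chain from a principal to a high-value group. It also adds the defensive follow-up the "Use BloodHound for Defense" section calls for, listing the edges whose removal alone breaks every path. The node names and edges are constructed sample data.

```python
"""Added example: BloodHound-style shortest attack path and chokepoint analysis.
Graph data below is constructed, not collector output."""
from collections import deque

# Constructed sample graph as (source, edge, target) triples.
# Edge directions follow BloodHound semantics:
#   MemberOf   principal -> group
#   AdminTo    principal -> computer
#   HasSession computer  -> user logged on there
#   GenericAll principal -> object it fully controls
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),      # dead-end branch
    ("SALES@CORP.LOCAL", "AdminTo", "WS07.CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "BACKUP-OPS@CORP.LOCAL"),
    ("BACKUP-OPS@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),  # shorter route
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search from start to target.
    Returns the path as a list of (src, edge, dst) hops, or None if unreachable."""
    if start not in graph:
        return None
    prev = {start: None}           # node -> (predecessor, edge used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    hops = []
    node = target
    while prev[node] is not None:
        src, rel = prev[node]
        hops.append((src, rel, node))
        node = src
    return hops[::-1]


def chokepoints(edges, start, target):
    """Edges whose removal, on its own, leaves no path from start to target.
    Remediating any one of these cuts every route, so they are the highest-value fixes."""
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, target) is None:
            cuts.append(edge)
    return cuts


def format_path(hops):
    """Render hops in the arrow style used in the text above."""
    return "\n".join(f"{src} → {rel} → {dst}" for src, rel, dst in hops)


if __name__ == "__main__":
    start, target = "ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"
    path = shortest_path(build_graph(EDGES), start, target)
    print(format_path(path))
    print("Single-edge chokepoints:", chokepoints(EDGES, start, target))
```

Running it prints the three-hop route through BACKUP-OPS rather than the longer session-based chain, and reports that only the IT-ADMINS → Domain Admins membership is a single-edge chokepoint: removing ALICE from either group still leaves the other route, which is exactly why remediation should be driven by the graph rather than by fixing whichever edge was noticed first.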

Common BloodHound Queries

Dangerous Rights Granted

Find accounts with dangerous permissions:

// Users with WriteDacl on Group1
MATCH (u:User)-[r:WriteDacl]->(g:Group)
WHERE g.name = "GROUP1@DOMAIN.COM"
RETURN u.name

Find Computer Admins

Identify who can administer specific computers:

MATCH (u:User)-[r:AdminTo]->(c:Computer)
WHERE c.name = "COMPUTER@DOMAIN.COM"
RETURN u.name

Unconstrained Delegation

Find computers with unconstrained delegation (Kerberos attack vector):

MATCH (c:Computer {unconstraineddelegation:true})
RETURN c.name

Across Domain Trusts

Identify privilege escalation across trusted domains:

MATCH (n:Domain)-[r:TrustedBy]->(m:Domain)
WHERE n.name <> m.name
RETURN n.name, r, m.name

Exploitation Concepts Revealed by BloodHound

Kerberoasting

BloodHound identifies users with SPNs (Service Principal Names):

MATCH (u:User {hasspn:true})
RETURN u.name

These accounts are vulnerable to Kerberoasting attacks for offline password cracking.

Delegation Attacks

Unconstrained Delegation:

  • Computer can impersonate any user
  • BloodHound shows computers with this setting
  • Exploitable with the printer bug or forced authentication

Constrained Delegation:

  • Computer can impersonate users to specific services
  • Check if TRUSTED_TO_AUTH_FOR_DELEGATION is set

Weak ACLs

BloodHound finds dangerous permissions:

  • WriteDacl: Modify ACLs on objects
  • WriteProperty: Modify object properties
  • GenericAll: Full permissions
  • AddMember: Add users to groups

Credential Harvesting

Identify computers where users with domain admin privileges log in:

// Computers with a session for a direct or nested member of Domain Admins (RID 512)
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH "-512"
RETURN c.name, u.name

Building Custom Attack Chains

Example: Service Account to Domain Admin

Service Account
↓ (Member of Group)
Service Group
↓ (GenericAll on AdminGroup)
Admin Group
↓ (Member of)
Domain Admins

Right-click each node to see the exact relationship and exploitation methods.

Advanced BloodHound Techniques

Custom Queries

Create reusable queries in the Query Editor:

// Find all Tier 0 assets: principals with admin rights on Windows Server 2019 hosts named like domain controllers
MATCH (n)-[r:AdminTo]->(c:Computer {operatingsystem:"Windows Server 2019"})
WHERE c.name CONTAINS "DC"
RETURN n.name, c.name

Mark High Value Assets

Right-click nodes to mark as “High Value”:

  • High-value users
  • High-value computers
  • High-value groups

This focuses analysis on critical targets.

Filter Results

Use filters to reduce noise:

  • Filter by domain
  • Filter by operating system
  • Filter by group membership

Best Practices for AD Security

Use BloodHound for Defense

Security teams should run BloodHound regularly to:

  1. Audit dangerous paths before attackers find them
  2. Identify excessive permissions (principle of least privilege violation)
  3. Detect delegation misconfigurations
  4. Prevent credential harvesting by limiting admin logins
  5. Remove unnecessary group memberships

Remediation Actions

Common findings and fixes:

Finding                    | Remediation
---------------------------|------------------------------------------------
High-risk ACLs             | Review and restrict to minimum necessary
Unconstrained delegation   | Remove or move to separate OU
Weak group membership      | Remove non-required members
Credential exposure        | Prevent admin logons on workstations

Troubleshooting BloodHound

No Data After Import

  • Verify SharpHound ran successfully
  • Check ZIP file contains JSON files
  • Restart Neo4j service
  • Try uploading again
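Checking that the SharpHound ZIP actually contains well-formed JSON before re-uploading is quicker than watching another silent import. The following is an added example (not part of this article or of the BloodHound project): a Python helper that opens the archive, reads each JSON member's "meta" block, and reports the declared entity type and count alongside anything that would not import cleanly. It assumes the collector's file layout of a "data" list plus a "meta" object carrying "type" and "count"; the sample archive it builds is constructed in memory for the demonstration and is not real collector output.

```python
"""Added example: sanity-check a SharpHound ZIP before importing it into BloodHound.
The sample ZIP is constructed here; the meta/data layout is an assumption about
the collector's JSON format."""
import io
import json
import zipfile


def build_sample_zip():
    """Constructed stand-in for a SharpHound archive (not real collector output)."""
    members = {
        "20240101_users.json": {
            "data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105"},
                     {"ObjectIdentifier": "S-1-5-21-1-1-1-1106"}],
            "meta": {"type": "users", "count": 2, "version": 5},
        },
        "20240101_groups.json": {
            "data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-512"}],
            "meta": {"type": "groups", "count": 1, "version": 5},
        },
        # Empty data set: the collector ran but found nothing for this type.
        "20240101_computers.json": {
            "data": [],
            "meta": {"type": "computers", "count": 0, "version": 5},
        },
        "notes.txt": "stray non-JSON member that the importer will ignore",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            payload = content if isinstance(content, str) else json.dumps(content)
            zf.writestr(name, payload)
    return buf.getvalue()


def summarize_sharphound_zip(zip_bytes):
    """Return (counts, problems).

    counts   maps meta.type -> declared record count for every JSON member.
    problems lists members that would not import cleanly: non-JSON names,
             unparsable JSON, missing meta.type, meta.count disagreeing with
             the data list, or an empty data set.
    """
    counts = {}
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                problems.append(f"{name}: not a JSON file")
                continue
            try:
                doc = json.loads(zf.read(name))
            except json.JSONDecodeError:
                problems.append(f"{name}: invalid JSON")
                continue
            meta = doc.get("meta", {})
            data = doc.get("data", [])
            kind = meta.get("type")
            if kind is None:
                problems.append(f"{name}: missing meta.type")
                continue
            declared = meta.get("count", len(data))
            counts[kind] = declared
            if declared != len(data):
                problems.append(f"{name}: meta.count {declared} != {len(data)} records")
            if len(data) == 0:
                problems.append(f"{name}: no {kind} collected")
    return counts, problems


if __name__ == "__main__":
    counts, problems = summarize_sharphound_zip(build_sample_zip())
    print("Entity counts:", counts)
    for issue in problems:
        print("Problem:", issue)
```

An archive whose counts are all zero, or whose only members are non-JSON files, explains a "no data after import" result without involving Neo4j at all; a count mismatch usually means the collection was interrupted and should be rerun.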

Slow Queries

  • Neo4j performance depends on data size
  • Large AD environments may need optimization
  • Consider filtering collection (fewer computers)
  • Increase Neo4j heap size

Connection Errors

# Test Neo4j connection
neo4j status

# Restart if needed
sudo systemctl restart neo4j

Ethical Considerations

Authorization Requirements

  • Only run SharpHound with explicit written authorization
  • Clearly document scope of assessment
  • Discuss findings with domain administrators
  • Provide remediation recommendations

Responsible Disclosure

  • Share findings only with authorized personnel
  • Present in professional, non-threatening manner
  • Provide context for each finding
  • Suggest practical mitigations

Conclusion

BloodHound transforms AD security assessment from manual, time-consuming reconnaissance into systematic, visualization-based analysis. By understanding entity relationships, attack paths, and dangerous permissions, you can identify privilege escalation routes that real attackers would exploit. Start with small AD environments to learn the tool, progress to enterprise domains, and always maintain strict ethical standards when uncovering organizational vulnerabilities.
