BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Using the Interface
The BloodHound interface is designed to be intuitive and operationally focused. Because BloodHound is compiled as an Electron app, it is platform-independent and runs on Windows, OSX, and Linux.
When you first open BloodHound, you are greeted by the logon prompt:
The “Database URL” is the IP address and port where your neo4j database is running and should be formatted as bolt://ip:7687/
The DB Username is the username for the neo4j database. The default username for a neo4j database is neo4j.
The DB Password is the password for the neo4j database. The default password for a neo4j database is neo4j. The password for the provided example database is BloodHound.
Upon successful logon, BloodHound will draw any group(s) with “Domain Admins” in their name, and show you the effective users that belong to the group(s):
Above, the BloodHound interface is split into 5 parts:
1. Menu and search bar
The search bar and menu are designed to be intuitive and operationally focused. The triple line in the top left will toggle the drop-down for the ‘Database Info’, ‘Node Info’, and ‘Queries’ tabs.
The ‘Database Info’ tab shows basic information about your currently loaded database, including the number of users, computers, groups, and relationships (or edges). You may also perform basic DB management functions here, including logging out and switching DBs, as well as clearing (read: DELETING ALL INFORMATION FROM) your currently loaded DB (be careful!).
The ‘Node Info’ tab will display information about a node that you click on in the graph.
The ‘Queries’ tab will show the pre-built queries we include with BloodHound, as well as additional queries you can build yourself. More information about this will be available later.
2. Graph drawing area
This is the area where BloodHound will draw nodes and edges. Pressing Ctrl will cycle through three options for displaying node labels: Default Threshold, Always Show, Never Show. You may click and hold a node to drag it to a different spot. You may also click a node, and BloodHound will populate the ‘Node Info’ tab with information about that node.
- Refresh – BloodHound will re-calculate and re-draw the current display.
- Export Graph – BloodHound can export the currently drawn graph to JSON format, or as a PNG.
- Import Graph – BloodHound will draw an imported graph in JSON format.
- Upload Data – BloodHound will automatically detect and then ingest CSV formatted data. For more information on this, see CSV ingestion.
- Change Layout Type – Toggle between hierarchical (dagre) and force directed graph layouts.
- Settings – Alter node collapse behavior, and toggle low detail mode.
4. Zoom in/out and reset
The plus sign (+) will zoom in. The minus sign (–) will zoom out. The center icon will reset the graph to the default zoom.
5. Raw Cypher query
BloodHound allows you to run custom Cypher queries against the currently loaded neo4j database. For more information on this topic, see Cypher query language.