bloodhoundad / bloodhound Goto Github PK

When uploading the trusts,csv, the information is not showing up in the database.

From: https://github.com/adaptivethreat/Bloodhound/wiki/Getting-started

Step 4 is: "Run BloodHound.exe or build BloodHound from source."

There is no BloodHound.exe so I suspect it you just need the build from source link

:)

First, thank you all for providing this tool! It's super-legit and very helpful, operationally, on assessments.

I could be wrong, but I haven't found a way to explicitly display the node labels. They will display after zooming in to a certain level, but this often results in part of the graph not being visible. Being able to force labels to display at any zoom level would make the graphs much more valuable for the purpose of reporting, IMO.

I know you guys are busy, and there are much more pressing matters. I just wanted to get this onto the board.

Hi Guys,

It was important to retrieve all the information if you are off network and you have the ntds.dit. You can check this project https://github.com/ANSSI-FR/AD-control-paths/blob/master/README.md

Hi,
After running the following command:
Get-BloodHoundData | Export-BloodHoundCSV
im recieving:

Exception calling "Translate" with "1" argument(s): "The trust relationship between this workstation and the primary domain failed.
"
At C:\Repos\Bloodhound\PowerShell\BloodHound.ps1:2281 char:9
+         $ForestSid = (New-Object System.Security.Principal.NTAccount( ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException

it is normal?

Running the following command: Get-BloodHoundData -Verbose -CollectionMethod 'Stealth' | foreach-object { write-verbose "Obj: $($_.cn)"; $_ } | Export-BloodHoundData -URI http://localhost:7474 -UserPass "neo4j:BloodHound" -Verbose

It runs for many hours and I see data until eventually it halts with the following error:

Export-BloodHoundData : Cannot validate argument on parameter 'SID'. The argument "" does not match the "^S-1-."
pattern. Supply an argument that matches "^S-1-." and try the command again.
At line:1 char:114

• Get-BloodHoundData -Verbose -CollectionMethod 'Stealth' | foreach-object { write ...

• - CategoryInfo          : InvalidData: (:) [Export-BloodHoundData], ParameterBindingValidationException
  - FullyQualifiedErrorId : ParameterArgumentValidationError,Export-BloodHoundData
  

PS C:\Users\XXXXXX\Desktop\tools> Get-BloodHoundData -CollectionMethod 'Stealth' -Verbose | Export-BloodHoundCSV -Verbose

An error occurred while enumerating through a collection: The directory service
is unavailable.
.
At C:\Users\XXXXXX\Desktop\tools\BloodHound.ps1:5233 char:17

•              <<<< $Results | Where-Object {$_} | ForEach-Object {
  

  • CategoryInfo : InvalidOperation: (System.Director...sultsEnumer
    ator:ResultsEnumerator) [], RuntimeException
  • FullyQualifiedErrorId : BadEnumeration

Get-DomainSearcher: Error in retrieving PDC for current domain
At C:\Users\XXXXXXX\Desktop\tools\BloodHound.ps1:1711 char:22

•             throw <<<<  "Get-DomainSearcher: Error in retrieving PDC for
  

  current domain"
  • CategoryInfo : OperationStopped: (Get-DomainSearc... current do
    main:String) [], RuntimeException
  • FullyQualifiedErrorId : Get-DomainSearcher: Error in retrieving PDC for
    current domain

Some isues running Get-BloodHoundData -Verbose | Export-BloodHoundCSV on our domain. The user/group enumeration works fine, however when it begins to enumerate data on the individual hosts it runs for ~2k of 30k hosts before resulting in subsequent enumerations resulting in an "Access is Denied" errors.

If I run the Find-LocalAdminAccess function outside of the Get-BloodHoundData command results in "Access is denied" but running the Get-NetLocalGroup results in a success. I am running as an unprivileged, authenticated domain user.

PS C:\tmp\BloodHound> Invoke-CheckLocalAdminAccess -ComputerName ABC123.company.ad.domain.com

ComputerName IsAdmin

ABC123.company.ad.domain.com False

PS C:\tmp\BloodHound> Find-LocalAdminAccess -Verbose -ComputerName ABC123.company.ad.domain.com
VERBOSE: [] Running Find-LocalAdminAccess with delay of 0
VERBOSE: [] Total number of active hosts: 1
VERBOSE: [_] Enumerating server ABC123.company.ad.domain.com (1 of 1)
VERBOSE: Invoke-CheckLocalAdminAccess handle: 0
_VERBOSE: Error: Access is denied*
ABC123.company.ad.domain.com

PS C:\tmp\BloodHound> Get-NetLocalGroup -ComputerName ABC123.company.ad.domain.com

ComputerName : ABC123.company.ad.domain.com
AccountName : ABC123/admin
SID : S-1-5-21-1754134174-4044512797-4222858863-500
Description : Built-in account for administering the computer/domain
Disabled : False
IsGroup : False
IsDomain : False
LastLogin : 5/20/2016 4:09:36 PM
PwdLastSet : 3/18/2014 12:38:17 PM
PwdExpired : False
UserFlags : 66049

ComputerName : ABC123.company.ad.domain.com
AccountName : ABC123/Admin2
SID : S-1-5-21-1754134174-4044512797-4222858863-1002
Description :
Disabled : False
IsGroup : False
IsDomain : False
LastLogin :
PwdLastSet : 3/1/2016 9:21:51 AM
PwdExpired : False
UserFlags : 66049

PS C:\tmp\BloodHound>

Any ideas on why it appears to error out?

When running the ingester I get the following error

You cannot call a method on a null-valued expression.
\BloodHound.ps1:13755 char:45

•         Get-NetUser -ADSPath $ADSpath | ForEach-Object {
  

When Bloodhound is started, the initial screen tries to load, but turns black and hangs. In the command window, the following errors appear:

user@linux:/opt/BloodHound-linux-x64# ./BloodHound
[3065:0923/202117:ERROR:buffer_manager.cc(438)] [.DisplayCompositor-0xb19c6e9500]GL ERROR :GL_INVALID_ENUM : glBufferData: <- error from previous GL command
[3065:0923/202118:ERROR:gles2_cmd_decoder.cc(2210)] [.Offscreen-For-WebGL-0x25e11a897e00]GL ERROR :GL_INVALID_ENUM : BackFramebuffer::Destroy: <- error from previous GL command
[3065:0923/202118:ERROR:gles2_cmd_decoder.cc(2210)] [.Offscreen-For-WebGL-0x25e11a897e00]GL ERROR :GL_INVALID_ENUM : BackFramebuffer::Destroy: <- error from previous GL command
[3065:0923/202120:ERROR:texture_manager.cc(2942)] [.RenderCompositor-0x25e11a990800]GL ERROR :GL_INVALID_ENUM : glTexImage2D: <- error from previous GL command
[3065:0923/202120:ERROR:gles2_cmd_decoder.cc(2210)] [.RenderWorker-0x25e11a897000]GL ERROR :GL_INVALID_ENUM : GLES2DecoderImpl::DoBindTexImage2DCHROMIUM: <- error from previous GL command

A ^C will end the session in the command window which shuts down Bloodhound.

Thanks

Hello,

I'm attempting to run Bloodhound on an internal test domain separate from my own, however when I run:
Get-BloodHoundData -Domain "FakeDomainName.com" | Export-BloodHoundCSV

I get an error stating that
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server. " At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:5232 char:50 $Results = $GroupSearcher.FindAll <<<< () CategoryInfo : NotSpecified: (:) [], MethodInvocationException FullyQualifiedErrorId : DotNetMethodException

You cannot call a method on a null-valued expression. At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:5246 char:33 $Results.dispose <<<< () CategoryInfo : InvalidOperation: (dispose:String) [], RuntimeException FullyQualifiedErrorId : InvokeMethodOnNull

WARNING: Error: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server."

The command stops here for stops here for at least a few minutes, no more than 10 before continuing
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server. " At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:13415 char:61 ForEach($UserResult in $UserSearcher.FindAll <<<< ()) { CategoryInfo : NotSpecified: (:) [], MethodInvocationException FullyQualifiedErrorId : DotNetMethodException WARNING: Error: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server."

Invoke-ThreadedFunction : Cannot bind argument to parameter 'ComputerName' because it is null. At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:13624 char:89 $TargetComputers2 = Invoke-ThreadedFunction -NoImports -ComputerName <<<< $TargetComputers -Scri ptBlock $Ping -Threads 100 CategoryInfo : InvalidData: (:) [Invoke-ThreadedFunction], ParameterBindingValidationException FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-ThreadedFunction

Get-NetSession : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Supply an argumen t that is not null or empty and then try the command again. At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:13521 char:61 $Sessions = Get-NetSession -ComputerName <<<< $ComputerName CategoryInfo : InvalidData: (:) [Get-NetSession], ParameterBindingValidationException FullyQualifiedErrorId : ParameterArgumentValidationError,Get-NetSession

Get-NetLoggedon : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Supply an argume nt that is not null or empty and then try the command again. At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:13556 char:62 $LoggedOn = Get-NetLoggedon -ComputerName <<<< $ComputerName CategoryInfo : InvalidData: (:) [Get-NetLoggedon], ParameterBindingValidationException FullyQualifiedErrorId : ParameterArgumentValidationError,Get-NetLoggedon

Get-LoggedOnLocal : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Supply an argu ment that is not null or empty and then try the command again. At C:\users\fakeUser\Git\Bloodhound\PowerShell\BloodHound.ps1:13579 char:69 $LocalLoggedOn = Get-LoggedOnLocal -ComputerName <<<< $ComputerName CategoryInfo : InvalidData: (:) [Get-LoggedOnLocal], ParameterBindingValidationException FullyQualifiedErrorId : ParameterArgumentValidationError,Get-LoggedOnLocal

The end result is the creation of two CSV's (local_admins and trusts) that do have some data on them, but I have no idea if those are complete or not, I haven't worked with this domain and have no idea what's there

I have practically no experience with AD and PowerShell, so if it's a rather simple fix that is extremely well known, I apologize in advance for not knowing it and taking up your time. Also, apologies for the terrible code segments. The preview was giving me issues with some of the characters that were in the error, and formatting has never been a forte of mine.

Thanks for any and all help!

I'm trying to follow the getting started guide, and I've got the neo4j instance up and can connect to it via the BloodHound Application. So, I'm ready to run the ingestor. When I run the powershell script (powershell -executionpolicy bypass -file "C:\Folder\BloodHound.ps1"), it merely returns me to the prompt (i.e. nothing happens). Looking for some community help on getting the ingestor to run and begin populating the database.

Thanks,

Jesse

When I run:
Get-BloodHoundData | Export-BloodHoundData -URI http://localhost:7474 -UserPass "neo4j:BloodHound" -Verbose

I only get these 4 lines returned.

VERBOSE: Global catalog string from enumerated forest root: GC://DOMAIN.local
VERBOSE: Get-DomainSearcher search string: GC://DOMAIN.LOCAL
VERBOSE: Get-DomainSearcher search string: LDAP://DC.DOMAIN.local/DC=DOMAIN,DC=local
VERBOSE: Get-DomainSearcher search string: LDAP://DC.DOMAIN.local/DC=DOMAIN,DC=local

Then there's a long period of time while the command is still running but no output is shown.

The neo4j db is being populated correctly. But the demo video from BSidesLV showed a lot more lines of output (not sure exactly what that output was because the quality of the video on youtube now is low) and I'm just wondering if there were changes made between that demo and the code that I'm running, or if something else is causing less output on my end.

Quick question. Is there any way to change to a different domain? When I run the powershell script, it only gets the domain admins for the domain my user is under even though the domain trusts are bidirectional.

You cannot call a method on a null-valued expression.
At N:\Bloodhound\PowerShell\BloodHound.ps1:5433 char:21

•                 $Members = $Result.properties.item("member")
  

•                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

Add a new prebuilt query in Bloodhound to find any computers that have a Domain Admin user session. Here's a crack at the query, although it's likely not following the correct syntax:

File: /Bloodhound/src/components/SearchContainer/Tabs/PrebuiltQueries.json:

{
"name": "Find all Computers with Domain Admins Sessions",
"requireNodeSelect": false,
"query": "MATCH (m:Computer),(n:User) WHERE (n)<-[r:HasSession]-(m) AND (n)-[r:MemberOf]->(o:Group) AND o.name =~ '(?i).DOMAIN ADMINS.' RETURN n,r,m",
"allowCollapse": false
}

Get-BloodHoundData | Export-BloodHoundData -URI http://localhost:7474/ -UserPass "neo4j:BloodHound"

Produces the following error:
Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (500) Internal Server Error."
At C:\Users\user\Downloads\BloodHound-master\BloodHound-master\PowerShell\BloodHound.ps1:14103 char:48

•             $Null = $WebClient.UploadString <<<< ($URI.AbsoluteUri + "db/data/batch", $JsonRequest)
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : DotNetMethodException

I'm running powershell v4 and can't seem to get past the error below.

field : Cannot bind argument to parameter 'Type' because it is null.
At C:...\BloodHound-master\PowerShell\BloodHound.ps1:14750 char:31

• lgrmi2_sidusage = field 1 $SID_NAME_USE
  

•                           ~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [field], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,field

field : Cannot bind argument to parameter 'Type' because it is null.
At C:...\BloodHound-master\PowerShell\BloodHound.ps1:14783 char:21

• Flags = field 2 $DsDomainFlag
  

•                 ~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [field], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,field

I'm using the command "Get-BloodHoundData | Export-BloodHoundCSV -CSVFolder C:\BloodHoundData" after importing the modules/cmdlets from the BloodHound powershell script.

I'm receiving back a TON of the following error. There are different SIDs everytime but they are all SIDs.

WARNING: Error converting CN=SID,CN=redacted,DC=redacted,DC=redacted,DC=redacted

I'm not sure what I can do to resolve this issue. I also attempted to utilize:

Get-BloodHoundData | Export-BloodHoundData -URI http://localhost:7474/ -UserPass "neo4j:BloodHound"

but I get a error connecting to the server.

Error connecting to Neo4j rest REST server at 'http://localhost:7474/'
At C:\Bloodhound\PowerShell\BloodHound.ps1:13849 char:13

•         throw "Error connecting to Neo4j rest REST server at '$($URI.Absolut ...
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (Error connectin...ocalhost:7474/':String) [], RuntimeException
  • FullyQualifiedErrorId : Error connecting to Neo4j rest REST server at 'http://localhost:7474/'

My collector and my database server are local to the same machine. Please provide some input, I would be happy to troubleshoot, but I really am unsure of where to begin.

Thanks for the wonderful tool! If only I could get it working.

I was trying to run Bloodhound on a german network and found out I had to replace most occurences of "Administrators" with "Administratoren" in the powershell module (similar to PowerShellMafia/PowerSploit#176). Then at least the information gathering is working. Some queries of the GUI work, others don't because the group names are different.
Is there anything else I should be aware of? Is there any way to make the program work on any domain controller (especially non english ones with different group names)?

Hi,

I have an issue with the Powershell Ingestor. All groups / users in local_admins.csv appears as being part of the "UNKNOWN" domain (e.g "group","MIDEEL.SHINRA-INC.local","Domain Admins@UNKNOWN"). All users / groups are properly named in the two other files (e.g "Domain [email protected]")

Some quick infos:

• I ran Get-BloodHoundData | Export-BloodHoundCSV
• I'm running the script from a non-domain-joined machine with runas /netonly [...].
• There is only one domain in my small environment.

I can still do a find / replace to change it but i'm still wondering where this might come from.

And thanks for this tool, I've just played a bit with it but I will definitely try it on my next engagement.

Cheers !

Sample Database
To configure the sample database on Linux:

1. Copy BloodHoundExampleDB.graphdb to /data/databases.
2. Edit /conf/neo4j.conf and change the "#dbms.active_database=graph.db" line to "dbms.active_database=BloodHoundExampleDB.graphdb".
3. Start neo4j (<NEO4J DIRECTORY>/bin/neo4j start).
4. Log on to https://127.0.0.1:7474 (or wherever your Neo4j instance lives) using the default credentials of neo4j\neo4j. Enter new credentials when prompted.
5. Run the BloodHound binary you downloaded earlier, and use the credentials you chose in step 4.

Kali Rolling VM 64

Went through the process twice - can login to the HTTP interface but get "No Neo4j Database Found" as soon as I type bolt://localhost:7687 into the field.

Log shows:

nohup: ignoring input
2016-12-30 15:10:49.772+0000 INFO No SSL certificate found, generating a self-signed certificate..
2016-12-30 15:10:50.529+0000 INFO Starting...
2016-12-30 15:10:51.493+0000 INFO Bolt enabled on localhost:7687.
2016-12-30 15:10:54.987+0000 INFO Started.
2016-12-30 15:10:56.123+0000 INFO Remote interface available at http://localhost:7474/

One attempt was with a VM from Kali.org - one custom VM built with VMware Workstation some time ago Both VM are used regularly and are stable.

Probably is simple NOB fix, but would really appreciate a shove in the right direction even if it comes with some ribbing.

CLOSE - WORKING NOW...No Clue why...

root@AlienAttack01:/neo4j-community-3.1.0/bin# ./neo4j status
Neo4j is running at pid 2166
root@AlienAttack01:/neo4j-community-3.1.0/bin# ./neo4j stop
Stopping Neo4j.. stopped
root@AlienAttack01:~/neo4j-community-3.1.0/bin# ./neo4j console
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2016-12-30 15:49:44.827+0000 INFO Starting...
2016-12-30 15:49:45.299+0000 INFO Bolt enabled on localhost:7687.
2016-12-30 15:49:47.261+0000 INFO Started.
2016-12-30 15:49:48.065+0000 INFO Remote interface available at http://localhost:7474/

NOW it works...Very sorry for the false problem...

Hello

After running the recently optimised ingestor for a day without stealth mode from a laptop on a corporate network with a complicated multinational AD structure, the resulting csvs had the following volumes:

• group_memberships ~ 200 Mb
• local_admins ~ 6 Mb
• trusts ~ 5 Kb
• user_sessions ~ 60 Kb

The process to load group memberships into BloodHound has now been running continuously for about 72h and is showing at around 60% completion. Here are the database stats at this stage:

• Users ~ 40k loaded
• Computers ~ 24k loaded
• Groups ~ 76k loaded
• Sessions ~ 600 loaded
• Relationships ~ 1.8 million loaded

Questions:
A) Is the long time required to load in the data expected behaviour due to volume?
B) Is the likely cause for the number of mapped sessions being so low due to the network segregation in place on the network? Note that the mapping of user sessions did not finish within a day.
C) Would anyone have further suggestions from practice on how to improve coverage / effectiveness in a large messy environment?

When using the latest version of neo4j community edition (3.1.0) there's a database format issue preventing loading the BloodHoundExampleDB.graphdb file. This issue prevents users from loading the example db and this is the error message:

This can be fixed by going into your [neo4jroot]/conf/neo4j.conf file and uncommenting out the line:
dbms.allow_format_migration=true

Then you should be able to log into BloodHound over http://localhost:7687 instead of the suggested bolt:// connection.

Also, can you guys pretty please update your getting started documentation on the wiki? Here are some people who've done a decent job in that regard.
http://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/
https://popped.io/setting-up-bloodhound-on-debian-jessie/
https://www.shellandco.net/understand-privilege-relationships-active-directory-environment/

Expected: Simple to follow step-by-step instructions for running BloodHound on a vanilla Kali linux (or similar).
Current: Confusing and somewhat incomplete instructions

Recommended changes:

Wiki Update:

For running the binary:

1.) Binary and source needed, source for BloodHoundExampleDB.graphdb
2.) Move BloodHoundExampleDB.graphdb to /var/lib/neo4j/data/databases/graph.db after
installing neo4j via apt on Kali
mv -r BloodHoundExampleDB.graphdb /var/lib/neo4j/data/databases/graph.db
3.) Restart neo4j service, tail /var/log/neo4j/neo4j.log to check for errors, or run neo4j in console mode
service neo4j restart OR
neo4j console to watch messages
4.) Open browser to http://localhost:7474 neo4j web interface and set initial admin password
5.) Fire up BloodHound binary
./BloodHound

Quickstart:
Add quickstart instructions to README or INSTALL in BloodHound binary package

Having a try with this tool, scripts ran ok. Only noticed some occasional warnings related to converting SID's.

When starting the tool it doesn't show the Domain Admins group with memberships. Any idea what could be the cause?
Searching other users, groups, computers works fine and info is displayed. Only Domain Admins info is never shown.

If someone has an idea what is wrong feel free to drop a note.

Cheers.

It uses bolt://localhost

Looks like the latest code uses http://localhost:7474 but the precompiled version is not using latest code

PS E:\BloodHound-win32-x64\resources\app\PowerShell> .\BloodHound.ps1 Get-BloodHoundData | Export-BloodHoundData -URI ht
tp://localhost:7474/ -UserPass "neo4j:neo4j"
At E:\BloodHound-win32-x64\resources\app\PowerShell\BloodHound.ps1:119 char:13

• <a href="/open-source" class="js-selected-navigation-item nav-item n ...

•         ~
  

  The '<' operator is reserved for future use.
  At E:\BloodHound-win32-x64\resources\app\PowerShell\BloodHound.ps1:121 char:13
• <a href="/business" class="js-selected-navigation-item nav-item nav- ...

•         ~
  

  The '<' operator is reserved for future use.
  At E:\BloodHound-win32-x64\resources\app\PowerShell\BloodHound.ps1:123 char:13
• <a href="/explore" class="js-selected-navigation-item nav-item nav-i ...

•         ~
  

  The '<' operator is reserved for future use.
  At E:\BloodHound-win32-x64\resources\app\PowerShell\BloodHound.ps1:125 char:11

•       ~
  

  The '<' operator is reserved for future use.
  At E:\BloodHound-win32-x64\resources\app\PowerShell\BloodHound.ps1:138 char:8

Is there any plans to allow manual manipulation of the database via another method? Often times on a red team you wouldn't want to run the powershell scripts within blood hound as it often goes against the low and slow methodologies. One idea is to just send manual json queries, or on the js application itself use fillable forms that meet the database schema outside of csv's.

I have a large db with many objects and most of the queries load in a few seconds, however "Find Shortest Path to Domain Admins" doesn't load. The Querying Database animation loops in the bottom left corner but nothing appears to be happening. This persists across reboots. Server is 2012 R2, 128 GB RAM and 8 CPU.

Any ideas?

Having an issue when attempting to start data collection. Powershell is unable to connect to neoj4. I can connect to the instance in a web browser, and it's local. Any thoughts?

Error connecting to Neo4j rest REST server at 'http://localhost:7474/'
At C:\Users\dean.buttry\OneDrive - Tempur Sealy International, Inc\Downloads\BH\BloodHound\PowerShell\BloodHound.ps1:13728 char:13

•         throw "Error connecting to Neo4j rest REST server at '$($ ...
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (Error connectin...ocalhost:7474/':String) [], RuntimeException
  • FullyQualifiedErrorId : Error connecting to Neo4j rest REST server at 'http://localhost:7474/'

not an issue, but rather a question to the database...is there a [simple] way how to start with 'clean' database, so I can feed collected data into, without mixing them up with data from 'sample' database?

thanks

Hi
It seems that the png export only takes a screenshot of the current view. To have the nodes' labels we have to zoom in and then export it. By doing this, only the current view is exported and we have to export several times then stitch the images together to have the complete view of the graph in PNG format.
Is it possible to modify the export function so export includes the complete graph including the nodes' labels?

I downloaded the windows version - installed Neo4j - I point my dbase to the example - when I try to login my cursor turns into a red circle with a line though it - I used the default creds new4j and BloodHound and a no go.

I was diagnosing an issue where my bloodhound database never grew above a certain size so I changed output to CSV. In the CSV file it became clear that in my AD environment I ended up with a group which contained itself as a member, causing Get-BloodHoundData to churn forever when trying to process that group.

Here is the command I'm running:

$VerbosePreference = "Continue"; Get-BloodHoundData -verbose | Export-BloodHoundCSV -SkipGCDeconfliction -Verbose -CSVFolder .\csv

Checking group_memberships.csv file after some time reveals a pattern:

"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","group","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","group","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
...

The Powershell process consumes all available RAM on the system being run on. In this example, it took ~1.9GB, leaving ~150MB free.

> Get-BloodHoundData | Export-BloodHoundCSV

> Get-Process
14995  37  1916712  1794212  2039  363.89  13100  powershell

I'm getting the following intermittent error. The Neo4j server is running on a different host, but up and responding as expected (with no issues reported).

Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (500) Internal Server
Error."
At C:\path\to\BloodHound-master\PowerShell\BloodHound.ps1:14103 char:17

•             $Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/batc ...
  

• - CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
  - FullyQualifiedErrorId : WebException
  

Hi

Having an issue on large corporate network with the tuned up-ingestor, any community thoughts?

Running: Invoke-BloodHound -CollectionMethod Stealth -Domain "uk.sub.client.com" -Debug -Verbose -SkipGCDeconfliction

Current scan settings (slightly changed):

 'Stealth'       {
                $UseGroup = $False #changed to false
                $UseGPOGroup = $True
                $UseSession = $True
                $UseDomainTrusts = $False #changed to false
                $SkipGCDeconfliction2 = $False
}

Last debug message before crash:
DEBUG: "Sort-Object" - "GPOName" cannot be found in "InputObject".

Then:

Get-NetOU : Cannot process argument transformation on parameter 'GUID'. Cannot convert value to type System.String.
At C:\Users\bob\Documents\Blood\BloodHoundNew.ps1:3406 char:77
+         Get-NetOU -Domain $Domain -DomainController $DomainController -GUID $GPO ...
+                                                                             ~~~~
    + CategoryInfo          : InvalidData: (:) [Get-NetOU], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-NetOU
 
Get-NetSite : Cannot process argument transformation on parameter 'GUID'. Cannot convert value to type System.String.
At C:\Users\bob\Documents\Blood\BloodHoundNew.ps1:3455 char:79
+         Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $G ...
+                                                                               ~~
    + CategoryInfo          : InvalidData: (:) [Get-NetSite], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-NetSite

npm WARN engine [email protected]: wanted: {"node":"~0.10.1"} (current: {"node":"4.3.1","npm":"1.4.21"})
npm WARN optional dep failed, continuing [email protected]

[email protected] postinstall /pentest/BloodHound/node_modules/electron-prebuilt
node install.js

sh: 1: node: not found
npm WARN This failure might be due to the use of legacy binary "node"
npm WARN For further explanations, please read
/usr/share/doc/nodejs/README.Debian

npm ERR! [email protected] postinstall: node install.js
npm ERR! Exit status 127
npm ERR!
npm ERR! Failed at the [email protected] postinstall script.
npm ERR! This is most likely a problem with the electron-prebuilt package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node install.js
npm ERR! You can get their info via:
npm ERR! npm owner ls electron-prebuilt
npm ERR! There is likely additional logging output above.

npm ERR! System Linux 4.6.0-kali1-amd64
npm ERR! command "/usr/bin/nodejs" "/usr/bin/npm" "install"
npm ERR! cwd /pentest/BloodHound
npm ERR! node -v v4.3.1
npm ERR! npm -v 1.4.21
npm ERR! code ELIFECYCLE
npm WARN optional dep failed, continuing [email protected]
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! /pentest/BloodHound/npm-debug.log
npm ERR! not ok code 0

Steps to reproduce:
Clean, fully updated kali VM.
apt-get install npm && apt-get install node.js
npm install

Expected: Everything needed to run bloodhound is in the binary package download

Current: Bloodhound binary requires also downloading the source for the sample database

Request: Include BloodHoundExampleDB.graphdb in binary package. Please also see #50 for including instructions on how to properly move the sample database and get neo4j working with BloodHound

PS N:\BloodHoundCSVs> Get-BloodhoundData | Export-BloodHoundCSV
WARNING: Error converting
CN=S-1-5-21-somenumbershereremoved-somenumbershereremoved-somenumbershereremoved-somenumbershereremove,CN=ForeignSecurityPrincipals,DC=domainname,DC=upperforestname,DC=domainnamehere,DC=dnssuffixhere
You cannot call a method on a null-valued expression.
At N:\Bloodhound\PowerShell\BloodHound.ps1:5433 char:21

•                 $Members = $Result.properties.item("member")
  

•                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

I am trying to run the PS ingestor on a large domain (~50,000 users), and the PS ingestor crashes with out of memory errors. This is a machine with 32GB of ram.

The command used was:

Get-BloodHoundData | Export-BloodHoundCSV -CSVFolder c:\bloodhound\my-csv

The only file generated was:

group_memberships.csv with a file size of 1600kb and it contains 19433 rows of data.

Here are the errors (some of them, they were repeated)

Add-Member : Cannot validate argument on parameter 'NotePropertyName'. Exception of type 'System.OutOfMemoryException'
was thrown.
At C:\BloodHound\PowerShell\BloodHound.ps1:5571 char:47

•                 $GroupMember | Add-Member Noteproperty 'DNSHostNa ...
  

•                                           ~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Add-Member], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.AddMemberCommand

Exception of type 'System.OutOfMemoryException' was thrown.
At C:\BloodHound\PowerShell\BloodHound.ps1:795 char:5

• $ObjectCSV = $InputObject | ConvertTo-Csv -NoTypeInformation
  

• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (:) [], OutOfMemoryException
  • FullyQualifiedErrorId : System.OutOfMemoryException

Exception of type 'System.OutOfMemoryException' was thrown.
At C:\BloodHound\PowerShell\BloodHound.ps1:803 char:9

•     $ObjectCSV | ForEach-Object { $Start=$True }{ if ($Start) {$S ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (:) [], OutOfMemoryException
  • FullyQualifiedErrorId : System.OutOfMemoryException

Exception of type 'System.OutOfMemoryException' was thrown.
At C:\BloodHound\PowerShell\BloodHound.ps1:5505 char:25

•                     $GroupMember = New-Object PSObject
  

•                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (:) [], OutOfMemoryException
  • FullyQualifiedErrorId : System.OutOfMemoryException

HI,
Seems like execution the Powershell in a corporate environment would be very (very) noisy.
Would it be possible to add flags to to include users and computers from text files ?
Let's say we mark our users in advance using "net group "domain admins" /admin" (recursively), and look for OUs with the admin PCs, and only look for these systems and users.
I understand that it will somewhat damage the path creation since we won't have all the data, but it could be a little easier on the IPS\ATA\etc if we reduce our traffic and AD access fingerprint.
Thanks,
Roy

I am trying to import the CSV's that were generated with the new version of the ingester, however Bloodhound seems to have a problem importing the data. For example the group_membership.csv file has over 1.7million entries, however, BH is only showing 117k relationships. Many times when trying to import the data BH goes out to lunch with a solid white screen and has to be killed off via task manager. Not sure how to best import large CSV files into BH.

Other examples are that it only indicates 9800 computers and 8250 users, even though there are at least 7 times that many computers and users in the domain. Also there are no maps being build and several of the pre-built queries don't have any info such as Find all Domain Admins, shortest path to domain admin, etc.

Is there a limit as to what BH can process for data or is there a better way to import the data into neo4j?

I successfully created the 4 CSVs with the PS function, but when I upload them into BloodHound, I get nothing - no data in the database, no errors. Is there any logging happening that I can check out? Is there some basic formula for calculating how long the import will take, based on the size of the CSVs?

Thanks,
Joel

Hi,
first of all - thanks for this wicked tool, really amazing one!
I have everything up and running, all set on Win 2008 P2 server, can pull the data from the DC.
but when I run BloodHound 'client' on separate linux machine [Debian 8, x64]
I cannot list or run any of the 'pre-build analytical queries'.
however, I can see them on the Windows machine just fine.

any ideas?
many thanks

Peter

The "QueryNodeSelect" function in BloodHound/src/components/Float/QueryNodeSelect.jsx is used to gather information from user queryable data. For really large environments it might be easier, in some cases, to allow users to input data for a query.

For instance, selecting all computers with sessions belonging to a specific user or service account. Another example is finding usernames in multiple domains.

With the current model the "nodeSelectQuery" would need to populate ALL users in a dropbox list for selection. It would be easier to just query the BloodHound user for data associated with the username.

I took a quick look at BloodHound/src/components/Float/QueryNodeSelect.jsx did not see a quick and easy way for myself to accomplish this. I figure there should be an easy way to determine if the query field of nodeSelectQuery is empty and then just ask for input.

Example:

 {
             "name" : "Cutaway Test: Search Account Name in All Domains",
             "requireNodeSelect": true,
             "nodeSelectQuery": {
                 "query": "",
                 "onFinish": "MATCH (n:User) WHERE n.name =~ ('(?i){}' + '(?i)@*.') RETURN n",
                 "start": "{}",
                 "end": "",
                 "allowCollapse": false,
                 "boxTitle": "Input Account Name..."
             }
 },

Thank you,
cutaway

I wanted to run Neo4j in a Docker container when testing out BloodHound, as I try to avoid installing Java locally at all costs. To do this, and have it load the example DB included in the repo, I had to rearrange some of the example DB data directories. To keep things simple, I created a data-only Docker image that contains the example DB and exposes the directory so the Neo4j Docker container can easily mount it.

The data-only Docker image is located here if you feel like adding it as part of the Getting Started documentation.

Alternatively, if you would rather me not host your example data publicly under my own account, let me know and I'll take it down.