Using BloodHound (Legacy and CE) - SethBodine/audit-tools GitHub Wiki
Using BloodHound
BloodHound maps Active Directory and Azure AD environments to reveal attack paths that would otherwise be invisible. It ingests data collected by SharpHound (on-prem AD) or AzureHound (Azure AD / Entra ID) and lets you run graph queries to find privilege escalation routes and risky relationships.
BloodHound runs in separate containers alongside the main audit-tools container. Two editions are available:
- BloodHound CE (Community Edition) - current, actively maintained, recommended
- BloodHound Legacy - end of life, documented here for reference only
BloodHound CE
Install
cd /opt
mkdir BloodHoundCE && cd BloodHoundCE
wget https://github.com/SpecterOps/BloodHound/raw/main/examples/docker-compose/docker-compose.yml
podman compose -f docker-compose.yml up
Note: Refer to the BloodHound CE install guide if podman compose has issues with the one-liner installation.
Access
- Navigate to http://localhost:8080
- Log in as Admin using the password shown during installation
- Change the password and record it securely
Importing Data
- Click Administration in the left menu
- Under Data Collection, select File Ingest
- Click Upload File(s) and select the JSON files produced by AzureHound or SharpHound
Note: BloodHound CE only accepts JSON files. If the collector produced a ZIP, extract it first.
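As an added example (not part of this wiki or of the audit-tools project), a small Python helper that unpacks collector ZIPs and sanity-checks each JSON file before it is handed to File Ingest, so a truncated or non-JSON file is caught locally instead of failing in the upload. The `data`/`meta` layout it checks is assumed from SharpHound/AzureHound output, and the sample archive it builds is constructed for the demo.

```python
import json
import tempfile
import zipfile
from pathlib import Path

def extract_collector_zips(src_dir, dest_dir):
    """Unpack the .json members of every ZIP in src_dir into dest_dir; return their paths."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    for archive in Path(src_dir).glob("*.zip"):
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                member = Path(name)
                # Keep only JSON members and flatten to the bare file name, so a
                # crafted archive path cannot write outside dest_dir (zip-slip).
                if member.suffix.lower() != ".json":
                    continue
                (dest / member.name).write_bytes(zf.read(name))
    return sorted(dest.glob("*.json"))

def validate_collector_json(path):
    """Return (ok, reason) for one file before it is handed to File Ingest."""
    try:  # utf-8-sig also tolerates a UTF-8 BOM at the start of the file
        doc = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return False, f"not valid JSON: {exc}"
    # Assumed collector layout (SharpHound/AzureHound output, not defined by the
    # wiki): a top-level "data" array plus a "meta" object with "type" and "count".
    if not isinstance(doc, dict) or "data" not in doc or "meta" not in doc:
        return False, "missing top-level 'data' or 'meta'"
    if not all(k in doc["meta"] for k in ("type", "count")):
        return False, "meta lacks 'type' or 'count'"
    if doc["meta"]["count"] != len(doc["data"]):
        return False, f"meta.count is {doc['meta']['count']} but data has {len(doc['data'])} records"
    return True, f"{doc['meta']['type']}: {doc['meta']['count']} records"

def run_demo():
    """Constructed sample ZIP: one good file, one truncated file, one non-JSON member."""
    good = {"data": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1000"}],
            "meta": {"methods": 0, "type": "users", "count": 1, "version": 5}}
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp) / "sharphound.zip", "w") as zf:
            zf.writestr("20240101_users.json", json.dumps(good))
            zf.writestr("20240101_computers.json", '{"data": [], "meta": {"type": "computers", "count": 3')
            zf.writestr("README.txt", "not ingestible")
        files = extract_collector_zips(tmp, Path(tmp) / "json")
        return {p.name: validate_collector_json(p) for p in files}
```

`run_demo()` returns a mapping of file name to `(ok, reason)`; point `extract_collector_zips` at the directory holding your collector ZIPs and upload only the files that validate.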
Queries
Use the built-in queries from the Explore menu. Custom queries are not yet available in CE.
Reset the Database
podman volume rm $(podman volume ls -q | grep neo4j-data)
BloodHound Legacy
Note: BloodHound Legacy is end of life and no longer maintained.
Install
- Install Kali Linux in a VM
- Install BloodHound Legacy from the Kali repositories
- Optionally run bqm to generate custom queries
Running
Launch BloodHound from the Kali start menu.
Data Import and Custom Queries
TBC
Known Issues
TBC