# bloodhound-import

bloodhound-import is a tool that runs the SharpHound collector and imports its JSON data into the Neo4j database used by BloodHound. The SharpHound binary is embedded in this app and is executed in memory using go-donut (donut). bloodhound-import can also be used to just upload existing BloodHound JSON files to the database using the `--bhi-upload-only` flag.

Note: AzureAD data is not supported.
## execute and upload (windows only)

The following command will execute SharpHound with the flags `--CollectionMethod All --SkipPortScan` and, once it has completed, parse and upload the JSON data to the Neo4j database at `localhost:7687`.

```powershell
$env:BHI_NEO4J_PASSWORD="P@ssw0rd"
.\bloodhound-import.exe `
  --bhi-neo4j-url "bolt://localhost:7687" `
  --bhi-neo4j-username "neo4j" `
  --bhi-target-directory "C:\temp\bloodhound-import-output" `
  --CollectionMethod All `
  --SkipPortScan
```
## upload only

The following command will only upload BloodHound data to Neo4j:

```bash
export BHI_NEO4J_URL="bolt+s://neo-db-url:443"
export BHI_NEO4J_PASSWORD="P@ssw0rd"
./bloodhound-import --bhi-upload-only --bhi-delete-exiting-data --bhi-target-directory ./data
```
| ARGS | ENV variable | example / explanation |
|---|---|---|
| `--bhi-neo4j-url` | `BHI_NEO4J_URL` | Neo4j DB URL; it should include scheme and port, e.g. `bolt://[IP/Host]:7687` or `bolt+s://[IP/Host]:443`. Default: `bolt://localhost:7687` |
| `--bhi-neo4j-username` | `BHI_NEO4J_USERNAME` | DB username for basic auth. Default: `neo4j` |
| `--bhi-neo4j-password` | `BHI_NEO4J_PASSWORD` | DB password for basic auth |
| `--bhi-target-directory` | `BHI_NEO4J_PASSWORD` | Folder where all unzipped SharpHound JSON files are exported and then uploaded to Neo4j. It is also the location of the JSON data in upload-only mode |
| `--bhi-upload-only` | | Use upload-only mode without running the SharpHound collector. Default: `false` |
| `--bhi-delete-exiting-data` | | When specified, ALL existing data in the database will be deleted before uploading new data. Default: `false` |
| `--bhi-delete-json-file` | | Delete JSON files from the target folder after the upload is completed. Default: `false` |
| `--bhi-logfile` | | Location of the log file |
| `--bhi-log-level` | | Set the logging level. Default: `info` |
| ARGS | example / explanation |
|---|---|
| `--CollectionMethod` | Specifies the collection method being used. |
| `--OutputPrefix` | Prefix to add to output files |
| `--Stealth` | Use stealth collection options; will sacrifice data quality in favour of much reduced. Default: `false` |
| `--Domain` | Specifies the domain to enumerate. If not specified, enumerates the domain of the current user context. |
| `--WindowsOnly` | Limits computer collection to systems whose operating system attribute matches Windows. Default: `false` |
| `--ComputerFile` | A file containing a list of computers to enumerate. |
| `--LdapFilter` | Append this LDAP filter to the search filter to further filter the enumerated results |
| `--SearchBase` | DistinguishedName to start LDAP searches at. Equivalent to the old `--OU` option |
| `--PrettyJSON` | Output 'pretty' JSON with formatting for readability. Default: `false` |
| `--CacheFilename` | Name for the cache file dropped to disk. Default: unique hash generated per machine |
| `--RandomizeFilenames` | Randomize file names completely. Default: `false` |
| `--NoSaveCache` | Don't write the cache file to disk. Caching will still be performed in memory. Default: `false` |
| `--InvalidateCache` | Invalidate and rebuild the cache file. Default: `false` |
| `--DomainController` | Domain controller to connect to. Specifying this can result in data loss |
| `--LdapPort` | Port LDAP is running on. Defaults to 389, or 686 for LDAPS |
| `--SecureLDAP` | Connect to LDAPS (LDAP over SSL) instead of regular LDAP. Default: `false` |
| `--DisableKerberosSigning` | Disables Kerberos signing/sealing, making LDAP traffic viewable. Default: `false` |
| `--LdapUsername` | Username for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers |
| `--LdapPassword` | Password for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers |
| `--SkipPortScan` | Skip SMB port checks when connecting to computers. Default: `false` |
| `--PortScanTimeout` | Timeout for SMB port checks. Default: `"2000"` |
| `--ExcludeDomainControllers` | Exclude domain controllers from enumeration (useful to avoid Microsoft ATP/ATA). Default: `false` |
| `--Throttle` | Throttle requests to computers (in milliseconds) |
| `--Jitter` | Add jitter to throttle |
| `--OverrideUserName` | Override username to filter for NetSessionEnum |
| `--NoRegistryLoggedOn` | Disable the remote registry check in LoggedOn collection. Default: `false` |
| `--DumpComputerStatus` | Dumps error codes from attempts to connect to computers. Default: `false` |
| `--RealDNSName` | Overrides the DNS name used for API calls |
| `--CollectAllProperties` | Collect all string LDAP properties on objects. Default: `false` |
| `--StatusInterval` | Interval for displaying status, in milliseconds |
The following SharpHound config flags are not supported by bloodhound-import:

`OutputDirectory`¹, `EncryptZip`, `ZipFilename`, `NoZip`, `Loop`, `LoopDuration`, `LoopInterval`

¹ `--OutputDirectory` is set to the value of `--bhi-target-directory`.
While importing data into Neo4j, the app creates the following types of nodes and relationships based on the BloodHound JSON data:

```cypher
(:Base :$objectType {objectid: $objectid} {$object.properties})
(:User|Computer) -- [:MemberOf] --> (:Group)
(:User|Computer) -- [:AllowedToDelegate] --> (:Computer)
(:User) -- [:HasSIDHistory] --> (:MemberType)
(:User) -- [:service {port: item.port}] --> (:Computer)
(:MemberType) -- [:AllowedToAct] --> (:Computer)
(:Computer) -- [:HasSession] --> (:User)
(:MemberType) -- [:AdminTo {fromgpo: false|true}] --> (:Computer)
(:MemberType) -- [:CanRDP {fromgpo: false|true}] --> (:Computer)
(:MemberType) -- [:ExecuteDCOM {fromgpo: false|true}] --> (:Computer)
(:MemberType) -- [:CanPSRemote {fromgpo: false|true}] --> (:Computer)
(:GPO) -- [:GpLink {enforced: item.enforced}] --> (:OU|Domain)
(:OU|Domain) -- [:Contains] --> (:User|Computer|OU)
(:Domain) -- [:TrustedBy {sidfiltering: x, trusttype: y, transitive: z}] --> (:Domain)
(n) -[r:TYPE {isacl: true, isinherited: false|true}]-> (m)
```

where `TYPE` is one of: `AllExtendedRights`, `ForceChangePassword`, `AddMember`, `AddAllowedToAct`, `GenericAll`, `WriteDacl`, `WriteOwner`, `GenericWrite`, `Owns`, `ReadLAPSPassword`, `ReadGMSAPassword`, `AceTyp`
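To make the model above concrete, here is an added Python example (not part of bloodhound-import) that turns one constructed SharpHound group object into parameterised Cypher MERGE statements for the `Base`/`MemberOf`/ACL patterns listed above, and allow-lists the labels and relationship types: Neo4j cannot take those as query parameters, so they end up interpolated into the query text and must never come straight from collector output. The v3 field names (`ObjectIdentifier`, `Members[].MemberId/MemberType`, `Aces[].RightName/PrincipalSID/PrincipalType/IsInherited`) are assumptions about the input format.

```python
import json

# Allow-lists taken from the README's model. Labels and relationship types are
# interpolated into the query text (they cannot be parameters), so only these
# known values may reach it; everything else travels as a bound parameter.
NODE_TYPES = {"User", "Computer", "Group", "Domain", "OU", "GPO"}
ACL_TYPES = {"AllExtendedRights", "ForceChangePassword", "AddMember", "AddAllowedToAct",
             "GenericAll", "WriteDacl", "WriteOwner", "GenericWrite", "Owns",
             "ReadLAPSPassword", "ReadGMSAPassword"}

def _check(value, allowed, what):
    """Return value if it is allow-listed; otherwise refuse to build the query."""
    if value not in allowed:
        raise ValueError(f"unexpected {what}: {value!r}")
    return value

def cypher_for_object(obj, object_type):
    """Return (query, params) pairs that MERGE one object, its MemberOf edges and
    its ACL edges, following the README's node/relationship model."""
    oid = obj["ObjectIdentifier"]
    label = _check(object_type, NODE_TYPES, "object type")
    stmts = [(f"MERGE (n:Base {{objectid: $objectid}}) SET n:{label}, n += $props",
              {"objectid": oid, "props": obj.get("Properties", {})})]
    for m in obj.get("Members", []):  # (:User|Computer) -- [:MemberOf] --> (:Group)
        mlabel = _check(m["MemberType"], NODE_TYPES, "member type")
        stmts.append((f"MERGE (m:Base {{objectid: $mid}}) SET m:{mlabel} "
                      f"MERGE (g:Base {{objectid: $gid}}) SET g:Group "
                      "MERGE (m)-[:MemberOf]->(g)",
                      {"mid": m["MemberId"], "gid": oid}))
    for ace in obj.get("Aces", []):  # (n) -[r:TYPE {isacl: true, isinherited}]-> (m)
        rtype = _check(ace["RightName"], ACL_TYPES, "ACE right")
        plabel = _check(ace["PrincipalType"], NODE_TYPES, "principal type")
        stmts.append((f"MERGE (p:Base {{objectid: $pid}}) SET p:{plabel} "
                      f"MERGE (t:Base {{objectid: $tid}}) "
                      f"MERGE (p)-[r:{rtype} {{isacl: true}}]->(t) SET r.isinherited = $inh",
                      {"pid": ace["PrincipalSID"], "tid": oid, "inh": bool(ace["IsInherited"])}))
    return stmts

# Constructed sample in the SharpHound v3 groups.json layout (an assumption about
# the format); the SIDs and names are made up for this example.
SAMPLE_GROUP = json.loads("""{
  "ObjectIdentifier": "S-1-5-21-1111-2222-3333-512",
  "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "highvalue": true},
  "Members": [{"MemberId": "S-1-5-21-1111-2222-3333-1105", "MemberType": "User"}],
  "Aces": [{"PrincipalSID": "S-1-5-21-1111-2222-3333-519", "PrincipalType": "Group",
            "RightName": "GenericAll", "AceType": "", "IsInherited": false}]
}""")
```

Each returned pair can be handed to a Neo4j driver session as `run(query, params)`; a value that is not in the allow-lists aborts the import instead of being spliced into Cypher.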