Setting up BloodHound on macOS

On a recent CTF I needed to set up Bloodhound on macOS and came across some issues. Hope this helps someone in need. :)


Installing a compatible Python version

Because of the way Python 3.8 handles multiprocessing on macOS, you need to downgrade to Python 3.7.3 to be able to use BloodHound.py.

Here's a great StackOverflow answer that explains how to do this downgrade using pyenv:

How to downgrade python version from 3.8 to 3.7 (mac)

After this process you should now have something like:

~ python3 --version
Python 3.7.3

Collecting the data

On Windows, data collection is done with SharpHound:

SharpHound is the official data collector for BloodHound. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

On macOS, you can use BloodHound.py, but you also need an additional tool that resolves the AD domain name to its IP address, since the collector connects to the domain controller by name. I went with DNSChef, but you can choose whatever works best.

So, start by cloning the BloodHound.py and DNSChef projects and install the requirements as specified in their README.md files.

Once both projects are correctly installed, set up dnschef.py so that it resolves your AD domain to the corresponding IP, as mentioned above:

~ sudo sh -c 'python3 dnschef.py --fakeip x.x.x.x --fakedomains abc.local -q'

(20:14:25) [*] DNSChef started on interface: 127.0.0.1
(20:14:25) [*] Using the following nameservers: 8.8.8.8
(20:14:25) [*] Cooking A replies to point to x.x.x.x matching: abc.local

Next, run the BloodHound.py collector, making sure to point it at your "fake" nameserver:

~ python3 ../bloodhound.py -d abc.local -u theusername -p 'thepassword' -dc abc.local -c all -ns 127.0.0.1

INFO: Connecting to LDAP server: abc.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: abc.local
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: XXX1.abc.local
INFO: Querying computer: XXX2.abc.local
INFO: Ignoring host XXX1.abc.local since its hostname does not match: Supplied hostname XXX1.abc.local does not match reported hostnames dc1 or dc1.abc.local
INFO: Done in 00M 08S

This process should write some .json files to your current directory. You'll import and visualise that data in the next step.
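The DNSChef and BloodHound.py steps above, wrapped into one script as an added example (this is not code from the original post or from either project). It assumes the two clones live under `$HOME/tools`, that the AD password is supplied through a `BH_PASS` environment variable rather than on the command line, and that `dig` is available, which it is on a stock macOS install. The script refuses to run on anything but a 3.7.x interpreter, starts DNSChef, waits until the fake resolver actually answers for the domain, runs the collector with the same flags as in the post, and stops DNSChef on exit.

```shell
#!/bin/sh
# Added example wrapping the DNSChef + BloodHound.py procedure.
# Assumed paths (not from the original post); override via the environment.
DNSCHEF_PY="${DNSCHEF_PY:-$HOME/tools/dnschef/dnschef.py}"
BLOODHOUND_PY="${BLOODHOUND_PY:-$HOME/tools/BloodHound.py/bloodhound.py}"
FAKE_NS=127.0.0.1

# Succeeds only for a 3.7.x interpreter, the version the post says works.
# Argument: the text printed by `python3 --version`.
python_is_37() {
    case "$1" in
        "Python 3.7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the collector command line for <domain> <user> <nameserver>,
# mirroring the flags used in the post (-d/-u/-dc/-c all/-ns); the
# password is deliberately left out of the printed line.
bloodhound_cmd() {
    printf 'python3 %s -d %s -u %s -dc %s -c all -ns %s\n' \
        "$BLOODHOUND_PY" "$1" "$2" "$1" "$3"
}

# Counts the *.json files present in a directory (0 when there are none).
count_json() {
    n=0
    for f in "$1"/*.json; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: run_collection <domain> <dc-ip> <username>   (BH_PASS must be set)
run_collection() {
    domain=$1; dc_ip=$2; user=$3
    [ -n "${BH_PASS:-}" ] || { echo "set BH_PASS first" >&2; return 1; }

    ver=$(python3 --version 2>&1)
    python_is_37 "$ver" || { echo "need Python 3.7.x, have: $ver" >&2; return 1; }

    # DNSChef needs root to bind port 53; stop it again when this shell exits.
    sudo python3 "$DNSCHEF_PY" --fakeip "$dc_ip" --fakedomains "$domain" -q &
    dnschef_pid=$!
    trap 'sudo kill "$dnschef_pid" 2>/dev/null' EXIT

    # Wait (up to 10 s) until the fake resolver answers with the DC address.
    i=0
    until [ "$(dig +short @"$FAKE_NS" "$domain")" = "$dc_ip" ]; do
        i=$((i + 1))
        [ "$i" -lt 10 ] || { echo "resolver not answering for $domain" >&2; return 1; }
        sleep 1
    done

    before=$(count_json .)
    echo "running: $(bloodhound_cmd "$domain" "$user" "$FAKE_NS")"
    # Password comes from the environment so it stays out of shell history.
    python3 "$BLOODHOUND_PY" -d "$domain" -u "$user" -p "$BH_PASS" \
        -dc "$domain" -c all -ns "$FAKE_NS"
    after=$(count_json .)
    echo "wrote $((after - before)) json file(s) to $(pwd)"
}

# Only start a collection when domain, DC IP and username were given.
if [ "$#" -ge 3 ]; then
    run_collection "$@"
fi
```

Run it as `BH_PASS='thepassword' sh collect.sh abc.local x.x.x.x theusername` from the directory where you want the .json files to land. The resolver wait loop is the part most worth keeping even if you script this differently: if DNSChef has not come up yet, BloodHound.py fails on the first LDAP connection with a resolution error that looks like a credential or network problem.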


Visualising the data

Start by downloading the macOS versions of both neo4j Community Edition Server and Bloodhound GUI.

Then, go to the directory where you downloaded neo4j and run:

~ tar -xf neo4j-community-x.x.x-unix.tar
~ cd neo4j-community-x.x.x/bin
~ ./neo4j console

Once the neo4j console is running, open http://localhost:7474 and authenticate with the default credentials neo4j/neo4j.

You'll be prompted to change the password; save the new credentials, as you'll need them in the next step.

Now, go to the directory where you downloaded Bloodhound GUI and launch the app.

Leave the default DB URL and enter the credentials you just set for neo4j.

After logging in, you'll see an upload icon on the right side. Click it and import the .json files written in the previous step.

You should now have everything you need to visualise your AD info using Bloodhound!