Setting up Bloodhound on macOS

On a recent CTF I needed to set up Bloodhound on macOS and came across some issues. Hope this helps someone in need. :)

Installing a compatible Python version

Because of the way in which Python 3.8 handles multiprocessing in macOS you need to downgrade to Python 3.7.3 to be able to use

Here's a great StackOverflow answer that explains how to do this downgrade using pyenv:

How to downgrade python version from 3.8 to 3.7 (mac)

After this process you should now have something like:

~ python3 --version
Python 3.7.3

Collecting the data

On Windows, data collection is done with SharpHound:

SharpHound is the official data collector for BloodHound. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

On macOS, you can use, but you also need an additional tool that resolves the AD domain to its IP. I went with DNSChef but you can choose whatever works best.

So, start by cloning the and projects and install the requirements as specified on the files.

Once both projects are correctly installed, you need to set up so that it resolves your AD domain to its corresponding IP, as previously mentioned:

~ sudo sh -c 'python3 --fakeip x.x.x.x --fakedomains abc.local -q'

(20:14:25) [*] DNSChef started on interface:
(20:14:25) [*] Using the following nameservers:
(20:14:25) [*] Cooking A replies to point to x.x.x.x matching: abc.local

Next, you can run the Bloodhound script, but make sure to point to your "fake" nameserver:

~ python3 ../ -d abc.local -u theusername -p 'thepassword' -dc abc.local -c all -ns

INFO: Connecting to LDAP server: abc.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: abc.local
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Ignoring host since its hostname does not match: Supplied hostname does not match reported hostnames dc1 or
INFO: Done in 00M 08S

This process should output some .json files to your local directory. You'll be able to import and visualise the data in the next step.
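A quick way to sanity-check those .json files before importing them, as an added example that is not part of the original post or of the collector project. It assumes each file carries a `meta` object with `type` and `count` and keeps its objects under `data` or under a key named after the type; `check_file`, `check_export` and `demo` are names made up here, and the sample files are constructed.

```python
import json
import sys
import tempfile
from pathlib import Path


def check_file(path):
    """Validate one collector output file; returns a dict describing it."""
    try:
        doc = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except ValueError as exc:  # truncated, non-JSON or badly encoded file
        return {"ok": False, "error": f"invalid JSON: {exc}"}
    meta = doc.get("meta") if isinstance(doc, dict) else None
    if not isinstance(meta, dict) or not isinstance(meta.get("type"), str):
        return {"ok": False, "error": "missing meta.type"}
    # Assumed layout: object list under "data", or under a key named after meta.type.
    objects = doc.get("data", doc.get(meta["type"]))
    if not isinstance(objects, list):
        return {"ok": False, "error": "no object list found"}
    declared = meta.get("count")
    matches = declared == len(objects)
    return {"ok": matches, "type": meta["type"], "declared": declared,
            "actual": len(objects), "error": None if matches else "meta.count mismatch"}


def check_export(directory):
    """Check every *.json file in directory; returns {filename: result}."""
    return {p.name: check_file(p) for p in sorted(Path(directory).glob("*.json"))}


def demo():
    """Run the check on constructed sample files (not real collector output)."""
    samples = {
        "users.json": '{"data": [{"Properties": {"name": "ALICE@ABC.LOCAL"}}],'
                      ' "meta": {"type": "users", "count": 1}}',
        "groups.json": '{"groups": [], "meta": {"type": "groups", "count": 2}}',
        "computers.json": '{"data": [{"Properties": {"na',  # cut off mid-write
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return check_export(tmp)


if __name__ == "__main__":
    results = check_export(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, r in results.items():
        print("OK  " if r["ok"] else "FAIL", name, r.get("type", "?"),
              r.get("actual", "-"), r["error"] or "")
    sys.exit(0 if results and all(r["ok"] for r in results.values()) else 1)
```

Pass the output directory as the first argument to check real files; with no argument it runs on the constructed samples.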

Visualising the data

Start by downloading the macOS versions of both neo4j Community Edition Server and Bloodhound GUI.

Then, go to the directory where you downloaded neo4j and run:

~ tar -xf neo4j-community-x.x.x-unix.tar
~ cd neo4j-community-x.x.x/bin
~ ./neo4j console

Once the neo4j console application is running, go to http://localhost:7474 and authenticate with credentials: neo4j/neo4j.

You'll be prompted to change the password, so make sure to save these new creds; you'll need them for the next step.

Now, go to the directory where you downloaded Bloodhound GUI and launch the app.

Leave the default DB URL and enter the same credentials you just set up for neo4j.

After logging in, on the right side, you'll see an icon to upload data. Click on the icon and import the .json files generated in the previous step.

You should now have everything you need to visualise your AD info using Bloodhound!