
BloodHound CE Update #138

Open
Cyb3rC3lt opened this issue Aug 9, 2023 · 13 comments

Comments

@Cyb3rC3lt

Hi Dirk,

Just wondering if your legendary Python BloodHound ingestion client will be updated for BloodHound CE? Until then, we Kali users are all stuck on old BloodHound!

Thanks

@dirkjanm
Owner

dirkjanm commented Aug 9, 2023

Hey, absolutely, there are some small changes to the data model that I'll process to ensure CE compatibility. Just need to find some time to add and test everything.

@Cyb3rC3lt
Author

Hey, absolutely, there are some small changes to the data model that I'll process to ensure CE compatibility. Just need to find some time to add and test everything.

Excellent news, thanks very much 😊

@Phaedrik

Phaedrik commented Aug 9, 2023

Hey dirk, love to see the news. I've spent some time comparing the models between your json and SharpHound CE and maybe I'm not quite understanding how json works but both look similar with of course Sharphound providing more data. It looks like things got switched around in terms of indexing but nothing I'd consider to break ingestion to the degree it has.


If you do have time to explain what I'm missing here, would be greatly appreciated.

@dirkjanm
Owner

BloodHound CE compatibility is now available for testing from the bloodhound-ce branch

@Cyb3rC3lt
Author

Great job Dirk, thanks a lot. Will try to find some time to give it a test

@Selora

Selora commented Nov 28, 2023

Hey there,

Just noticing that the RDP, DCOM and PSREmote computer attributes are not being populated anymore.

They do show when enabling debug; they're definitely pulled with the rpc_get_group_members function:

DEBUG: Found 580 SID: S-1-5-21-2241985869-2159962460-1278545866-1106
DEBUG: Sid is cached: [email protected]

However, the 'localgroup' attribute, which seems to be the new v6 ingestion destination for such attributes, is empty.

@dirkjanm
Owner

hey @Selora, is this for all hosts or just for specific ones? The collection works fine in my test environment for these groups.

@Selora

Selora commented Nov 29, 2023

Hey @dirkjanm

It's a small lab, just a single DC. The user is in RDP and PSRemote but it's not showing up in the end-result, just when enabling the debug output with -v.

Running with --Collectors All, LoggedOn

Previously it was stored in a dictionary. I see the new code stores it in the localgroup attribute, but it's empty in the resulting .json file.

I wish I had more time to debug this and try it against other environments; I know this isn't super helpful. Since it's a new release, I thought I'd bring it up in case you might have a quick fix in mind.

Thanks again and much love for all the tools and research!

@dirkjanm
Owner

Ah, on the DC that makes sense, these are explicitly ignored in the output for Domain Controllers, they should be populated in the groups JSON file instead.

@Selora

Selora commented Nov 29, 2023

Makes sense, I do see it in the groups output.

Thanks!

@spyr0-sec

@dirkjanm as discussed on Slack, the domains json object is missing a "collected" key which is why it doesn't appear in the Data Quality page
https://github.com/dirkjanm/BloodHound.py/blob/bloodhound-ce/bloodhound/enumeration/domains.py#L115
so just needs a "collected": true added to the Properties node (Sorry I would add this myself but don't have perms to PR to the fork)
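The two data-quality problems raised in this thread (domain entries without "collected": true, and the LocalGroups list on computers being empty while the DC's RDP/DCOM/PSRemote membership is written to the groups file instead) are both easy to catch before ingestion with a small checker over the emitted JSON. The script below is an added example written for this page, not code from BloodHound.py or SharpHound; the "meta"/"data" file layout and the "Properties" and "LocalGroups" key names are assumptions about the CE v6 format, and every SID and hostname in it is constructed.

```python
import json

# Constructed samples in the BloodHound CE (version 6) JSON layout. The top-level
# "meta"/"data" split and the "Properties" and "LocalGroups" key names are
# assumptions about the format; the SIDs and hostnames are made up.
DOMAINS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333",
            # "collected": true is absent, which hides the domain from Data Quality
            "Properties": {"name": "EXAMPLE.LOCAL", "domain": "EXAMPLE.LOCAL"},
        }
    ],
    "meta": {"type": "domains", "version": 6, "count": 1},
})

COMPUTERS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1000",
            "Properties": {"name": "DC01.EXAMPLE.LOCAL"},
            "LocalGroups": [],  # empty by design: DC local groups live in the groups file
        },
        {
            "ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1001",
            "Properties": {"name": "WS01.EXAMPLE.LOCAL"},
            "LocalGroups": [],  # suspicious: a member host with nothing collected
        },
        {
            "ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1002",
            "Properties": {"name": "WS02.EXAMPLE.LOCAL"},
            "LocalGroups": [
                {
                    "Name": "REMOTE DESKTOP USERS@WS02.EXAMPLE.LOCAL",
                    "Collected": True,
                    "Results": [
                        {"ObjectIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1106",
                         "ObjectType": "User"}
                    ],
                }
            ],
        },
    ],
    "meta": {"type": "computers", "version": 6, "count": 3},
})


def load_ce_file(text):
    """Parse one CE output file and return (meta, data); fail loudly on the wrong shape."""
    doc = json.loads(text)
    if not isinstance(doc.get("data"), list) or "meta" not in doc:
        raise ValueError("not a BloodHound CE v6 file: expected top-level 'meta' and 'data'")
    return doc["meta"], doc["data"]


def domains_missing_collected(text):
    """Names of domain entries whose Properties lack "collected": true."""
    _, data = load_ce_file(text)
    return [
        entry.get("Properties", {}).get("name", entry.get("ObjectIdentifier"))
        for entry in data
        if entry.get("Properties", {}).get("collected") is not True
    ]


def fix_collected(text):
    """Return the domains JSON with "collected": true added wherever it is missing."""
    doc = json.loads(text)
    for entry in doc["data"]:
        entry.setdefault("Properties", {}).setdefault("collected", True)
    return json.dumps(doc)


def computers_with_empty_localgroups(text, dc_names):
    """Non-DC computers whose LocalGroups list is empty.

    Domain controllers are skipped on purpose: the ingestor leaves their local
    groups out of the computers output and writes that membership to the
    groups file instead, so an empty list there is expected, not a bug."""
    _, data = load_ce_file(text)
    dcs = {name.upper() for name in dc_names}
    return [
        entry["Properties"]["name"]
        for entry in data
        if entry["Properties"]["name"].upper() not in dcs and not entry.get("LocalGroups")
    ]


if __name__ == "__main__":
    print("domains without collected:", domains_missing_collected(DOMAINS_JSON))
    print("after fix:", domains_missing_collected(fix_collected(DOMAINS_JSON)))
    print("non-DC hosts with empty LocalGroups:",
          computers_with_empty_localgroups(COMPUTERS_JSON, {"DC01.EXAMPLE.LOCAL"}))
```

Run it against a real set of output files by swapping the constructed strings for the file contents; the DC name set is supplied by the caller because the checker should not guess which hosts are domain controllers from the computers file alone.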

@dirkjanm
Owner

thanks @spyr0-sec, added that one in the output

@exploide

Great to see BloodHound CE support in BloodHound.py. :)

Unfortunately, I'm missing an ExecuteDCOM edge between a user and the DC. The edge is only missing when using the bloodhound-ce branch with BloodHound CE. It is there when using newest SharpHound with BloodHound CE and it is also there when using the master branch of BloodHound.py together with legacy BloodHound. So I suspect this is a bug. Noticed this in a single DC environment (HackTheBox).


6 participants