A CLI tool to interact with the BloodHound CE API.
BloodHound by SpecterOps is the tool to work with Active Directory attack paths, taking advantage of modeling security-relevant relationships in a graph with nodes and edges.
Once filled with data, the BloodHound database is also a great source of information useful beyond the BloodHound GUI.
A lot of information you typically dump from LDAP is already available in BloodHound.
bhcli
makes this information accessible on the commandline.
Retrieve lists of user names for further processing, grep in the description field, or even run custom Cypher queries.
bhcli
can also mark a bunch of objects as owned, import/export your custom queries and might perform an audit to search for interesting permissions.
Check the help message below for all features.
This tool is not published on PyPi yet, but as with any Python tool, just fetch the repository and install it.
For example using a virtualenv and pip
:
$ git clone https://github.com/exploide/bloodhound-cli.git
$ cd bloodhound-cli
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install .
Or using pipx
which handles the virtualenv automatically:
$ git clone https://github.com/exploide/bloodhound-cli.git
$ cd bloodhound-cli
$ pipx install .
Thanks to the Click framework, you can get tab completion for the bhcli
command for free.
At least if your shell is bash, zsh or fish.
See the click documentation if you want to enable this feature.
$ bhcli --help
Usage: bhcli [OPTIONS] COMMAND [ARGS]...
CLI tool to interact with the BloodHound CE API
Options:
--debug Enable debug output.
--version Show the version and exit.
-h, --help Show this message and exit.
Commands:
audit Audit domains for potential security issues.
auth Authenticate to the server and configure an API token.
computers Get lists of computers.
cypher Run a raw Cypher query and print the response as JSON.
domains Get lists of domains.
groups Get lists of groups.
mark Mark objects as belonging to an asset group.
members Get lists of group members.
queries Import and export custom queries.
stats Get statistics on domains.
upload Upload and ingest files from the BloodHound collector.
users Get lists of users.
Passing -h
to any of the subcommands will show the usage for the specific subcommand.
The auth
subcommand is used to do the initial authentication to the BloodHound server, create a new API token and store it in the config file.
The config file is by default located at $HOME/.config/bhcli/bhcli.ini
but respects $XDG_CONFIG_HOME
.
$ bhcli auth http://localhost:8080
Username: admin
Password:
INFO: Authenticating to the BloodHound server...
INFO: Creating new API token...
INFO: Storing API token to config file: /home/user/.config/bhcli/bhcli.ini
INFO: bhcli is now configured and ready to access the API.
The upload
subcommand can be used to ingest data from JSON or ZIP files into the BloodHound database.
$ bhcli upload *.zip
INFO: Starting new file upload job...
INFO: Uploading file 20240404165636_BloodHound.zip
INFO: Ending file upload job...
INFO: Now waiting for ingestion being complete...
INFO: Ingestion completed, the data is now available.
The domains
subcommand outputs the domains known to BloodHound.
$ bhcli domains --sid
DEV.CONTOSO.COM S-1-5-21-3196737421-3229850471-3263425470
CONTOSO.COM S-1-5-21-1625355769-4140374492-270706875
The users
subcommand outputs lists of user objects.
$ bhcli users --domain dev.contoso.com --enabled --description
[email protected] Built-in account for administering the computer/domain
[email protected]
[email protected]
[email protected]
...
The computers
subcommand outputs lists of computer objects.
$ bhcli computers --domain dev.contoso.com --sam
DC02.DEV.CONTOSO.COM DC02$
WEB06.DEV.CONTOSO.COM WEB06$
...
The groups
subcommand outputs lists of group objects.
$ bhcli groups
ACCESS CONTROL ASSISTANCE [email protected]
ACCOUNT [email protected]
[email protected]
ALLOWED RODC PASSWORD REPLICATION [email protected]
...
The members
subcommand outputs lists of group members.
$ bhcli members --indirect 'DOMAIN [email protected]'
[email protected]
[email protected]
...
The stats
subcommand is useful to get a statistical overview about the domain.
$ bhcli stats -d contoso.com
┌────────────────────┬─────────┬─────────┐
│ CONTOSO.COM │ all │ enabled │
├────────────────────┼─────────┼─────────┤
│ User Accounts │ 40 │ 25 │
│ Computer Accounts │ 11 │ 10 │
│ Domain Admins │ 4 │ 3 │
│ Domain Controllers │ 1 │ 1 │
│ Protected Users │ 0 │ 0 │
│ Groups │ 84 │ │
│ Root CAs │ 1 │ │
│ Enterprise CAs │ 2 │ │
│ Cert Templates │ 43 │ │
└────────────────────┴─────────┴─────────┘
The audit
subcommand reports potential security issues within the domain, which might lead to a quick win.
$ bhcli audit -d contoso.com
CONTOSO.COM
=========
[*] Interesting privileges for domain users or computers
2 relations found
Group Relation Target Kind of Target
AUTHENTICATED [email protected] ADCSESC1 CONTOSO.COM Domain
[email protected] GenericWrite [email protected] User
[*] Interesting privileges for guests
0 relations found
[*] Kerberoastable user accounts of high value (enabled, no MSA/gMSA)
1 accounts found
[email protected]
[*] AS-REP-roastable user accounts (enabled)
1 accounts found
[email protected]
[*] Accounts trusted for unconstrained delegation (enabled, no DCs)
1 accounts found
APPSRV02.CONTOSO.COM
The mark
subcommand allows to mark a bunch of user and computer objects as belonging to an asset group.
BloodHound comes with the asset groups owned
and admin_tier_0
by default, but custom groups can be created, too.
$ bhcli mark owned --file successful_password_spraying.txt
INFO: Marked 6 objects as owned.
The queries
subcommand allows to import and export custom Cypher queries.
The import file must either be in the format that the --save
option produces or in the legacy Bloodhound's customqueries.json
format.
Note that not everything from the latter might be compatible.
$ bhcli queries my-bloodhound-queries.json
INFO: Imported 12 custom queries.
The cypher
subcommand lets you directly run a Cypher query against the database.
It outputs JSON data which can be further processed, e.g. with jq
.
$ bhcli cypher 'MATCH (c:Computer) RETURN c' | jq -c '.nodes[].properties | [.name, .haslaps]'
["WEB06.DEV.CONTOSO.COM",true]
["DC02.DEV.CONTOSO.COM",false]