Skip to main content

Parse output from common sources and transform it into BloodHound-ingestible data

Project description

              _____________________________ __    __    ______    __    __   __   __   _______
             |   _   /  /  __   / |   ____/|  |  |  |  /  __  \  |  |  |  | |  \ |  | |       \
             |  |_)  | |  |  |  | |  |__   |  |__|  | |  |  |  | |  |  |  | |   \|  | |  .--.  |
             |   _  <  |  |  |  | |   __|  |   __   | |  |  |  | |  |  |  | |  . `  | |  |  |  |
             |  |_)  | |  `--'  | |  |     |  |  |  | |  `--'  | |  `--'  | |  |\   | |  '--'  |
             |______/   \______/  |__|     |__|  |___\_\________\_\________\|__| \___\|_________\
           
                                         << @coffeegist | @Tw1sm >>

Python PyPi

BOFHound is an offline BloodHound ingestor and LDAP result parser compatible with TrustedSec's ldapsearch BOF, the Python adaptation, pyldapsearch and Brute Ratel's LDAP Sentinel. ldapsearch BOF logs can also be parsed from Havoc logs.

By parsing log files generated by the aforementioned tools, BOFHound allows operators to utilize BloodHound's beloved interface while maintaining full control over the LDAP queries being run and the spped at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.

Check this PR to the SA BOF repo for BOFs that collect session and local group membership data and can be parsed by BOFHound.

References

Blog Posts:

Title Date
BOFHound: AD CS Integration Oct 30, 2024
BOFHound: Session Integration Jan 30, 2024
Granularize Your AD Recon Game Part 2 Jun 15, 2022
Granularize Your AD Recon Game May 10, 2022

Presentations:

Conference Materials Date
SO-CON 2024 Slides & Recording Mar 11, 2024

Installation

BOFHound can be installed with pip3 install bofhound or by cloning this repository and running pip3 install .

Usage

 Usage: bofhound [OPTIONS]                                                                                  
                                                                                                            
 Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's    
 LDAP Sentinel                                                                                              
                                                                                                            
╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --input             -i      TEXT                     Directory or file containing logs of ldapsearch     │
│                                                      results                                             │
│                                                      [default: /opt/cobaltstrike/logs]                   │
│ --output            -o      TEXT                     Location to export bloodhound files [default: .]    │
│ --properties-level  -p      [Standard|Member|All]    Change the verbosity of properties exported to      │
│                                                      JSON: Standard - Common BH properties | Member -    │
│                                                      Includes MemberOf and Member | All - Includes all   │
│                                                      properties                                          │
│                                                      [default: Member]                                   │
│ --parser                    [ldapsearch|BRC4|Havoc]  Parser to use for log files. ldapsearch parser      │
│                                                      (default) supports ldapsearch BOF logs from Cobalt  │
│                                                      Strike and pyldapsearch logs                        │
│                                                      [default: ldapsearch]                               │
│ --debug                                              Enable debug output                                 │
│ --zip               -z                               Compress the JSON output files into a zip archive   │
│ --help                                               Show this message and exit.                         │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Example Usage

Parse ldapseach BOF results from Cobalt Strike logs (/opt/cobaltstrike/logs by default) to /data/

bofhound -o /data/

Parse pyldapsearch logs and only include all properties (vs other property levels)

bofhound -i ~/.pyldapsearch/logs/ --properties-level all

Parse LDAP Sentinel data from BRc4 logs (will change default input path to /opt/bruteratel/logs)

bofhound --parser brc4

Parse Havoc loot logs (will change default input path to /opt/havoc/data/loot) and zip the resulting JSON files

bofhound --parser havoc --zip

ldapsearch

Specify *,ntsecuritydescriptor as the attributes to return to be able to parse ACL edges. You are missing a ton of data if you don't include this in your ldapsearch queries!

Required Data

The following attributes are required for proper functionality:

samaccounttype
distinguishedname
objectsid

Some object classes rely on domain objects being populated within BOFHound. Domains can be queried with either of the following commands

ldapsearch (objectclass=domain) *,ntsecuritydescriptor
ldapsearch (distinguishedname=DC=windomain,DC=local) *,ntsecuritydescriptor

Example ldapsearch Queries

# Get All the Data (Maybe Run BloodHound Instead?)
ldapsearch (objectclass=*) *,ntsecuritydescriptor

# Retrieve All Schema Info
ldapsearch (schemaIDGUID=*) name,schemaidguid 0 3 "" CN=Schema,CN=Configuration,DC=windomain,DC=local

# Retrieve Only the ms-Mcs-AdmPwd schemaIDGUID
ldapsearch (name=ms-mcs-admpwd) name,schemaidguid 1 3 "" CN=Schema,CN=Configuration,DC=windomain,DC=local

# Retrieve Domain NetBIOS Names (useful if collecting data via `netsession2/netloggedon2` BOFs)
ldapsearch (netbiosname=*) * 0 3 "" "CN=Partitions,CN=Configuration,DC=windomain,DC=local"

# Unroll a group's nested members
ldapsearch (memberOf:1.2.840.113556.1.4.1941:=CN=TargetGroup,CN=Users,DC=windomain,DC=local) *,ntsecuritydescriptor

# Query domain trusts
ldapsearch (objectclass=trusteddomain) *,ntsecuritydescriptor

# Query across a trust
ldapsearch (objectclass=domain) *,ntsecuritydescriptor 0 3 dc1.trusted.windomain.local "DC=TRUSTED,DC=WINDOMAIN,DC=LOCAL"

#####
# Queries below populate objects for AD CS parsing

# Query the domain object
ldapsearch (objectclass=domain) *,ntsecuritydescriptor

# Query Enterprise CAs
ldapsearch (objectclass=pKIEnrollmentService) *,ntsecuritydescriptor 0 3 “” “CN=Configuration,DC=domain,DC=local”

# Query AIACAs, Root CAs and NTAuth Stores
ldapsearch (objectclass=certificationAuthority) *,ntsecuritydescriptor 0 3 “” “CN=Configuration,DC=domain,DC=local”

# Query Certificate Templates
ldapsearch (objectclass=pKICertificateTemplate) *,ntsecuritydescriptor 0 3 “” “CN=Configuration,DC=domain,DC=local”

# Query Issuance Policies
ldapsearch (objectclass=msPKI-Enterprise-Oid) *,ntsecuritydescriptor 0 3 “” “CN=Configuration,DC=domain,DC=local”

Versions

Check the tagged releases to download a specific version

  • v0.4.0 and onward support parsing AD CS objects and edges
  • v0.3.0 and onward support session/local group data
  • v0.2.1 and onward are compatible with BloodHound CE
  • v0.2.0 is the last release supporting BloodHound Legacy

Development

bofhound uses Poetry to manage dependencies. Install from source and setup for development with:

git clone https://github.com/fortalice/bofhound
cd bofhound
poetry install
poetry run bofhound --help

References and Credits

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

bofhound-0.4.3.tar.gz (46.3 kB view details)

Uploaded Source

Built Distribution

bofhound-0.4.3-py3-none-any.whl (64.4 kB view details)

Uploaded Python 3

File details

Details for the file bofhound-0.4.3.tar.gz.

File metadata

  • Download URL: bofhound-0.4.3.tar.gz
  • Upload date:
  • Size: 46.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.12.6 Darwin/24.0.0

File hashes

Hashes for bofhound-0.4.3.tar.gz
Algorithm Hash digest
SHA256 f90159fa65767554cda687a2b7cfc08d23304110f596b7d8956bf7d33988ad47
MD5 f65590f49691b25280d9e4da8daefe43
BLAKE2b-256 3390526c9ba34e8df753e998accfb8dbb66beea50af575f1942aecee25662d65

See more details on using hashes here.

File details

Details for the file bofhound-0.4.3-py3-none-any.whl.

File metadata

  • Download URL: bofhound-0.4.3-py3-none-any.whl
  • Upload date:
  • Size: 64.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.12.6 Darwin/24.0.0

File hashes

Hashes for bofhound-0.4.3-py3-none-any.whl
Algorithm Hash digest
SHA256 f23a7e4dec6944763b8bffd1b6e9ac54567249f3410cf840ed48dad596ac8e70
MD5 b2e033d38194f91ffd425fc6b0c01610
BLAKE2b-256 5acd73bb7e4f422dc056596334162fa46f4a098877627b585e867018ff478a5c

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page