BloodHoundAnalyzer is a bash script designed to automate the collection, deployment, import, and analysis of BloodHound, an Active Directory (AD) security tool. This script facilitates the collection of BloodHound data, setup and teardown of a BloodHound instance, import of data, and running various analysis tools on the collected data.
Before using BloodHoundAnalyzer, ensure you have the following tools installed:
- python3
- docker and docker-compose (for BloodHoundCE version)
- neo4j (for old BloodHound version)
Run the install.sh script to install the following tools:
- bloodhound-python: Collects Active Directory data.
- bloodhound-automation: Automates deployment of BloodHoundCE.
- AD-miner: Runs analysis and generates an AD miner report.
- GoodHound: Runs GoodHound analysis.
- Ransomulator: Runs the ransomulator script.
- BloodHound QuickWin: Runs the BloodHoundQuickWin script.
- PlumHound: Runs PlumHound tasks and short path analyses.
chmod +x ./install.sh
./install.shRun the script with one or more of the modules as detailed below. Make sure to have the necessary permissions to execute Docker or run Neo4j.
chmod +x ./BloodHoundAnalyzer.sh
./BloodHoundAnalyzer.sh [OPTIONS]-
-d, --domain DOMAIN
Specify the AD domain to analyze (required for BloodHoundCE and for Collection). -
-u, --username
Username (required for Collection only). -
-p, --password
Password - NTLM authentication (required for Collection only). -
-H, --hash
LM:NT - NTLM authentication (alternative to password, used for Collection only). -
-K, --kerb
Location to Kerberos ticket './krb5cc_ticket' - Kerberos authentication (alternative to password, used for Collection only). -
-A, --aes
AES Key - Kerberos authentication (alternative to password, used for Collection only). -
--dc
IP Address of Target Domain Controller (required for Collection only). -
-o, --output OUTPUT_DIR
Specify the directory where analysis results will be saved. Defaults to the current directory. -
-D, --data DATA_PATH
Specify the path to the BloodHound ZIP file to import. -
-M, --modules MODULES
Comma separated modules to execute between:- collect: Run bloodHound-python to collect Active Directory data.
- list : List available projects (only for BloodHoundCE).
- start : Start BloodHoundCE containers or neo4j.
- run : Run BloodHound GUI or Firefox with BloodHoundCE webpage.
- import : Import BloodHound data into the neo4j database.
- analyze : Run analysis tools (AD-miner, GoodHound, Ransomulator, PlumHound) on the imported data.
- stop : Stop BloodHoundCE containers or neo4j.
- clean : Stop and delete BloodHoundCE containers (only for BloodHoundCE).
-
--old
Use the old version of BloodHound. -
--oldpass
Specify Neo4j password for the old version of BloodHound. -
-h, --help
Display the help message.
./BloodHoundAnalyzer.sh -M collect -d example.com -u user -p password./BloodHoundAnalyzer.sh -M list./BloodHoundAnalyzer.sh -M start -d example.com
./BloodHoundAnalyzer.sh -M start --old./BloodHoundAnalyzer.sh -M run
./BloodHoundAnalyzer.sh -M run --old./BloodHoundAnalyzer.sh -M import,analyze -d example.com --data /path/to/bloodhound/data.zip -o /path/to/output
./BloodHoundAnalyzer.sh -M import,analyze --data /path/to/bloodhound/data.zip --old -o /path/to/output./BloodHoundAnalyzer.sh -M analyze -d example.com -o /path/to/output
./BloodHoundAnalyzer.sh -M analyze --old -o /path/to/output./BloodHoundAnalyzer.sh -M stop -d example.com
./BloodHoundAnalyzer.sh -M stop --old./BloodHoundAnalyzer.sh -M clean -d example.comThis project is licensed under the terms of the MIT license.
BloodHoundAnalyzer uses the following tools:
- https://github.com/dirkjanm/BloodHound.py
- https://github.com/Tanguy-Boisset/bloodhound-automation
- https://github.com/Mazars-Tech/AD_Miner
- https://github.com/PlumHound/PlumHound
- https://github.com/idnahacks/GoodHound
- https://github.com/zeronetworks/BloodHound-Tools/blob/main/Ransomulator
- https://github.com/kaluche/bloodhound-quickwin