Overview ¶
Package bloodhound provides BloodHound data processing and collection capabilities. It handles conversion of LDAP data to BloodHound format and remote data collection from Active Directory environments.
Index ¶
- Constants
- type BH
- func (bh *BH) CollectRemoteEnterpriseCA(step int, targets []EnterpriseCACollectionTarget, collector *RemoteCollector)
- func (bh *BH) GetCurrentWriter(kind string) (*BHFormatWriter, error)
- func (bh *BH) GetPaths(fileKey string) ([]string, error)
- func (bh *BH) Init(ldapFolder string, activeFolder string, outputFolder string, ...)
- func (bh *BH) IsAborted() bool
- func (bh *BH) LoadSchemaInfo(step int)
- func (bh *BH) PerformConversion()
- func (bh *BH) PerformRemoteCollection(auth *config.CredentialMgr)
- func (bh *BH) ProcessConfiguration(step int)
- func (bh *BH) ProcessDomain(step int)
- func (bh *BH) ProcessObjects(fileNames []string, kind string, step int) int
- func (bh *BH) RequestAbort() bool
- func (bh *BH) ResetAbortFlag()
- type BHFilesMap
- type BHFormatWriter
- type CAEnrollmentProcessor
- type CertAbuseProcessor
- func (cap *CertAbuseProcessor) GetCASecurity(caName string) builder.RegistryAPIResult
- func (cap *CertAbuseProcessor) GetEnrollmentAgentRights(caName string) builder.RegistryAPIResult
- func (cap *CertAbuseProcessor) IsRoleSeparationEnabled(caName string) builder.BoolRegistryAPIResult
- func (cap *CertAbuseProcessor) IsUserSpecifiesSanEnabled(caName string) builder.BoolRegistryAPIResult
- func (cap *CertAbuseProcessor) ProcessEAPermissions(ctx context.Context, caName string, computerName string, ...) builder.EnrollmentAgentRegistryAPIResult
- func (cap *CertAbuseProcessor) ProcessRegistryEnrollmentPermissions(ctx context.Context, caName string, computerName string, ...) builder.AceRegistryAPIResult
- type CollectionTarget
- type ConversionUpdate
- type EnterpriseCACollectionTarget
- type EnterpriseCARemoteCollectionResult
- type RemoteCollectionResult
- type RemoteCollectionUpdate
- type RemoteCollector
- func (rc *RemoteCollector) CollectRemoteComputer(target CollectionTarget) RemoteCollectionResult
- func (rc *RemoteCollector) CollectRemoteComputerWithContext(ctx context.Context, target CollectionTarget) RemoteCollectionResult
- func (rc *RemoteCollector) CollectRemoteEnterpriseCA(target EnterpriseCACollectionTarget) EnterpriseCARemoteCollectionResult
- func (rc *RemoteCollector) CollectRemoteEnterpriseCAWithContext(ctx context.Context, target EnterpriseCACollectionTarget) EnterpriseCARemoteCollectionResult
- func (rc *RemoteCollector) ProcessLocalGroupMembers(ctx context.Context, localMembers []string, machineSid string, ...) ([]builder.TypedPrincipal, []builder.NamedPrincipal)
Constants ¶
const ( // Computer availability error messages ErrorNonWindowsOS = "NonWindowsOS" ErrorNotActive = "NotActive" ErrorPortNotOpen = "PortNotOpen" // Default thresholds DefaultPasswordAgeThreshold = 60 * 24 * time.Hour // 60 days SMBPort = 445 )
const CURRENT_BH_VER = 5
CURRENT_BH_VER is the BloodHound JSON schema version this tool generates.
const TotalConversionSteps = 11
PerformConversion transforms LDAP data to BloodHound JSON format with progress tracking.
const (
TotalRemoteSteps = 6
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BH ¶
type BH struct {
FilesMap BHFilesMap
Timestamp string
LdapFolder string
OutputFolder string
ActiveFolder string
Logger *core.Logger
RuntimeOptions *config.RuntimeOptions
Resolver *net.Resolver
RemoteWorkers int
DNSWorkers int
RemoteComputerTimeout time.Duration
RemoteMethodTimeout time.Duration
RemoteWriteBuff int
RemoteComputerCollection map[string]*RemoteCollectionResult
RemoteEnterpriseCACollection map[string]*EnterpriseCARemoteCollectionResult
ConversionUpdates chan<- core.ConversionUpdate
RemoteCollectionUpdates chan<- core.RemoteCollectionUpdate
// contains filtered or unexported fields
}
BH orchestrates BloodHound data conversion and remote collection operations. It maintains state for ingestion paths, output locations, and runtime configuration.
func (*BH) CollectRemoteEnterpriseCA ¶ added in v0.2.0
func (bh *BH) CollectRemoteEnterpriseCA(step int, targets []EnterpriseCACollectionTarget, collector *RemoteCollector)
CollectRemoteEnterpriseCA sets up encoding and delegates to collectEnterpriseCAData.
func (*BH) GetCurrentWriter ¶
func (bh *BH) GetCurrentWriter(kind string) (*BHFormatWriter, error)
GetCurrentWriter creates a new BloodHound format writer for the specified object kind. NOTE: not thread-safe; callers must serialize access.
func (*BH) GetPaths ¶
GetPaths retrieves the file paths for a given logical file key within the LDAP data folder.
func (*BH) Init ¶
func (bh *BH) Init(ldapFolder string, activeFolder string, outputFolder string, customResolver *net.Resolver, remoteWorkers int, dnsWorkers int, remoteComputerTimeout time.Duration, remoteMethodTimeout time.Duration, runtimeOptions *config.RuntimeOptions, logger *core.Logger)
Init initializes the BloodHound processor with the necessary parameters.
func (*BH) LoadSchemaInfo ¶
LoadSchemaInfo loads schema information from the schema file.
func (*BH) PerformConversion ¶
func (bh *BH) PerformConversion()
func (*BH) PerformRemoteCollection ¶
func (bh *BH) PerformRemoteCollection(auth *config.CredentialMgr)
PerformRemoteCollection gathers data from computers and CAs using RPC and HTTP.
func (*BH) ProcessConfiguration ¶
ProcessConfiguration processes configuration entries for PKI objects.
func (*BH) ProcessDomain ¶
ProcessDomain reads domain entries and creates a domain JSON file.
func (*BH) ProcessObjects ¶
func (*BH) RequestAbort ¶
RequestAbort sets the abort flag if it has not been set already.
func (*BH) ResetAbortFlag ¶
func (bh *BH) ResetAbortFlag()
ResetAbortFlag clears any pending abort request.
type BHFilesMap ¶
BHFilesMap maps logical file keys to their physical filenames for LDAP ingestion data.
func NewBHFilesMap ¶
func NewBHFilesMap() BHFilesMap
NewBHFilesMap creates a new file map with standard LDAP data file names.
type BHFormatWriter ¶
type BHFormatWriter struct {
// contains filtered or unexported fields
}
BHFormatWriter writes BloodHound JSON objects with streaming and buffering.
func NewBHFormatWriter ¶
func NewBHFormatWriter(filename, typeName string, version int, bufferSize int) (*BHFormatWriter, error)
NewBHFormatWriter creates a buffered writer for BloodHound JSON output.
func (*BHFormatWriter) Add ¶
func (w *BHFormatWriter) Add(obj any) error
func (*BHFormatWriter) Close ¶
func (w *BHFormatWriter) Close() error
type CAEnrollmentProcessor ¶
type CAEnrollmentProcessor struct {
// contains filtered or unexported fields
}
CAEnrollmentProcessor scans CA web enrollment endpoints for NTLM authentication vulnerabilities and channel binding weaknesses.
func NewCAEnrollmentProcessor ¶
func NewCAEnrollmentProcessor(caDnsHostname, caName string, auth *config.CredentialMgr, log chan<- string) *CAEnrollmentProcessor
NewCAEnrollmentProcessor creates an enrollment scanner for the given CA.
func (*CAEnrollmentProcessor) ScanCAEnrollmentEndpoints ¶
func (p *CAEnrollmentProcessor) ScanCAEnrollmentEndpoints(ctx context.Context) ([]builder.CAEnrollmentEndpointAPIResult, error)
ScanCAEnrollmentEndpoints probes both web enrollment and web service endpoints for NTLM vulnerabilities (ESC8) and channel binding issues.
type CertAbuseProcessor ¶
type CertAbuseProcessor struct {
// contains filtered or unexported fields
}
CertAbuseProcessor collects and processes certificate authority security data, including enrollment permissions and related abuse vectors.
func NewCertAbuseProcessor ¶
func NewCertAbuseProcessor(domain string, msrpcObj *msrpc.WinregRPC, auth *config.CredentialMgr) *CertAbuseProcessor
NewCertAbuseProcessor creates a processor for the specified domain.
func (*CertAbuseProcessor) GetCASecurity ¶
func (cap *CertAbuseProcessor) GetCASecurity(caName string) builder.RegistryAPIResult
GetCASecurity retrieves the CA security registry value from the remote machine.
func (*CertAbuseProcessor) GetEnrollmentAgentRights ¶
func (cap *CertAbuseProcessor) GetEnrollmentAgentRights(caName string) builder.RegistryAPIResult
GetEnrollmentAgentRights retrieves the EnrollmentAgentRights registry value from the remote machine.
func (*CertAbuseProcessor) IsRoleSeparationEnabled ¶
func (cap *CertAbuseProcessor) IsRoleSeparationEnabled(caName string) builder.BoolRegistryAPIResult
IsRoleSeparationEnabled checks whether role separation is enabled on the CA.
func (*CertAbuseProcessor) IsUserSpecifiesSanEnabled ¶
func (cap *CertAbuseProcessor) IsUserSpecifiesSanEnabled(caName string) builder.BoolRegistryAPIResult
IsUserSpecifiesSanEnabled checks whether a requesting user can specify an arbitrary SAN in the certificate request.
func (*CertAbuseProcessor) ProcessEAPermissions ¶
func (cap *CertAbuseProcessor) ProcessEAPermissions( ctx context.Context, caName string, computerName string, computerObjectId string, objectDomain string, ) builder.EnrollmentAgentRegistryAPIResult
ProcessEAPermissions retrieves enrollment agent restrictions from a CA.
func (*CertAbuseProcessor) ProcessRegistryEnrollmentPermissions ¶
func (cap *CertAbuseProcessor) ProcessRegistryEnrollmentPermissions( ctx context.Context, caName string, computerName string, computerObjectId string, objectDomain string, ) builder.AceRegistryAPIResult
ProcessRegistryEnrollmentPermissions retrieves CA security from the registry, including ownership and management rights ACEs.
type CollectionTarget ¶
type CollectionTarget struct {
SID string
DNSHostName string
SamName string
IPAddress string
IsDC bool
Domain string
OperatingSystem string
PwdLastSet int64
LastLogonTimestamp int64
}
CollectionTarget identifies a computer for remote data collection.
type ConversionUpdate ¶
type ConversionUpdate = core.ConversionUpdate
type EnterpriseCACollectionTarget ¶
type EnterpriseCACollectionTarget struct {
GUID string
DNSHostName string
CAName string
Domain string
IPAddress string
}
EnterpriseCACollectionTarget identifies a CA for remote data collection.
type EnterpriseCARemoteCollectionResult ¶
type EnterpriseCARemoteCollectionResult struct {
GUID string `json:"GUID"`
CARegistryData builder.CARegistryData `json:"CARegistryData"`
HttpEnrollmentEndpoints []builder.CAEnrollmentEndpointAPIResult `json:"HttpEnrollmentEndpoints"`
HostingComputer string `json:"HostingComputer"`
}
EnterpriseCARemoteCollectionResult holds data collected remotely from a CA.
type RemoteCollectionResult ¶
type RemoteCollectionResult struct {
SID string `json:"SID"`
LocalGroups []builder.LocalGroupAPIResult `json:"LocalGroups"`
Sessions builder.SessionAPIResult `json:"Sessions"`
PrivilegedSessions builder.SessionAPIResult `json:"PrivilegedSessions"`
RegistrySessions builder.SessionAPIResult `json:"RegistrySessions"`
DCRegistryData builder.DCRegistryData `json:"DCRegistryData"`
NTLMRegistryData builder.NTLMRegistryData `json:"NTLMRegistryData"`
UserRights []builder.UserRightsAPIResult `json:"UserRights"`
IsWebClientRunning builder.IsWebClientRunningAPIResult `json:"IsWebClientRunning"`
LdapServices builder.LdapServicesResult `json:"LdapServices"`
SMBInfo *builder.SMBInfoAPIResult `json:"SMBInfo"`
Status builder.ComputerStatus `json:"Status"`
}
RemoteCollectionResult holds all data collected remotely from a computer.
func (*RemoteCollectionResult) StoreInComputer ¶
func (rcr *RemoteCollectionResult) StoreInComputer(computer *builder.Computer)
type RemoteCollectionUpdate ¶
type RemoteCollectionUpdate = core.RemoteCollectionUpdate
type RemoteCollector ¶
type RemoteCollector struct {
RuntimeOptions *config.RuntimeOptions
RemoteMethodTimeout time.Duration
// contains filtered or unexported fields
}
RemoteCollector executes remote data collection from AD computers and CAs.
func NewRemoteCollector ¶
func NewRemoteCollector(authenticator *config.CredentialMgr, runtimeOptions *config.RuntimeOptions, methodTimeout time.Duration, logger *core.Logger) *RemoteCollector
NewRemoteCollector creates a collector with the given credentials and options.
func (*RemoteCollector) CollectRemoteComputer ¶
func (rc *RemoteCollector) CollectRemoteComputer(target CollectionTarget) RemoteCollectionResult
func (*RemoteCollector) CollectRemoteComputerWithContext ¶ added in v0.2.0
func (rc *RemoteCollector) CollectRemoteComputerWithContext(ctx context.Context, target CollectionTarget) RemoteCollectionResult
CollectRemoteComputerWithContext wraps CollectRemoteComputer with hard timeout enforcement.
func (*RemoteCollector) CollectRemoteEnterpriseCA ¶
func (rc *RemoteCollector) CollectRemoteEnterpriseCA(target EnterpriseCACollectionTarget) EnterpriseCARemoteCollectionResult
func (*RemoteCollector) CollectRemoteEnterpriseCAWithContext ¶ added in v0.2.0
func (rc *RemoteCollector) CollectRemoteEnterpriseCAWithContext(ctx context.Context, target EnterpriseCACollectionTarget) EnterpriseCARemoteCollectionResult
CollectRemoteEnterpriseCAWithContext wraps CollectRemoteEnterpriseCA with hard timeout enforcement.
func (*RemoteCollector) ProcessLocalGroupMembers ¶
func (rc *RemoteCollector) ProcessLocalGroupMembers(ctx context.Context, localMembers []string, machineSid string, machineHost string, isDC bool, domain string) ([]builder.TypedPrincipal, []builder.NamedPrincipal)
Helpers
Source Files
- bh_conversion.go
- bh_core.go
- bh_helpers.go
- bh_remote.go
- bh_writer.go
- caenrollment.go
- certabuse.go
- remote_availability.go
- remote_computers.go
- remote_dcregistry.go
- remote_enterpriseca.go
- remote_ldapservices.go
- remote_localgroups.go
- remote_ntlmregistry.go
- remote_privsessions.go
- remote_regsessions.go
- remote_sessions.go
- remote_smbinfo.go
- remote_userrights.go
- remote_webclient.go