BloodhoundCE owned new tag

[derekkddj]

Description

The new BloodhoundCE uses a system_tags to add if the user or computer is owned. This tag is used too for "high" value targets.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Python 3.10.12
BloodhoundCE 7.1.0v
I made test in my local enviroment but with production data. The only problem is that you can not set the node as "not owned" from the WEB interface, but this seems a problem with BloodhoundCE not with NeteExec.

Screenshots (if appropriate):

No scrrenshoot, the data is in producction.

Checklist:

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary
• New and existing e2e tests pass locally with my changes
• My code follows the style guidelines of this project (should be covered by Ruff above)
• If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the PR! Gonna take a look at it soon

[derekkddj]

After the PR I opened a Bug in BloodhoundCE, and they told me that this method of updating the owned tag via connection to Neo4J directly is not supported.
SpecterOps/BloodHound#1276 (comment)
We should use the API of BloodhoundCE

[NeffIsBack]

Hi, thanks for the PR.

I can confirm the inconsistency between the database and the UI:

And it doesn't surprise me they don't support messing with the database under the hood :D
But talking to the bloodhound API is likely much more complex and would require to either log in on every request or to maintain the state between NetExec runs (due to the API token), which is not really feasible.
Imo we should take a look at what the api call does under the hood to the database and mimic this behavior. Would probably the easiest solution.

[mpgn]

This is expected as the package we are using doesn't support bloodhound CE, only legacy BH is supported

[derekkddj]

Hi, thanks for the PR.

I can confirm the inconsistency between the database and the UI:

And it doesn't surprise me they don't support messing with the database under the hood :D But talking to the bloodhound API is likely much more complex and would require to either log in on every request or to maintain the state between NetExec runs (due to the API token), which is not really feasible. Imo we should take a look at what the api call does under the hood to the database and mimic this behavior. Would probably the easiest solution.

Yes, looking at the changes in the database made from Bloodhound would be perfect, maybe i will check this when i have time.
At least changing the tags in the database directly allows for the queries in BloodHoundCE to works, likes "sohortest path from owned..."

[exploide]

I think accessing the database directly would be rather fragile. One change by the BHCE developers and it breaks apart. The API is exactly intended for the integration between BloodHound and external tools like NetExec. Additional reason: In the long term, they plan to remove Neo4j and instead Postgres (with a Cypher adapter) should be used even as the graph database.

So a clean solution would be to use the API, but yes, this is probably more work.
It does not necessarily require you to login on every request or to maintain state. Currently, you already use a config file for BloodHound (or rather Neo4j) access data. This could (in a BHCE mode) take an API token the user puts in the file instead of a password. API tokens can be generated on the BHCE user settings page.

In general, feel free to copy relevant portions of the code from my Python tool bhcli. (or try to use it as a library?)
I think you are mostly interested in:

• how to send API requests
• how to get asset groups (like owned, admin_tier0, ...)
• how to add objects to an asset group
• how to do a Cypher query via the API
• my implementation of a bulk mark as owned

[NeffIsBack]

@exploide well, in the long run you might be right. Switching to the API is probably the best idea.

@derekkddj Thanks for the work! I will check it out how it works soon!

[derekkddj]

@exploide well, in the long run you might be right. Switching to the API is probably the best idea.

@derekkddj Thanks for the work! I will check it out how it works soon!

I just copy-paste the brillian API of @exploide

[mpgn]

could be renamed Bloodhound-Legacy
then change bloodhound package into bloodhound-ce into pyproject.toml
bloodhound-ce is by default, if user wants legacy, he just need to set BloodhoundAPI to false and BloodhoundLegacy to True

in combinaison with #664 it's perfect

imo

[derekkddj]

yes, we could merge the two ideas , to use the new collection method and to use the API to update the "owned" users and machines.

[NeffIsBack]

So i guess we'll wait until #664 is merged and then integrate the new bh ce connector 👍