
Integration of Bloodhound Community Edition #300

Open
alcastronic opened this issue Aug 27, 2023 · 9 comments

Comments

@alcastronic
Contributor

Hi there, this is more of a question/feature request.

Are there plans already to integrate the BloodHound Community Edition with RedELK?
It seems that SpecterOps has deprecated the original BloodHound repo.

Are there any dependencies from RedELK to the BloodHound version that could prevent "just plugging in" the Community Edition?

@MarcOverIP
Member

Valid point. We should move to the new Community Edition. You agree @fastlorenzo?

On a high level this should not be too hard I believe: just use the new docker container from them and test. Feel free to add a PR if you see the time.

@fastlorenzo
Collaborator

@MarcOverIP agreed indeed, in the past I've made a small container that was taking SharpHound's JSON/ZIP files as input from a mount and was ingesting them directly into Neo4j.
The BloodHound Community Edition looks like a great enhancement to RedELK!
FYI - it would require updating the Kibana app to embed it in the view.

@alcastronic
Contributor Author

I'll have a look into it and prepare a PR for the RedELK part first. I think it might make sense to integrate the full stack, e.g. not only the Neo4J db but also the new WebApp with another postgresql db. That would spawn three new dockers and it would be required to expose the Bloodhound WebApp via nginx. The app should be able to handle auth itself.

Looking at https://github.com/SpecterOps/BloodHound/blob/main/examples/docker-compose/README.md this should be fairly simple to integrate.

@alcastronic
Contributor Author

I have it mostly done, there is however one issue with the reverse proxy support of the Bloodhound Community Edition as it wants to be served from the root directory, e.g. https://127.0.0.1/ui/login, so something like https://127.0.0.1/bloodhound/ui/login will not work. It is still possible to serve it on port 8080 as the Neo4J Browser but that would be over HTTP.

I have opened an issue, SpecterOps/BloodHound#94, maybe there is a way to change the root url altogether.

@alcastronic
Contributor Author

I have started the Bloodhound WebApp on port 8443, since the route can not be changed out-of-the-box.
There is still an error that I need to investigate further before opening a PR, the Explore dashboard fails with the following error.

[screenshot]

@MarcOverIP
Member

Any help we can provide you on this?

@alcastronic
Contributor Author

It seems that the app is working now, I'll do some cleanup and then open a PR so someone can test it.

@alcastronic
Contributor Author

Current status:

  • Ingestion of data works.

    [screenshot]

  • Data is present:

    [screenshot]

  • For me, the pre-built Cypher queries did not return any data.

  • Connection with Bloodhound (Version: 4.3.1) to neo4j works:

    [screenshot]

  • Other apps are working as well:
    • jupyter
    • neo4j browser
    • redelk dashboard

  • When the limited flag is present only RedELK is installed.

    ```
    Done with base setup of RedELK on ELK server
    You can now login to the following interfaces:
      - Main RedELK Kibana interface on port 443 (user: redelk, pass:[...])
    ```

    The include for the bloodhound server is commented out when limited is present.

  • When the limited flag is absent everything is installed for bloodhound including:
    • postgresql
    • neo4j
    • bloodhound-app

  • The login information for the previous apps and the bloodhound-community-ui is shown.

    ```
    Done with base setup of RedELK on ELK server
    You can now login to the following interfaces:
      - Main RedELK Kibana interface on port 443 (user: redelk, pass:[...])
      - Jupyter notebooks on /jupyter (user: redelk, pass:[...])
      - Bloodhound community edition on https port 8443 (user: admin, pass:[...])
      - Neo4J Browser port 7473 (user: neo4j, pass:[...])
      - Neo4J using the BloodHound app on port 7687 (user: neo4j, pass:[...])
    ```

  • [ ] The credentials file shows the appropriate credentials

    ```
    # passwords used by RedELK installation - NOT A CONFIG FILE! - passwords are defined in .env file
    CredHtaccessUsername = "redelk"
    CredHtaccessPassword = "[...]"
    CredESUsername = "elastic"
    CredESPassword = "[...]"
    CredNeo4jUsername = "neo4j"
    CredNeo4jPassword = "[...]"
    CredBloodhoundAdminEmail = ""
    CredBloodhoundUsername = "admin"
    CredBloodhoundPassword = "[...]"
    CredPostgresUsername = "bloodhound"
    CredPostgresPassword = ""
    ```

The Postgres password is missing in the creds file; it is properly set in the .env file.
When the Let's Encrypt e-mail is not set, the BloodhoundAdmin e-mail is empty as well.

@alcastronic
Contributor Author

The Postgres password issue was resolved and PR #304 was opened.
