DEV Community

Cover image for Setting up and Using BloodHound in Kali Linux
Adam Katora
Adam Katora

Posted on

Setting up and Using BloodHound in Kali Linux

BloodHound is a tool used to visualize and identify attack paths in Active Directory Domains. Being that AD is Windows based, some of the default tools for BloodHound (ie. SharpHound ingestor) only run on Windows. Fortunately, there are tools for Unix-like systems that allow us to easily work with BloodHound on Kali and other Linux machines.

It is important to note, that you will need a set of valid Domain Credentials (ie a Username & Password) for the ingestor to be able to run.

I'll be working on a fresh Virtualbox install of Kali, version 2022.1-amd64.

BloodHound Quick Overview

BloodHound consists of 2 main parts: 1.) an ingestor to enumerate / collect Active Directory Domain data. 2.) A GUI application to visualize the relationships between the Active Directory Domain data that was collected by the ingestor.

The GUI Application itself is an electron app backed by a neo4j graph database.


On Kali linux, the easiest way to get running with an ingestor is to use

Start by creating a new folder on your Desktop, I'm calling mine "BH_tut", this will just help us keep all our working files organized. Then, change directory to your newly created folder.

cd ~/Desktop
mkdir BH_tut && cd BH_tut
Enter fullscreen mode Exit fullscreen mode

Setting up our Folders

Next, we'll need to grab the source code for ingestor off github. In a web browser, open up Then, click the green "Code" button and select the Copy To Clipboard icon from the dropdown.

Get the link from Github

Back in your terminal, run the following command from within the "BH_Tut" folder to copy the source files to your local machine.

git clone
Enter fullscreen mode Exit fullscreen mode

Copy Repo to Local

Change directory into the newly downloaded, folder.

Enter fullscreen mode Exit fullscreen mode

Note: Typically, I'd reccommend spinning up a new Python virtual enviornment and installing and its dependencies into the venv as opposed to the system version of Python. However, as of Kali 2022.1 (maybe even earlier, I haven't tested any others) all the python packages required to run are pre-installed on the system version of Python.

If you follow along with the DBCreator section later on, we will end up needing to create a venv there.

You can confirming that is working by running:

Enter fullscreen mode Exit fullscreen mode

Without supplying any options to the program, you should just see the banner printed with all the available flags and options.

Confirm is working

With that up and running, we can focus on enumerating our AD Domain. It's time to get some data, or as I like to call it, release the hounds!
Release the Hounds!

Here's an example command of how you'd run on an Active Directory Domain.

./ -c All -u [username] -p [password] -dc [domain controller domain name] -d [domain name] -ns [nameserver ip] 
Enter fullscreen mode Exit fullscreen mode


  • Collection Method: '-c'
    • We'll set to all to save everything that BloodHound can grab
  • Username: '-u'
    • The username of an active user account in this Active Directory Domain
  • Password: -p
    • The password for the above user account
  • Domain Controller (Domain Name not IP): '-dc'
    • The domain name of the Domain Controller (typically follows the pattern of 'dc.[domain].com'), this won't work if you just supply the IP address of the domain controller
  • Domain (Domain Name not IP): '-d'
    • The name of the Active Directory domain (Taking the above example, this typically would be the same as above without the dc. subdomain, ie '[domain].com')
  • Name Server (IP Address): '-ns'
    • Here, you can specify a custom nameserver IP Address to resolve the above -dc & -d flags to.

I ran my on a HackTheBox machine I was working on, it's a retired box, but I still kept some info redacted to avoid any spoilers.

Here's what your directory will look similar too after successfully enumerating an AD Domain.


As you can see, separate .json files have been created for each of the categories of collection items was able to enumerate through.

Generating Sample data w/ DBCreator

NOTE: This shows how to generate sample data, but also covers installing neo4j, which is required to run BloodHound. If you already collected data with an ingestor, feel free to skip ahead to the point where I've written "Neo4j Installation", and make sure you install neo4j on your Kali machine.

If you don't currently have an AD Domain you can run in, no worries, we can use BloodHound Database Creator to generate some sample data.

Start by going to the BloodHound-Tools Github Repo and grabbing the clone link like we did above for

Then, clone that repo into the "BH_tut" folder.

git clone
Enter fullscreen mode Exit fullscreen mode

Once that finshes downloading, change directory into the "BloodHound-Tools" directory and then the "DBCreator" directory inside that

cd BloodHound-Tools
cd DBCreator
Enter fullscreen mode Exit fullscreen mode

Now, we will create a new Python venv to install the DBCreator depencies as these aren't all in the default system Python.

Ensure that the venv module is installed on your Kali machine by running

sudo apt update
sudo apt install python3 python3-venv
Enter fullscreen mode Exit fullscreen mode

With that installed, create the new venv by running:

python3 -m venv venv
Enter fullscreen mode Exit fullscreen mode

Then, activate the venv by running:

source venv/bin/activate
Enter fullscreen mode Exit fullscreen mode

Then install the dependencies for DBCreator by running:

pip install -r requirements.txt
Enter fullscreen mode Exit fullscreen mode

NOTE: I hit an issue running the generate command. According to the BloodHound-Tools github issues, it seems as if I wasn't the only one.

The workaround I found was to download this updated file, and replace the existing file with that new one.

After swapping out those files I was able to sucessfully run the generate command from DBCreator.

DBCreator is now installed, but we still need a neo4j instance running for the generator to save our sample data to

Neo4j Installation

Install neo4j from the apt repository with:

sudo apt install neo4j
Enter fullscreen mode Exit fullscreen mode

Installing Neo4j

After installation completes, start neo4j with the following command:

sudo neo4j console
Enter fullscreen mode Exit fullscreen mode

Starting Neo4j

Then navigate to localhost:7474. Login with the default credentials

username: neo4j 
password: neo4j
Enter fullscreen mode Exit fullscreen mode

Neo4j First Login

After you've successfully logged in with the default credentials, you'll be prompted to change the password. I've opted to go with kalilinux for the new password.

Neo4j Change Password

Return to the terminal that you installed DBCreator in. Ensure that the venv is activated (that's the venv/bin/activate command), then run:

Enter fullscreen mode Exit fullscreen mode

You'll see a banner "BloodHound Sample Database Creator" and (CMD) appear at the bottom of the terminal. This is where we can set the neo4j configuration options. Type the following command:

Enter fullscreen mode Exit fullscreen mode

You'll be promted for the DB url: the default value

 should work, hit enter.

For DB Username, `neo4j`, the default is correct.  

For DB Password, supply the new password we created, `kalilinux`.

And finally, No, to "Use encryption".

![Running DBCreator](

After hitting "enter" you should see a message "Database Connection Successful!", after which, you can run the command `generate`. (If you hit an error with generate don't forget the updated file from above)

![Running the DBCreator Generate Command](

Now our neo4j database is seeded with sample data and we're ready to install the BloodHound GUI app.


## Installing BloodHound w/ Pre-Compiled Binaries  

**Note: Don't install the version of BloodHound from the apt repository. It's not maintained by the BloodHoun dev team and as such might be out of date**

Navigate to the [BloodHound Github Repo]( at []( On the right-hand sidebar, you should see a heading titled "Releases". Immediately below that should be the latest release available. Click to navigate to the binaries page for that.  

Scroll down to the "Assets" list where you should see a zip download for Linux x64. Download that zip to your Kali machine.

Move or copy the downloaded file from your downloads folder, to our BH_tut folder on the Desktop. 

**NOTE:** For this write-up, I'm just installing BloodHound in our BH_tut folder. In the real-world, you should install programs such as this into the Linux /opt directory, ie /opt/BloodHound.

cp ~/Downloads/ ~/Desktop/BH_tut/
Enter fullscreen mode Exit fullscreen mode

Then, from the BH_tut directory, unzip the file and once it's completed unzipped, change into the newly created directory.

cd BloodHound-linux-x64
Enter fullscreen mode Exit fullscreen mode

Ensure that the 'BloodHound' file is executable.

sudo chmod 770 BloodHound
Enter fullscreen mode Exit fullscreen mode

Then run the program with:

Enter fullscreen mode Exit fullscreen mode

You'll see the BloodHound login screen and be prompted to supply the neo4j credentials that we created earlier. We kept our username the default at neo4j, and set the password to kalilinux.

BloodHound First Login

If you followed along with the DBCreator setup, once logged in you should see a data graph with your sample data loaded up. To view some of the pre-built analysis queries, click "Search Node" dropdown, then "Analysis" tab, then choose one of the pre-built queries to view.

DBCreator Sample Data

If you used an ingestor to get your data, we still have one more step to load up the data into our neo4j database.

Navigate back to your folder, and find the .json files that were created earlier. With the BloodHound application window open, click and drag (hold ctrl to select multiple files) the .json files into BloodHound.

You'll see an uploads progress window. Once all of the uploads reach 100% upload completion, feel free to close the window. If you click the "Search for a node" toggle dropdown, then the analysis tab, the pre-built queries should work for however much data your ingestor was able to find.

Ingestor Data

This walkthrough is certainly only scratching the surface of what's possible with BloodHound. I myself am looking forward to digging into the Analysis queries in more depth, and depending on what I learn, hopefully write a follow-up on that. Hopefully, this is able to help new pentesters looking to get started with AD & BloodHound though.

Top comments (0)