SpecterOps / BloodHound

Six Degrees of Domain Admin
https://bloodhoundenterprise.io/
Apache License 2.0

There is no password in docker-compose output #659

Closed kamikazejunk closed 3 months ago

kamikazejunk commented 3 months ago

Question 1: There is no password output from docker-compose... Where is it?

Question 2: How do I set my own password during docker-compose instead of a random password?

Question 3: If I forget the password, how can I reset it?

    docker-compose up
    bloodhound_app-db_1 is up-to-date
    bloodhound_graph-db_1 is up-to-date
    Starting bloodhound_bloodhound_1 ... done
    Attaching to bloodhound_app-db_1, bloodhound_graph-db_1, bloodhound_bloodhound_1
    app-db_1 |
    app-db_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization
    app-db_1 |
    app-db_1 | 2024-06-20 05:32:31.195 UTC [1] LOG: starting PostgreSQL 13.2 (Debian 13.2-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
    app-db_1 | 2024-06-20 05:32:31.195 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
    app-db_1 | 2024-06-20 05:32:31.195 UTC [1] LOG: listening on IPv6 address "::", port 5432
    app-db_1 | 2024-06-20 05:32:31.197 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
    app-db_1 | 2024-06-20 05:32:31.201 UTC [25] LOG: database system was shut down at 2024-06-20 05:24:47 UTC
    app-db_1 | 2024-06-20 05:32:31.204 UTC [1] LOG: database system is ready to accept connections
    graph-db_1 | Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
    graph-db_1 | 2024-06-20 05:33:06.974+0000 INFO Starting...
    graph-db_1 | 2024-06-20 05:33:07.274+0000 INFO This instance is ServerId{5dbdd441} (5dbdd441-d6f2-4079-8d14-95c9cfff143b)
    graph-db_1 | 2024-06-20 05:33:08.080+0000 INFO ======== Neo4j 4.4.34 ========
    graph-db_1 | 2024-06-20 05:33:08.887+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
    graph-db_1 | 2024-06-20 05:33:08.887+0000 INFO Updating the initial password in component 'security-users'
    graph-db_1 | 2024-06-20 05:33:10.612+0000 INFO Bolt enabled on 0.0.0.0:7687.
    graph-db_1 | 2024-06-20 05:33:11.182+0000 INFO Remote interface available at http://localhost:7474/
    graph-db_1 | 2024-06-20 05:33:11.185+0000 INFO id: 6C6C7C14D5CEFF7E24133DD85807E519418E22153FF54A8BC60969357256B966
    graph-db_1 | 2024-06-20 05:33:11.185+0000 INFO name: system
    graph-db_1 | 2024-06-20 05:33:11.185+0000 INFO creationDate: 2024-03-23T12:47:16.55Z
    graph-db_1 | 2024-06-20 05:33:11.185+0000 INFO Started.
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.52075751Z","message":"Reading configuration found at /bloodhound.config.json"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.521275275Z","message":"Logging configured"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.542572634Z","message":"No database driver has been set for migration, using: neo4j"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.542658787Z","message":"Connecting to graph using Neo4j"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.56317595Z","message":"Executing SQL migrations for v5.8.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.574250144Z","message":"Executing SQL migrations for v5.8.1"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.582041195Z","message":"Executing SQL migrations for v5.8.2"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.599381222Z","message":"Executing SQL migrations for v5.11.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.614729209Z","message":"Permission permission://graphdb/Mutate created during migration"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.61490039Z","message":"Permission permission://db/Wipe created during migration"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.623678786Z","message":"Role Power User updated during migration"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.625540854Z","message":"Role Administrator updated during migration"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.643783644Z","message":"Feature flag clear_graph_data created"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.644107673Z","message":"Feature flag fedramp_eula created"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:27.645156929Z","message":"Feature flag risk_exposure_new_calculation created"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.037819318Z","message":"Adding index issuancepolicy_system_tags_index to labels IssuancePolicy on properties system_tags using lucene+native-3.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.119926839Z","message":"Adding index issuancepolicy_user_tags_index to labels IssuancePolicy on properties user_tags using lucene+native-3.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.134588129Z","message":"Adding index issuancepolicy_name_index to labels IssuancePolicy on properties name using lucene+native-3.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.148028976Z","message":"Adding index issuancepolicy_domainsid_index to labels IssuancePolicy on properties domainsid using native-btree-1.0"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.171501809Z","message":"Adding index issuancepolicy_tenantid_index to labels IssuancePolicy on properties tenantid using native-btree-1.0"}
    bloodhound_1 | {"level":"error","time":"2024-06-20T05:33:29.406515275Z","message":"Invalid neo4j configuration supplied; returning default values"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.406533242Z","message":"Analysis requested by init"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.408110121Z","message":"Starting daemon API Daemon"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.408127569Z","message":"Starting daemon Tools API"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.408130259Z","message":"Starting daemon Data Pruning Daemon"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.408133117Z","message":"Starting daemon Data Pipe Daemon"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:33:29.408135522Z","message":"Server started successfully"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:30.836309815Z","message":"Fetching group members for 11 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:30.996614704Z","message":"Collected 5 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.184428954Z","message":"Fetching group members for 8 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.225802189Z","message":"Collected 6 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.322524964Z","message":"Fetching group members for 10 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.35602826Z","message":"Collected 5 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.435942261Z","message":"Fetching group members for 11 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.498118476Z","message":"Collected 5 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.596848341Z","message":"Fetching group members for 11 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.663886777Z","message":"Collected 5 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.756563507Z","message":"Fetching group members for 2 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.756630052Z","message":"Collected 0 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.808844498Z","message":"Fetching group members for 11 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.867540986Z","message":"Collected 4 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.940450574Z","message":"Fetching group members for 1 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.94046347Z","message":"Collected 0 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.978958813Z","message":"Fetching group members for 1 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:31.979467853Z","message":"Collected 0 group members"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:32.016524539Z","message":"Fetching group members for 11 AD nodes"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:32.062080856Z","message":"Collected 5 group members"}
    bloodhound_1 | {"level":"info","elapsed":1436.142525,"time":"2024-06-20T05:34:32.114466452Z","message":"Finished tagging Active Directory Tier Zero"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:33.108490243Z","message":"Expanding all AD group and local group memberships"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:33.127220342Z","message":"Collected 397 groups to resolve"}
    bloodhound_1 | {"level":"info","elapsed":1072.709152,"time":"2024-06-20T05:34:34.181232344Z","message":"ResolveAllGroupMemberships"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:34.363958694Z","message":"Finished post-processing 87 active directory computers"}
    bloodhound_1 | {"level":"warn","time":"2024-06-20T05:34:34.61621294Z","message":"Error in PostCanAbuseWeakCertBinding: unable to fetch strongcertificatebindingenforcementraw property for node ID 1933: property strongcertificatebindingenforcementraw: property not found"}
    bloodhound_1 | {"level":"warn","time":"2024-06-20T05:34:34.618830023Z","message":"Error in PostCanAbuseWeakCertBinding: unable to fetch strongcertificatebindingenforcementraw property for node ID 2322: property strongcertificatebindingenforcementraw: property not found"}
    bloodhound_1 | {"level":"warn","time":"2024-06-20T05:34:34.623120507Z","message":"Error in PostCanAbuseUPNCertMapping: unable to fetch certificatemappingmethodsraw property for node ID 1933: property certificatemappingmethodsraw: property not found"}
    bloodhound_1 | {"level":"warn","time":"2024-06-20T05:34:34.626204384Z","message":"Error in PostCanAbuseUPNCertMapping: unable to fetch certificatemappingmethodsraw property for node ID 2322: property certificatemappingmethodsraw: property not found"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:35.068484845Z","message":"Finished building adcs cache"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:35.567655725Z","message":"Started Data Quality Stats Collection"}
    bloodhound_1 | {"level":"info","time":"2024-06-20T05:34:35.912603958Z","message":"Cache successfully reset by datapipe daemon"}
    bloodhound_1 | {"level":"info","elapsed":6416.996682,"measurement_id":1,"time":"2024-06-20T05:34:35.91262394Z","message":"Graph Analysis"}

kamikazejunk commented 3 months ago

I wonder why it sets a random password in neo4j instead of the default password "neo4j:neo4j", which the user changes later.

The docker install is so inconvenient, as it sets a random password first.

StephenHinck commented 3 months ago

The logs show that you were spinning up a previously created database; hence, an initial user password was not set. You'd need to re-use the previously set password. From your logs:

app-db_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization app

If you don't know the password, you have two options:

  1. Reset the installation: docker compose down -v
  2. Reset the password in PostgreSQL. The following would set the password for the account admin to the password admin:

    postgres=> select id from users where principal_name='admin';
           id
    -----------------
     long-uuid-value

    postgres=> update auth_secrets set digest='$argon2id$v=19$m=1048576,t=1,p=2$QUB3+B/dvvpbOYKT9Wr1EA==$3sV71u+fW4kX+euamzIgOQ==' where user_id='long-uuid-value';



If you would like to set a default password, you may do so in either the .env file (here: https://github.com/SpecterOps/BloodHound/blob/main/examples/docker-compose/.env.example#L12) or in the docker_compose.yaml (here: https://github.com/SpecterOps/BloodHound/blob/main/examples/docker-compose/docker-compose.yml#L22).
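
The digest in the UPDATE statement above is a $-delimited argon2id string: variant, version, cost parameters, salt and hash. As an added example (not part of this thread or of BloodHound's code), the parser below checks that such a string is well formed before it is pasted into auth_secrets; parse_argon2_digest and Argon2Digest are hypothetical names, and the only input is the digest quoted in the answer.

```python
import base64
import binascii
from dataclasses import dataclass

# Digest quoted in the answer above (the page says it sets the password "admin").
PAGE_DIGEST = "$argon2id$v=19$m=1048576,t=1,p=2$QUB3+B/dvvpbOYKT9Wr1EA==$3sV71u+fW4kX+euamzIgOQ=="

@dataclass(frozen=True)
class Argon2Digest:
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    tag: bytes

def _b64(field: str) -> bytes:
    # The digest on this page keeps '=' padding; many encoders drop it. Accept both.
    body = field.rstrip("=")
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 field {field!r}") from exc

def parse_argon2_digest(digest: str) -> Argon2Digest:
    """Hypothetical helper: split and sanity-check a digest before it goes into SQL."""
    parts = digest.split("$")
    if len(parts) != 6 or parts[0]:
        raise ValueError("expected $variant$v=N$m=..,t=..,p=..$salt$hash")
    _, variant, version, costs, salt, tag = parts
    if variant not in ("argon2id", "argon2i", "argon2d"):
        raise ValueError(f"unknown variant {variant!r}")
    if not version.startswith("v="):
        raise ValueError("missing v= field")
    cost = dict(item.split("=", 1) for item in costs.split(","))
    if set(cost) != {"m", "t", "p"}:
        raise ValueError("cost field must carry exactly m, t and p")
    d = Argon2Digest(variant, int(version[2:]), int(cost["m"]), int(cost["t"]),
                     int(cost["p"]), _b64(salt), _b64(tag))
    # RFC 9106 bounds: t >= 1, p >= 1, m >= 8*p KiB, tag >= 4 bytes.
    if d.time_cost < 1 or d.parallelism < 1 or d.memory_kib < 8 * d.parallelism:
        raise ValueError("cost parameters out of range")
    if not d.salt or len(d.tag) < 4:
        raise ValueError("salt or hash too short")
    return d

if __name__ == "__main__":
    d = parse_argon2_digest(PAGE_DIGEST)
    print(d.variant, d.version, f"{d.memory_kib // 1024} MiB", len(d.salt), len(d.tag))
```

For the digest on this page the parser reports argon2id, version 19, m=1048576 KiB (1 GiB), t=1, p=2, with a 16-byte salt and a 16-byte hash.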