outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

Integration of Bloodhound Community Edition #300

Open alcastronic opened 1 year ago

alcastronic commented 1 year ago

Hi there, this is more of a question/feature request.

Are there plans already to integrate the BloodHound Community Edition with RedELK? It seems that SpecterOps has deprecated the original BloodHound repo.

Are there any dependencies from RedELK to the BloodHound version that could prevent "just plugging in" the Community Edition?

MarcOverIP commented 1 year ago

Valid point. We should move to the new Community Edition. You agree @fastlorenzo?

On a high level this should not be too hard I believe: just use the new docker container from them and test. Feel free to add a PR if you see the time.

fastlorenzo commented 1 year ago

@MarcOverIP agreed indeed, in the past I've made a small container that was taking SharpHound's JSON/ZIP files as input from a mount and was ingesting them directly into Neo4j. The BloodHound Community Edition looks like a great enhancement to RedELK! FYI - it would require updating the Kibana app to embed it in the view.

alcastronic commented 1 year ago

I'll have a look into it and prepare a PR for the RedELK part first. I think it might make sense to integrate the full stack, e.g. not only the Neo4j DB but also the new WebApp with another PostgreSQL DB. That would spawn three new dockers and it would be required to expose the BloodHound WebApp via nginx. The app should be able to handle auth itself.

Looking at https://github.com/SpecterOps/BloodHound/blob/main/examples/docker-compose/README.md this should be fairly simple to integrate.

alcastronic commented 1 year ago

I have it mostly done, there is however one issue with the reverse proxy support of the BloodHound Community Edition as it wants to be served from the root directory, e.g. https://127.0.0.1/ui/login, so something like https://127.0.0.1/bloodhound/ui/login will not work. It is still possible to serve it on port 8080 like the Neo4j Browser but that would be over HTTP.

I have opened an issue https://github.com/SpecterOps/BloodHound/issues/94 , maybe there is a way to change the root url altogether.

alcastronic commented 1 year ago

I have started the BloodHound WebApp on port 8443, since the route cannot be changed out-of-the-box. There is still an error that I need to investigate further before opening a PR: the Explore dashboard fails with the following error.

[image: screenshot of the Explore dashboard error]

MarcOverIP commented 1 year ago

Any help we can provide you on this?

alcastronic commented 1 year ago

It seems that the app is working now, I'll do some cleanup and then open a PR so someone can test it.

alcastronic commented 1 year ago

Current status:

[image]

[image]

[image]

```
 Done with base setup of RedELK on ELK server
 You can now login to the following interfaces: 
   - Main RedELK Kibana interface on port 443 (user: redelk, pass:[...])
```

The include for the bloodhound server is commented out when limited is present.

```
 Done with base setup of RedELK on ELK server
 You can now login to the following interfaces: 
   - Main RedELK Kibana interface on port 443 (user: redelk, pass:[...])
   - Jupyter notebooks on /jupyter (user: redelk, pass:[...])
   - Bloodhound community edition on https port 8443 (user: admin, pass:[...])
   - Neo4J Browser port 7473 (user: neo4j, pass:[...])
   - Neo4J using the BloodHound app on port 7687 (user: neo4j, pass:[...])
```

```
# passwords used by RedELK installation - NOT A CONFIG FILE! - passwords are defined in .env file
CredHtaccessUsername = "redelk"
CredHtaccessPassword = "[...]"
CredESUsername = "elastic"
CredESPassword = "[...]"
CredNeo4jUsername = "neo4j"
CredNeo4jPassword = "[...]"
CredBloodhoundAdminEmail = ""
CredBloodhoundUsername = "admin"
CredBloodhoundPassword = "[...]"
CredPostgresUsername = "bloodhound"
CredPostgresPassword = ""
```

The Postgres password is missing in the creds file, it is properly set in the .env file. When the Let's Encrypt e-mail is not set, the BloodhoundAdmin e-mail is empty as well.

alcastronic commented 1 year ago

The Postgres password issue was resolved and PR #304 was opened.
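The empty `CredPostgresPassword = ""` line above is the kind of defect that is easy to miss in an installer summary: the service itself is fine because it reads `.env`, but the operator-facing creds file silently drops a secret. As an added example, not part of RedELK's installer or of this PR, the script below renders a RedELK-style creds block from an env-style file and refuses to pass if any `Cred*Password` field would be rendered empty. The `.env` key names (`NEO4J_USER`, `POSTGRES_PASSWORD`, ...) and the sample values are constructed assumptions for this illustration, not RedELK's real variable names; `CredBloodhoundAdminEmail` is deliberately excluded from the check, since the thread notes it is legitimately empty when no Let's Encrypt e-mail is configured.

```shell
#!/bin/sh
# Added example (not RedELK's own code): render a creds summary from an env-style
# file and detect password fields that ended up empty, the failure mode reported
# in this issue. Key names below are assumptions, not RedELK's real .env keys.

# Print the value of KEY from FILE (KEY=value lines, surrounding double quotes stripped).
env_value() {
    key="$1"; file="$2"
    sed -n "s/^${key}=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Render the creds block from ENVFILE into OUT. A key missing from .env renders
# as "" here, which is exactly what check_creds is meant to catch.
render_creds() {
    envfile="$1"; out="$2"
    {
        echo '# passwords used by RedELK installation - NOT A CONFIG FILE! - passwords are defined in .env file'
        printf 'CredNeo4jUsername = "%s"\n'     "$(env_value NEO4J_USER "$envfile")"
        printf 'CredNeo4jPassword = "%s"\n'     "$(env_value NEO4J_PASSWORD "$envfile")"
        printf 'CredBloodhoundAdminEmail = "%s"\n' "$(env_value LETSENCRYPT_EMAIL "$envfile")"
        printf 'CredPostgresUsername = "%s"\n'  "$(env_value POSTGRES_USER "$envfile")"
        printf 'CredPostgresPassword = "%s"\n'  "$(env_value POSTGRES_PASSWORD "$envfile")"
    } > "$out"
}

# Return 0 when every Cred*Password line has a value, 1 otherwise (offending
# field names go to stderr). Only *Password fields are checked: an empty
# CredBloodhoundAdminEmail is expected when no Let's Encrypt e-mail is set.
check_creds() {
    file="$1"
    bad=$(grep -E '^Cred[A-Za-z]*Password = ""$' "$file" | cut -d' ' -f1 || true)
    if [ -n "$bad" ]; then
        echo "empty password fields in $file:" $bad >&2
        return 1
    fi
    return 0
}

# Stand-alone demo with constructed fixtures: one complete .env and one that
# lacks POSTGRES_PASSWORD (mirroring the bug reported in this issue).
demo=$(mktemp -d)
printf 'NEO4J_USER=neo4j\nNEO4J_PASSWORD=n3o4j-demo\nPOSTGRES_USER=bloodhound\nPOSTGRES_PASSWORD=pg-demo\n' > "$demo/good.env"
printf 'NEO4J_USER=neo4j\nNEO4J_PASSWORD=n3o4j-demo\nPOSTGRES_USER=bloodhound\n' > "$demo/bad.env"
render_creds "$demo/good.env" "$demo/good.creds"
render_creds "$demo/bad.env"  "$demo/bad.creds"
check_creds "$demo/good.creds" && echo "good.creds: all password fields populated"
check_creds "$demo/bad.creds"  || echo "bad.creds: rejected as expected"
rm -rf "$demo"
```

Wiring `check_creds` into the end of an install script (or a CI job that runs the installer against a throwaway `.env`) turns a silently wrong summary into a hard failure at install time rather than a surprise when someone tries to log in to the BloodHound Postgres instance.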