Introduction:
BloodHound has long been the gold standard for mapping Active Directory attack paths, but its focus on Windows left a critical blind spot: Linux and SSH infrastructures. GoLinHound, a new open-source collector, changes that by extracting Linux system relationships and SSH trust configurations, then outputting them as OpenGraph JSON for seamless ingestion into BloodHound. This integration enables security professionals to visualize cross-platform attack chains that span from a compromised Linux jump box to a Windows domain administrator, finally closing the visibility gap in hybrid environments.
Learning Objectives:
- Understand the architecture and role of GoLinHound within the BloodHound ecosystem.
- Learn to deploy GoLinHound to enumerate Linux hosts, users, sudo privileges, and SSH key relationships.
- Master the analysis of combined Windows, Azure, and Linux attack paths using BloodHound’s graph database and custom Cypher queries.
You Should Know:
1. What is GoLinHound and Why It Matters
GoLinHound is a Go‑based tool designed to discover attack paths that originate or traverse through Linux systems. It collects data such as local users, groups, sudoers entries, SSH authorized_keys, known_hosts, and active SSH sessions. The output is a JSON file compliant with BloodHound’s OpenGraph schema, meaning it can be loaded directly into BloodHound alongside data from SharpHound (Windows) and AzureHound. This unification reveals previously hidden relationships—for example, a developer’s SSH key stored on a Linux server that also authenticates to a domain‑joined Windows machine, or a service account with sudo privileges that is reused across both operating systems.
2. Installing and Configuring GoLinHound
GoLinHound is available on GitHub. To install it, you need Go 1.19+ or you can download a precompiled binary from the releases page.
Linux/macOS build from source:
```bash
git clone https://github.com/your-repo/golinhound.git   # replace with the actual repo URL
cd golinhound
go build -o golinhound main.go
sudo mv golinhound /usr/local/bin/
```
Configuration:
Create a `config.yaml` file to define target Linux hosts and authentication methods:
```yaml
targets:
  - host: 192.168.1.100
    user: root
    key_path: /path/to/private_key
  - host: linux-server.internal
    user: analyst
    password: "{{GOLINHOUND_ANALYST_PW}}"   # use env vars for secrets
output: bloodhound_data.json
```
Set environment variables to avoid hardcoding credentials:
```bash
export GOLINHOUND_ANALYST_PW='SecurePass123'
```
3. Collecting Linux and SSH Data
Run GoLinHound with the configuration file:
```bash
golinhound collect --config config.yaml
```
The tool connects to each target via SSH, executes a series of commands to gather:
- Users and groups (/etc/passwd, /etc/group)
- Sudo privileges (/etc/sudoers, sudo -l)
- SSH authorized keys (~/.ssh/authorized_keys for each user)
- SSH known hosts (/etc/ssh/ssh_known_hosts, ~/.ssh/known_hosts)
- Active SSH sessions (ss -tlnp, ps aux | grep sshd)
The collected data is transformed into nodes (User, Group, Computer) and edges (MemberOf, CanSSH, HasSession, AdminTo) following BloodHound’s graph model. The output JSON file is saved as specified.
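The transformation step 3 describes, sketched in Python as an added illustration (this is not GoLinHound's own code): /etc/passwd, /etc/group and authorized_keys content from a constructed two-host inventory becomes User/Group/Computer nodes and MemberOf/AdminTo/CanSSH edges, and the CanSSH edge from dev on the jump box to root on the database host is the kind of cross-host link the page is about. The JSON layout is an assumption rather than the exact OpenGraph schema, sudo-group membership is simplified to AdminTo, and "owned_keys" (public keys found under a user's ~/.ssh, taken as ownership of the private key) is an assumed input so that a CanSSH edge can be tied to a source user.

```python
import hashlib

# Constructed sample of what a collector reads from two Linux hosts: /etc/passwd and
# /etc/group lines, (account, key) pairs from each ~/.ssh/authorized_keys, and, as an
# assumption of this example, public keys found under a user's ~/.ssh taken as ownership.
KEY_DEV = "ssh-ed25519 AAAAexampleDevKeyBlob dev@jumpbox"
KEY_SVC = "ssh-ed25519 AAAAexampleSvcKeyBlob svc-backup"
INVENTORY = {
    "linux-jumpbox.local": {
        "passwd": ["root:x:0:0::/root:/bin/bash", "dev:x:1000:1000::/home/dev:/bin/bash"],
        "group": ["sudo:x:27:dev", "dev:x:1000:"],
        "authorized_keys": [("dev", KEY_DEV)],
        "owned_keys": [("dev", KEY_DEV), ("root", KEY_SVC)],
    },
    "db01.local": {
        "passwd": ["root:x:0:0::/root:/bin/bash", "backup:x:1001:1001::/home/backup:/bin/sh"],
        "group": ["sudo:x:27:backup", "backup:x:1001:"],
        "authorized_keys": [("root", KEY_DEV), ("root", KEY_SVC), ("backup", KEY_SVC)],
    },
}

def key_id(line):
    """Identity of a public key: hash of 'type blob'; the trailing comment is ignored."""
    return hashlib.sha256(" ".join(line.split()[:2]).encode()).hexdigest()[:16]

def build_graph(inventory):
    """User/Group/Computer nodes and MemberOf/AdminTo/CanSSH edges; layout is an assumption."""
    nodes, edges, holders = [], [], {}
    def edge(kind, start, end, **props):
        edges.append({"kind": kind, "start": start, "end": end, "properties": props})
    for host, d in inventory.items():
        nodes.append({"id": host, "kinds": ["Computer"], "properties": {"os": "Linux"}})
        for line in d["passwd"]:
            nodes.append({"id": f"{line.split(':')[0]}@{host}", "kinds": ["User"], "properties": {}})
        for line in d["group"]:  # group ids get a prefix so 'dev' the group != 'dev' the user
            name, members = line.split(":")[0], line.split(":")[3]
            nodes.append({"id": f"group:{name}@{host}", "kinds": ["Group"], "properties": {}})
            for m in filter(None, members.split(",")):
                edge("MemberOf", f"{m}@{host}", f"group:{name}@{host}")
                if name == "sudo":  # simplification: sudo-group membership modelled as AdminTo
                    edge("AdminTo", f"{m}@{host}", host)
        for user, k in d.get("owned_keys", []):
            holders.setdefault(key_id(k), []).append(f"{user}@{host}")
    # A key held by user@A and accepted for account B on host H yields user@A -[CanSSH]-> H.
    for host, d in inventory.items():
        for account, k in d["authorized_keys"]:
            for holder in holders.get(key_id(k), []):
                edge("CanSSH", holder, host, login_as=account, key=key_id(k))
    return {"graph": {"nodes": nodes, "edges": edges}}
```

Because the same private key is accepted on both hosts, the output also shows which keys would have to be rotated to break the path.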
4. Ingesting Data into BloodHound
Assuming you have BloodHound Community Edition or Enterprise running with a Neo4j database:
1. Open the BloodHound UI.
2. Navigate to Upload Data.
   - Select the JSON file generated by GoLinHound (bloodhound_data.json).
   - BloodHound will parse the file and merge the Linux nodes and edges with any existing Windows/Azure data.
   - Verify the new objects appear by searching for a Linux hostname or a Unix‑style user.
Alternative CLI import:
```bash
bloodhound-import -u http://localhost:7474 -d neo4j -c bloodhound_data.json
```
5. Mapping Cross‑Platform Attack Paths
With the combined dataset, you can now run BloodHound queries that traverse Windows and Linux.
Example Cypher query to find all Linux users who have SSH access to a Windows domain admin’s machine:
```cypher
MATCH p=(u:User)-[:CanSSH]->(c:Computer)
WHERE c.operatingsystem CONTAINS 'Linux'
  AND u.name IN ['DOMAIN\\administrator', 'EC2-ADMIN']
RETURN p
```
Find all paths from a compromised Linux host to a Domain Admin:
```cypher
MATCH p=(start:Computer {name: 'linux-jumpbox.local'})-[*1..5]->(da:User {domainadmin:true})
RETURN p
```
The graph will show intermediate hops, such as SSH keys reused on a Windows server, or a service account with local admin rights on both platforms.
6. Advanced Usage: Integrating with SharpHound and AzureHound
To get the full picture, run all three collectors:
- SharpHound (Windows AD): `SharpHound.exe -c All`
- AzureHound (Azure AD): `azurehound collect`
- GoLinHound (Linux/SSH): `golinhound collect --config config.yaml`
Then load all JSON files into BloodHound. The graph will contain Windows users, Azure roles, and Linux nodes, all interlinked. For example, it can show an Azure AD user who holds SSH key access to a Linux VM that is itself a member of an Active Directory group.
Tip: Use the BloodHound `Find All Paths` feature with the start and end nodes from different platforms to see the full blast radius.
7. Defensive Recommendations
Once you identify critical attack paths, prioritize mitigations:
- Rotate SSH keys used across multiple systems.
- Restrict sudo to only necessary commands and users.
- Enforce Multi‑Factor Authentication for SSH (e.g., with pam_google_authenticator).
- Monitor for unusual SSH login patterns using tools like auditd or Falco.
- Segment Linux and Windows environments with firewalls to limit lateral movement.
What Undercode Say:
- Key Takeaway 1: GoLinHound exposes the invisible trust relationships between Linux and Windows systems, revealing chained attacks that were previously undetectable in siloed monitoring tools.
- Key Takeaway 2: By integrating with BloodHound, defenders can apply graph‑theory analysis to prioritize remediation of the most critical paths, reducing overall risk more efficiently than patching isolated vulnerabilities.
Analysis: The emergence of GoLinHound signals a maturation in cross‑platform security. As hybrid infrastructures become the norm, attackers increasingly pivot between OS environments. Tools that unify telemetry into a single graph database empower blue teams to think like adversaries—mapping the entire attack surface, not just a single domain. The open‑source nature encourages community contributions, but organizations must handle credential collection with care, ideally using short‑lived tokens or dedicated service accounts with minimal privileges.
Prediction:
Future iterations of GoLinHound will likely incorporate container orchestration data (Kubernetes pods, service accounts) and cloud‑specific Linux instances (AWS EC2, Azure VMs). BloodHound itself may evolve to support real‑time attack path detection, integrating with SIEMs and EDRs to alert on active traversal attempts. Ultimately, unified attack path management will become a cornerstone of modern cybersecurity operations.
Reported By: Jonas Bk – Hackers Feeds