Thursday, August 18, 2022

Installing BloodHound on Parrot OS 5.1

        Today while working on an assessment, I decided to spin up BloodHound on my Parrot OS 5.1 instance. To my dismay, BloodHound wasn't already installed. Normally this is quickly solved with a simple apt install bloodhound neo4j, but today that wouldn't be the case! Upon trying to start up neo4j, it immediately started throwing errors, and a quick Google search showed that I wasn't the only one with the issue, but no one had posted any solutions yet. Hopefully this guide will be useful to others.

    First install bloodhound and neo4j.

┌─[user@Parrot]─[~]
└──╼ $ sudo apt install bloodhound neo4j -y

    Attempting to start neo4j is where the first issues began. Initially trying to start the service resulted in normal output, but the service would never start listening on port 7474. So I reverted to watching the console output. Immediately a number of errors were thrown. The first error was neo4j complaining about the limit on open files. That's an easy fix with ulimit -n 40000, but ultimately it wasn't the reason for neo4j not starting. It turns out that Parrot OS comes with both OpenJDK 11 and OpenJDK 17 installed, with OpenJDK 17 set as the default. Having both JDKs installed was causing an odd error while launching neo4j.

WARNING! You are using an unsupported Java runtime. 
* Please use Oracle(R) Java(TM) 11, OpenJDK(TM) 11 to run Neo4j.
* Please see https://neo4j.com/docs/ for Neo4j installation instructions.
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
OpenJDK 64-Bit Server VM warning: Option UseBiasedLocking was deprecated in version 15.0 and will likely be removed in a future release.
2022-08-18 17:26:03.926+0000 INFO  Starting...
2022-08-18 17:26:07.804+0000 INFO  ======== Neo4j 4.2.1 ========
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
2022-08-18 17:26:14.767+0000 ERROR Failed to start Neo4j on dbms.connector.http.listen_address, a socket address. If missing port or hostname it is acquired from dbms.default_listen_address.
java.lang.RuntimeException: Error starting Neo4j database server
<...Trimmed for Brevity...>
2022-08-18 17:26:14.772+0000 INFO  Neo4j Server shutdown initiated by request
2022-08-18 17:26:14.772+0000 INFO  Stopped.

    The above error is not exactly clear as to what the issue might be. After some research it was an easy fix. 

    First determine which java versions are installed/available:

┌─[user@Parrot]─[~]
└──╼ $ sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                         Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-17-openjdk-amd64/bin/java   1711      auto mode
  1            /usr/lib/jvm/java-11-openjdk-amd64/bin/java   1111      manual mode
  2            /usr/lib/jvm/java-17-openjdk-amd64/bin/java   1711      manual mode

Press <enter> to keep the current choice[*], or type selection number:

    Neo4j requires OpenJDK 11, but as seen above Parrot is defaulting to OpenJDK 17. While we could update the system to use OpenJDK 11 by default, there is likely a reason the Parrot Devs chose OpenJDK 17. So we can temporarily start neo4j using OpenJDK 11 by prepending OpenJDK 11's binary folder to PATH.

┌─[user@Parrot]─[~]
└──╼ $ PATH="/usr/lib/jvm/java-11-openjdk-amd64/bin:$PATH"
┌─[user@Parrot]─[~]
└──╼ $ ulimit -n 40000
┌─[user@Parrot]─[~]
└──╼ $ sudo env "PATH=$PATH" neo4j console
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
2022-08-18 17:40:56.101+0000 INFO  Starting...
2022-08-18 17:41:01.485+0000 INFO  ======== Neo4j 4.2.1 ========
2022-08-18 17:41:05.507+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2022-08-18 17:41:05.520+0000 INFO  Setting up initial user from defaults: neo4j
2022-08-18 17:41:05.521+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2022-08-18 17:41:05.539+0000 INFO  Setting version for 'security-users' to 2
2022-08-18 17:41:05.548+0000 INFO  After initialization of system graph model component 'security-users' have version 2 and status CURRENT
2022-08-18 17:41:05.561+0000 INFO  Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2022-08-18 17:41:06.442+0000 INFO  Bolt enabled on localhost:7687.
2022-08-18 17:41:09.023+0000 INFO  Remote interface available at http://localhost:7474
2022-08-18 17:41:09.024+0000 INFO  Started.

    Success! What is really interesting about this fix is that once this has been run once and succeeds, neo4j appears to run just fine with OpenJDK 17 afterwards. That is probably not recommended, since neo4j specifically requests OpenJDK 11, but it was still interesting to notice! After running the previous commands, neo4j and BloodHound can subsequently be launched as follows.

┌─[user@Parrot]─[~]
└──╼ $ PATH="/usr/lib/jvm/java-11-openjdk-amd64/bin:$PATH"; ulimit -n 40000; sudo env "PATH=$PATH" neo4j start
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
Started neo4j (pid 3215). It is available at http://localhost:7474/
There may be a short delay until the server is ready.
See /usr/share/neo4j/logs/neo4j.log for current status.
┌─[user@Parrot]─[~]
└──╼ $ bloodhound &

    It is unlikely that anyone would want to type all of that out each time, so it is possible to modify the wrapper script for neo4j to contain these fixes. The file is located at /usr/bin/neo4j and should look like this (simply add the PATH and ulimit lines).

#!/bin/sh

#ARCH=$(dpkg --print-architecture)
#export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-$ARCH/jre/
PATH="/usr/lib/jvm/java-11-openjdk-amd64/bin:$PATH"
ulimit -n 40000

cd /usr/share/neo4j
exec ./bin/neo4j "$@"
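
    An added example, not part of the original post: instead of hard-coding the JDK directory, these shell functions probe each runtime under /usr/lib/jvm for Java 11 and build a short PATH for the root process, rather than forwarding the caller's whole $PATH through sudo. The function names and the fixed list of system directories are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the major version from `java -version` text given as $1.
# Handles the legacy "1.8.0_292" scheme and the modern "11.0.16" / "17" scheme.
java_major() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        '')  return 1 ;;                           # no version string found
        1.*) ver=${ver#1.}; printf '%s\n' "${ver%%.*}" ;;
        *)   printf '%s\n' "${ver%%[.+-]*}" ;;
    esac
}

# Print the bin directory of the first runtime under $1 reporting major $2.
find_jdk_bin() {
    for j in "$1"/*/bin/java; do
        [ -x "$j" ] || continue
        if [ "$(java_major "$("$j" -version 2>&1)")" = "$2" ]; then
            dirname "$j"
            return 0
        fi
    done
    return 1
}

# Print a PATH for the root process: the JDK 11 bin directory followed by a
# fixed list of system directories (an assumption of this example).
neo4j_path() {
    bin=$(find_jdk_bin "${1:-/usr/lib/jvm}" 11) || return 1
    printf '%s:/usr/sbin:/usr/bin:/sbin:/bin\n' "$bin"
}

# Usage, mirroring the commands in the post:
#   p=$(neo4j_path) && ulimit -n 40000 && sudo env "PATH=$p" neo4j console
```
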

    Now simply start neo4j and BloodHound. 

┌─[user@Parrot]─[~]
└──╼ $ sudo neo4j start
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
Started neo4j (pid 3824). It is available at http://localhost:7474/
There may be a short delay until the server is ready.
See /usr/share/neo4j/logs/neo4j.log for current status.
┌─[user@Parrot]─[~]
└──╼ $ bloodhound &

    I hope this helps others get BloodHound up and running on their Parrot OS systems as well. Happy Hacking!

1 comment:

  1. Thank you so much for your effort to track down and resolve this issue. As a newbie it was very helpful.
