# 3.3.2 - BloodHound

## **BloodHound** <a href="#bloodhound" id="bloodhound"></a>

Most famous tool that provides GUI for AD entities and relationship for the data collected. It utilzies graph theory mapping shortest path for interesting things like Domain Admins, and contains built-in queries for more interesting path.

There two free versions of BloodHound:

* BloodHound Legacy (present into C:\AD\Tools): <https://github.com/BloodHoundAD/BloodHound>
* BloodHound CE (Community Edition): <https://github.com/SpecterOps/BloodHound>

<div align="left"><figure><img src="/files/DqF3Pm9mtXEVKSY7p0Ts" alt="" width="200"><figcaption></figcaption></figure></div>

### BloodHound Installation <a href="#bloodhound-installation" id="bloodhound-installation"></a>

Steps to do on attacker machine (Kali)

1\) `apt-get install bloodhound`

2\) `neo4j console`

3\) open browser and go to URL indicated by neo4j console (usually: [http://localhost:7474](http://localhost:7474/))

In this certification is provided BloodHound WebUI to solve labs.

insert default credentials -> neo4j:neo4j and click to connect.

<figure><img src="https://dev-angelist.gitbook.io/~gitbook/image?url=https%3A%2F%2F677614291-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrRWtuMw6xkkeDjZfkcWC%252Fuploads%252FFKxVRkXw5IuHzJZ5E5hK%252Fimage.png%3Falt%3Dmedia%26token%3D5306a709-ef24-4b88-9096-a8018f5f4053&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=cb2af27f&#x26;sv=2" alt=""><figcaption></figcaption></figure>

### Collecting Data

[SharpHound Documentation](https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html)

#### BloodHound CE using SharpHound.exe and .ps1

**CRTP Lab**

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods All
```

**Other Lab**

**`Using SharpHound.ps1`**

* Download and upload `SharpHound.ps1` to the target.
* Run:

  ```powershell
  Import-Module .\SharpHound.ps1
  Invoke-BloodHound -CollectionMethod All
  ```

**Using `SharpHound.exe`**

* Run directly:

  ```powershell
  .\SharpHound.exe -c all
  ```

**Using `bloodhound.py`**

```bash
python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All
```

### Collect Data in Stealthy Mode

#### SharpHound

The process of collection info/data isn't more stealthy, than in particular contest can be useful to remove noisy methods like RDP, DCOM, PSRemote and LocalAdmin (using flag `--excludedcs`)

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs
```

#### SOAPHound

A really good method to collect data in stealth mode is using SOAPHound, it talks to AD Web Services (ADWS - Port 9389) sending LDAP queries, it doesn't send network-based data detection (like MDI) and retrieve info about all objects and process taking LDAP queries.

```powershell
#Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c C:\AD\Tools\cache.txt
#Collect BloodHound compatible data
SOAPHound.exe -c C:\AD\Tools\cache.txt --bhdump -o C:\AD\Tools\bloodhound-output --nolaps
```

Download the resulting `.zip` file and upload it to BloodHound for analysis.

## Labs

* [Post-Exploitation Basics THM Lab](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/thm/post-exploitation-basics)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/network-security-1/3.3-domain-enumeration/3.3.2-bloodhound.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.