3.3.2 - BloodHound
Last updated
Last updated
Most famous tool that provides GUI for AD entities and relationship for the data collected. It utilzies graph theory mapping shortest path for interesting things like Domain Admins, and contains built-in queries for more interesting path.
There two free versions of BloodHound:
BloodHound Legacy (present into C:\AD\Tools):
BloodHound CE (Community Edition):
Steps to do on attacker machine (Kali)
1) apt-get install bloodhound
2) neo4j console
In this certification is provided BloodHound WebUI to solve labs.
insert default credentials -> neo4j:neo4j and click to connect.
CRTP Lab
Other Lab
Using SharpHound.ps1
Download and upload SharpHound.ps1 to the target.
Run:
Using SharpHound.exe
Run directly:
Using bloodhound.py
The process of collection info/data isn't more stealthy, than in particular contest can be useful to remove noisy methods like RDP, DCOM, PSRemote and LocalAdmin (using flag --excludedcs)
A really good method to collect data in stealth mode is using SOAPHound, it talks to AD Web Services (ADWS - Port 9389) sending LDAP queries, it doesn't send network-based data detection (like MDI) and retrieve info about all objects and process taking LDAP queries.
Download the resulting .zip file and upload it to BloodHound for analysis.
3) open browser and go to URL indicated by neo4j console (usually: )
