search

Bloodhound

NB: You may have to download the newest release from github

https://github.com/fox-it/BloodHound.pyarrow-up-right

https://github.com/BloodHoundAD/BloodHound/releasesarrow-up-right

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectorsarrow-up-right

hashtag
Bloodhound-python Ingestor - Used From Kali

bloodhound-python -d domain.com -u username -p passwsord -dc domain.com -ns $dcIP -c all

  • You can limit collection with comma-separated queries. see official doc above but I usually grab everything

hashtag
SharpHound.exe Ingestor - Used From Victim Windows Host

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.htmlarrow-up-right

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.htmlarrow-up-right

NB: Collection method -All does not include GPOLocalGroup, so I normally add that!

https://bloodhound.readthedocs.io/en/latest/_images/SharpHoundCheatSheet.pngarrow-up-right

SharpHound.exe --CollectionMethod All,GPOLocalGroup --Domain $domain

hashtag
SharpHound.ps1 - Used From Victim Windows Host

. .\SharpHound.ps1

  • adPEAS.ps1 will also dump this automatically!

hashtag
Analyzing Data In BloodHound GUI

  • Check out “Outbound Control Rights” to see what the a user has access to in the domain

  • Sometimes the “shortest path to X” selection might work but usually it's many steps away or some ways aren't clear

PreviousCredential AttacksNextPersistence

Last updated