Bloodhound

NB: You may have to download the newest release from github

https://github.com/fox-it/BloodHound.py

https://github.com/BloodHoundAD/BloodHound/releases

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

Bloodhound-python Ingestor - Used From Kali

bloodhound-python -d domain.com -u username -p passwsord -dc domain.com -ns $dcIP -c all

• You can limit collection with comma-separated queries. see official doc above but I usually grab everything

SharpHound.exe Ingestor - Used From Victim Windows Host

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html

NB: Collection method -All does not include GPOLocalGroup, so I normally add that!

https://bloodhound.readthedocs.io/en/latest/_images/SharpHoundCheatSheet.png

SharpHound.exe --CollectionMethod All,GPOLocalGroup --Domain $domain

SharpHound.ps1 - Used From Victim Windows Host

. .\SharpHound.ps1

Invoke-Bloodhound -CollectionMethod All,GPOLocalGroup -Domain domain.local

• adPEAS.ps1 will also dump this automatically!

Analyzing Data In BloodHound GUI

neo4j start

bloodhound --no-sandbox

• Check out “Outbound Control Rights” to see what the a user has access to in the domain

• Sometimes the “shortest path to X” selection might work but usually it's many steps away or some ways aren't clear