Reconaissance

Bloodhound, SharpADWS

Bloodhound

To get all data in Bloodhound, use SharpHond.exe - Exegol compatible version https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip

Bloodhound.py don't get all data, probably because of DNS resolution

$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 

INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 564 computers
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 2951 users
INFO: Connecting to GC LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 183 groups
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers

Timeout errors - add dns-tcp

bloodhound.py --zip -c All -d "INLANEFREIGHT.LOCAL" -u "forend" -p "Klmcargo2" -ns "172.16.5.5" --dns-tcp

Even better

Windows

For Exegol compatible version: https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip

Run Bloodhound

Then upload zip file generate from Sharphound or bloodhound-python

Bloodhound-quickwin

LogoGitHub - kaluche/bloodhound-quickwin: Simple script to extract useful informations from the combo BloodHound + Neo4jGitHub

AD Miner

LogoGitHub - AD-Security/AD_Miner: AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknessesGitHub

SharpADWS

PreviousLDAP Pass Back AttackNextBloodhound

Last updated