Bloodhound
Bloodhound Usage

Linux
Rusthound
The most OPSEC-friendly option (a single LDAP/LDAPS collector; --old-bloodhound writes the legacy BloodHound 4.x JSON format rather than the CE format):
rusthound -d "$DOMAIN" -u "$USER"@"$DOMAIN" -p "$PASSWORD" --zip --ldaps --adcs --old-bloodhound
NXC
nxc ldap <ip> -u user -p pass --bloodhound --collection All
nxc ldap 192.168.1.48 -u raj -p Password@1 --bloodhound --collection All --dns-server 192.168.1.48
Bloodhound.py
To get all data into BloodHound, use SharpHound.exe (Exegol-compatible version: https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip).
bloodhound.py does not collect all data, probably because of DNS resolution problems.
With password
$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 564 computers
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 2951 users
INFO: Connecting to GC LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 183 groups
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers
On timeout errors, add --dns-tcp:
bloodhound.py --zip -c All -d "INLANEFREIGHT.LOCAL" -u "forend" -p "Klmcargo2" -ns "172.16.5.5" --dns-tcp
Even better: point DNS at the target domain's DC in /etc/resolv.conf (here the trusted domain FREIGHTLOGISTICS.LOCAL is enumerated with an inlanefreight.local account):
$ cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 127.0.0.53
search lan
options edns0 trust-ad
# Based on host file: '/etc/resolv.conf'
# Overrides: []
domain FREIGHTLOGISTICS.LOCAL
nameserver 172.16.5.238
bloodhound.py --zip -c All -d FREIGHTLOGISTICS.LOCAL -ns 172.16.5.238 -u forend@inlanefreight.local -p Klmcargo2 --dns-tcp
INFO: Found AD domain: freightlogistics.local
INFO: Getting TGT for user
With Kerberos (ccache)
# export KRB5CCNAME=krb5cc.florence.ramirez
# bloodhound.py --zip -c All -d "domain.htb" -u "florence.ramirez" -k -ns 10.10.11.24
Password:
LDAPSearch - Avoid Detection
A plain LDAP dump instead of a collector. The -E control is LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801) with value 7 (owner + group + DACL), so the DC returns nTSecurityDescriptor without requiring the SACL read right that a low-privileged account does not have.
proxychains ldapsearch -LLL -H ldap://dc03.eu-ifrit.vl -D 'EU-IFRIT\Grace.Dunn' -w 'PenEuIfrit527#' -b "DC=EU-IFRIT,DC=VL" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee objects.txt
# git clone https://github.com/fortalice/bofhound
# cd bofhound
# pip install .
# cd ..
# wget https://gist.githubusercontent.com/kozmer/725cde788e4b3c8bdd870468c243916b/raw/a797b4020bef960124d79d7295cb6ad1849b47a1/ldapsearch_parser.py
# python3 ldapsearch_parser.py objects.txt object-conv.txt
# bofhound -i object-conv.txt

The resulting JSON files can be ingested into BloodHound, and this time they include the ACLs.
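Added example in Python (not code from the page, from bofhound or from the gist parser): it builds the SD_FLAGS control value used in the ldapsearch command above, parses unwrapped LDIF the way a converter has to, decodes objectSid, and counts how many entries actually carried nTSecurityDescriptor, which is the check worth doing before running bofhound. The LDIF in the block is constructed for the example; the DNs reuse the page's EU-IFRIT names, and the SID and security-descriptor bytes are placeholders.

```python
import base64

# Security-information bits understood by the LDAP_SERVER_SD_FLAGS control.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8
SD_FLAGS_OID = "1.2.840.113556.1.4.801"


def sd_flags_control(flags: int) -> str:
    """Build the ldapsearch -E argument for the SD_FLAGS control.

    The control value is BER: SEQUENCE { INTEGER flags }.  A low-privileged
    user must not set SACL_SECURITY_INFORMATION: reading the SACL needs
    SeSecurityPrivilege, and asking for it makes the DC withhold
    nTSecurityDescriptor altogether.
    """
    if not 0 < flags <= 0xF:
        raise ValueError("flags must combine the four *_SECURITY_INFORMATION bits")
    integer = bytes([0x02, 0x01, flags])              # INTEGER, length 1 (flags < 0x80, no sign byte)
    sequence = bytes([0x30, len(integer)]) + integer  # SEQUENCE wrapping the INTEGER
    return f"!{SD_FLAGS_OID}=::{base64.b64encode(sequence).decode()}"


def parse_ldif(text: str) -> list:
    """Parse unwrapped LDIF (ldapsearch -LLL -o ldif-wrap=no) into entries.

    `attr:: <b64>` values are base64-decoded, `attr: value` values are kept
    as bytes, and repeated attributes (memberOf, objectClass, ...) accumulate.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):             # referral / comment lines
            continue
        name, sep, value = line.partition(":: ")
        if sep:
            raw = base64.b64decode(value)
        else:
            name, _, value = line.partition(": ")
            raw = value.encode()
        current.setdefault(name, []).append(raw)
    if current:
        entries.append(current)
    return entries


def sid_to_str(sid: bytes) -> str:
    """Convert a binary SID (objectSid) to its S-1-... form."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = [int.from_bytes(sid[8 + 4 * i:12 + 4 * i], "little") for i in range(sub_count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def check_acl_coverage(entries) -> tuple:
    """Return (entries with nTSecurityDescriptor, entries without).

    A large second number means the control was not honoured or the account
    cannot read those objects' descriptors; bofhound will then have no ACLs.
    """
    with_sd = sum(1 for e in entries if "nTSecurityDescriptor" in e)
    return with_sd, len(entries) - with_sd


# Constructed sample, not real ldapsearch output: one user whose descriptor
# came back and one computer whose descriptor did not. The SID is made up and
# the descriptor bytes are a placeholder, not a valid security descriptor.
_SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + b"".join(
    n.to_bytes(4, "little") for n in (21, 1, 2, 3, 1104))
_SAMPLE_SD = bytes([0x01, 0x00, 0x04, 0x80]) + bytes(16)
SAMPLE_LDIF = f"""dn: CN=Grace Dunn,CN=Users,DC=EU-IFRIT,DC=VL
objectClass: user
sAMAccountName: Grace.Dunn
objectSid:: {base64.b64encode(_SAMPLE_SID).decode()}
nTSecurityDescriptor:: {base64.b64encode(_SAMPLE_SD).decode()}
memberOf: CN=Domain Users,CN=Users,DC=EU-IFRIT,DC=VL
memberOf: CN=Helpdesk,CN=Users,DC=EU-IFRIT,DC=VL

dn: CN=DC03,OU=Domain Controllers,DC=EU-IFRIT,DC=VL
objectClass: computer
sAMAccountName: DC03$

# refldap://ForestDnsZones.eu-ifrit.vl/DC=ForestDnsZones,DC=EU-IFRIT,DC=VL
"""

if __name__ == "__main__":
    print("-E", sd_flags_control(OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
    parsed = parse_ldif(SAMPLE_LDIF)
    for e in parsed:
        sid = sid_to_str(e["objectSid"][0]) if "objectSid" in e else "(no SID)"
        print(e["dn"][0].decode(), sid, len(e.get("memberOf", [])), "groups")
    print("with / without nTSecurityDescriptor:", check_acl_coverage(parsed))
```

Running the block prints `-E !1.2.840.113556.1.4.801=::MAMCAQc=`, i.e. the exact value in the page's ldapsearch command, which confirms that value is owner+group+DACL. Run `check_acl_coverage` on the real objects.txt before the gist parser: if most entries lack nTSecurityDescriptor, fix the control or the bind account rather than debugging bofhound.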
Can also see:
Windows
Sharphound.exe
For the Exegol-compatible version: https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip
PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT
# stealth mode drops the noisy collection methods (RDP, DCOM, PSRemote, LocalAdmin) that touch every host
SharpHound.exe --Stealth
Sharphound.ps1
C:\AD\Tools\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
# stealth mode drops the noisy collection methods (RDP, DCOM, PSRemote, LocalAdmin) that touch every host
Invoke-BloodHound -Stealth
# skip domain controllers during host enumeration to avoid detections such as Microsoft Defender for Identity (MDI)
Invoke-BloodHound -ExcludeDCs
SOAPHound
ShadowHound
Two collection options: ShadowHound-ADM (ADWS, through the ActiveDirectory PowerShell module) or ShadowHound-DS (LDAP, through DirectorySearcher). Collect first, then convert the output with BOFHound:
# 1/ collect (ADWS variant shown)
ShadowHound-ADM -OutputFilePath "C:\Résultats\output.txt"
# 2/ convert the output to BloodHound JSON
python3 bofhound.py -i output.txt -p All

ADExplorer64 - Avoid Detection
ADExplorer64.exe is a Sysinternals-signed binary, and
C:\Windows\Temp\
is a default AppLocker exclusion path (user-writable and allowed by the default rules), so copying the binary there lets it run:
Z:\>copy C:\Users\Grace.Dunn\Desktop\ADExplorer64.exe C:\Windows\Temp\
Overwrite C:\Windows\Temp\ADExplorer64.exe? (Yes/No/All): Yes
1 file(s) copied.
Z:\>C:\Windows\Temp\ADExplorer64.exe

File -> Create a Snapshot


Parse the snapshot with ADExplorerSnapshot.py to ingest it into BloodHound. If parsing fails, edit adexpsnapshot/__init__.py and replace self.preprocessCached() with self.preprocess():
# vim adexpsnapshot/__init__.py

python3 ADExplorerSnapshot.py ../snapshot.dat

The output can now be ingested into BloodHound.
It does not include ACL data.
To get ACL data, see the LDAPSearch section above.
Run Bloodhound

Then upload the zip file generated by SharpHound or bloodhound-python.
Bloodhound-quickwin
bloodhound-quickwin -u neo4j -p exegol4thewin
AD Miner
Autobloody
Bloodhound Query Library
Interesting Books
Pentesting Active Directory and Windows-based Infrastructure: Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
Infrastructure Attack Strategies for Ethical Hacking: Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
RTFM: Red Team Field Manual v2: A quick reference when there is no time to scour the Internet for that perfect command
Red Team Development and Operations: A practical guide: The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
Cybersecurity Attacks – Red Team Strategies: A practical guide to building a penetration testing program having homefield advantage
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.