Bloodhound


Linux

NXC

nxc ldap <ip> -u user -p pass --bloodhound --collection All

Bloodhound.py

To get all data into Bloodhound, use SharpHound.exe. Exegol-compatible version: https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip

Bloodhound.py doesn't get all the data, probably because of DNS resolution

$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 

INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 564 computers
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 2951 users
INFO: Connecting to GC LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 183 groups
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers

Timeout errors: add --dns-tcp

bloodhound.py --zip -c All -d "INLANEFREIGHT.LOCAL" -u "forend" -p "Klmcargo2" -ns "172.16.5.5" --dns-tcp

Even better: set the domain and nameserver in /etc/resolv.conf

$ cat /etc/resolv.conf 

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.53
search lan
options edns0 trust-ad

# Based on host file: '/etc/resolv.conf'
# Overrides: []

domain FREIGHTLOGISTICS.LOCAL
nameserver 172.16.5.238
bloodhound.py --zip -c All -d FREIGHTLOGISTICS.LOCAL -ns 172.16.5.238 -u forend@inlanefreight.local -p Klmcargo2 --dns-tcp
INFO: Found AD domain: freightlogistics.local
INFO: Getting TGT for user

Windows

Sharphound.exe

PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT

# removes noisy collection methods like RDP, DCOM, PSRemote and LocalAdmin

SharpHound.exe --stealth

Sharphound.ps1

. C:\AD\Tools\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

# removes noisy collection methods like RDP, DCOM, PSRemote and LocalAdmin

Invoke-BloodHound -Stealth

# avoid detections like MDI

Invoke-BloodHound -ExcludeDCs
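
For defenders: the per-computer collection methods the comments above call noisy (RDP, DCOM, PSRemote, LocalAdmin) appear on the network as one host contacting many computers in a short time. The following is an added example, not part of the original notes or of any BloodHound tooling, that flags that fan-out in flow records. The record format, the addresses, the choice of SMB (TCP 445), and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed flow records, 'timestamp src_ip dst_ip dst_port' (not real logs)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(6):   # ordinary workstation: two servers over a few minutes
        dst = "172.16.5.5" if i % 2 else "172.16.5.130"
        lines.append(f"{(t0 + timedelta(seconds=40 * i)).isoformat()} 172.16.5.50 {dst} 445")
    for i in range(40):  # collector-like host: 40 distinct computers in 40 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 172.16.5.225 172.16.6.{i + 1} 445")
    return lines

def smb_fanout(lines, window=timedelta(minutes=5), threshold=25, ports=(445,)):
    """Return {src: peak distinct destinations in any sliding window}
    for every source whose peak reaches the threshold (hypothetical defaults)."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        if int(port) in ports:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start, best, counts = 0, 0, defaultdict(int)
        for ts, dst in events:
            counts[dst] += 1
            # Drop events that fell out of the window, keeping per-host counts exact.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout(build_sample()).items():
        print(f"ALERT {src} reached {n} distinct hosts on SMB inside the window")
```

Tune the threshold against known scanners, backup servers and management hosts, which produce the same pattern legitimately.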

SOAPHound

Run Bloodhound

Then upload the zip file generated by SharpHound or bloodhound-python

Bloodhound-quickwin

bloodhound-quickwin -u neo4j -p exegol4thewin

AD Miner

Autobloody
