Bloodhound

Steps:

From the target machine:

1)

  Sharphound.exe --CollectionMethods METHODS (Default all) --Domain DOMAIN --ExcludeDCs

OR in case the above command doesn't work, try to use SharpHound via LDAP credentials

 .\SharpHound.exe --outputdirectory c:\temp --ldapusername USERNAME --ldappassword PASS

2) Collect Bloodhound.zip file

From attacking machine:

1)

  sudo neo4j console start

2)

  bloodhound --no-sandbox

3) Use default credentials (neo4j:neo4j) Or you can go to http://localhost:7474 to change default credentials

4) Drag and drop zip file in Bloodhound GUI

5) EZ ENUMERATION!1!1!!!1!

BENEFITS

1) GUI

2) Shows attack paths

3) More profound insights into AD Objects

DRAWBACKS

1) Requires Sharphound which is VERY noisy

USAGE OF BLOODHOUND REMOTELY

1)

  bloodhound-python -d DOMAIN.LOCAL -u 'USER' -p 'PASSWORD -dc DC.DOMAIN.LOCAL -c all -ns IP --zip

TIP: If you receive DNS errors, you can set up a fake DNS server with the DNSChef tool https://github.com/iphelix/dnschef

2)

  python3 dnschef.py --fakeip TARGET_IP --nameserver TARGET_IP

3)

  bloodhound-python -d DOMAIN.LOCAL -u 'USER' -p 'PASSWORD' -dc DC.DOMAIN.LOCAL -c all -ns 127.0.0.1

BLOODHOUND CYPHER QUERIES CHEATSHEET

https://raw.githubusercontent.com/LuemmelSec/Custom-BloodHound-Queries/main/README.md

PreviousActive Directory Module RSAT tool NextPowerview cont.

Last updated 3 months ago

hashtagSteps:

hashtagFrom the target machine:

hashtag1)

hashtagOR in case the above command doesn't work, try to use SharpHound via LDAP credentials

hashtag2) Collect Bloodhound.zip file

hashtagFrom attacking machine:

hashtag1)

hashtag2)

hashtag3) Use default credentials (neo4j:neo4j) Or you can go to http://localhost:7474 to change default credentials

hashtag4) Drag and drop zip file in Bloodhound GUI

hashtag5) EZ ENUMERATION!1!1!!!1!

hashtagBENEFITS

hashtag1) GUI

hashtag2) Shows attack paths

hashtag3) More profound insights into AD Objects

hashtagDRAWBACKS

hashtag1) Requires Sharphound which is VERY noisy

hashtagUSAGE OF BLOODHOUND REMOTELY

hashtag1)

hashtagTIP: If you receive DNS errors, you can set up a fake DNS server with the DNSChef tool https://github.com/iphelix/dnschef

hashtag2)

hashtag3)

hashtagBLOODHOUND CYPHER QUERIES CHEATSHEET

hashtaghttps://raw.githubusercontent.com/LuemmelSec/Custom-BloodHound-Queries/main/README.md

Steps:

From the target machine:

1)

OR in case the above command doesn't work, try to use SharpHound via LDAP credentials

2) Collect Bloodhound.zip file

From attacking machine:

1)

2)

3) Use default credentials (neo4j:neo4j) Or you can go to http://localhost:7474 to change default credentials

4) Drag and drop zip file in Bloodhound GUI

5) EZ ENUMERATION!1!1!!!1!

BENEFITS

1) GUI

2) Shows attack paths

3) More profound insights into AD Objects

DRAWBACKS

1) Requires Sharphound which is VERY noisy

USAGE OF BLOODHOUND REMOTELY

1)

TIP: If you receive DNS errors, you can set up a fake DNS server with the DNSChef tool https://github.com/iphelix/dnschef

2)

3)

BLOODHOUND CYPHER QUERIES CHEATSHEET

https://raw.githubusercontent.com/LuemmelSec/Custom-BloodHound-Queries/main/README.md