BloodHound

Collector (on victim)

.\SharpHound.exe -c all
.\SharpHound.exe -c all -d comply.com

-c all, CollectionMethod All, compared to Default this also includes SPNTargets and LoggedOn

Now boot BloodHound

bloodhound

First boot will prompt you to change the Neo4j password and alter the config file, do as prompted. Run 'bloodhound' again, will now display URL its running under. You will need to change default CE creds as well (default is admin:admin).

You can import the resulting .zip file from SharpHound we ran earlier into your BloodHound instance.

GitHub - SpecterOps/SharpHound: C# Data Collector for BloodHoundGitHub

Parser (on Kali)

sudo apt update && sudo apt install -y bloodhound
sudo neo4j console

Interesting Queries

Execute in Neo4j browser, will print list of groups with most members and the description, used to find interesting groups. Alter the 1..6 if it takes to long (bring down to 1..5).

MATCH (u:User)-[:MemberOf*1..6]->(g:Group)
RETURN g.name AS groupName, g.description AS groupDescription, COUNT(DISTINCT u) AS numberOfMembers
ORDER BY numberOfMembers DESC

More cool queries:

BloodHound CE and neo4j queries — statistics, ADCS and moreMedium

DirkJans Python Bloodhound

git clone -b bloodhound-ce https://github.com/dirkjanm/BloodHound.py.git
python3 bloodhound.py -u aepike -d alchemy.htb -c All --zip -ns 172.16.0.2

Last updated 6 months ago