> For the complete documentation index, see [llms.txt](https://notes.incendium.rocks/pentesting-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.incendium.rocks/pentesting-notes/windows-pentesting/tools/bloodhound.md).

# Bloodhound

<figure><img src="/files/V2DjjtL33jfPPsbCq6ru" alt=""><figcaption></figcaption></figure>

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

<https://bloodhound.readthedocs.io/en/latest/index.html>

***

Download [AzureHound](https://github.com/BloodHoundAD/AzureHound/releases) and/or [SharpHound](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors) to collect your first data set.

```jsx
C:\> SharpHound.exe or SharpHound.ps1
```

Collecting your first data set with AzureHound:

```jsx
PS C:\> Import-Module Az
PS C:\> Import-Module AzureADPreview
PS C:\> Connect-AzureAD
PS C:\> Connect-AzAccount
PS C:\> . .\AzureHound.ps1
PS C:\> Invoke-AzureHound
```

Invoking SharpHound:

```jsx
SharpHound.ps1
```

Next Invoking bloodhound and actually getting data from the node

```bash
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
```

Now we can import the data in BloodHound and see some interesting results, for example the shortest path to domain admin

## Running bloodhound-python:

```python
bloodhound-python -d blackfield.local -u support -p 'password' -ns 10.10.10.192 -c All
```

## Custom queries

* Get more info from bloodhound by using custom queries

{% embed url="<https://github.com/hausec/Bloodhound-Custom-Queries>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://notes.incendium.rocks/pentesting-notes/windows-pentesting/tools/bloodhound.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.