Bloodhound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

https://bloodhound.readthedocs.io/en/latest/index.html

Download AzureHound and/or SharpHound to collect your first data set.

C:\> SharpHound.exe or SharpHound.ps1

Collecting your first data set with AzureHound:

PS C:\> Import-Module Az
PS C:\> Import-Module AzureADPreview
PS C:\> Connect-AzureAD
PS C:\> Connect-AzAccount
PS C:\> . .\AzureHound.ps1
PS C:\> Invoke-AzureHound

Invoking SharpHound:

SharpHound.ps1

Next Invoking bloodhound and actually getting data from the node

Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip

Now we can import the data in BloodHound and see some interesting results, for example the shortest path to domain admin

Running bloodhound-python:

bloodhound-python -d blackfield.local -u support -p 'password' -ns 10.10.10.192 -c All

Custom queries

  • Get more info from bloodhound by using custom queries

LogoGitHub - hausec/Bloodhound-Custom-Queries: Custom Query list for the Bloodhound GUI based off my cheatsheetGitHub
PreviousPowerviewNextImpacket

Last updated