# Bloodhound

<figure><img src="/files/V2DjjtL33jfPPsbCq6ru" alt=""><figcaption></figcaption></figure>

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

<https://bloodhound.readthedocs.io/en/latest/index.html>

***

Download [AzureHound](https://github.com/BloodHoundAD/AzureHound/releases) and/or [SharpHound](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors) to collect your first data set.

```jsx
C:\> SharpHound.exe or SharpHound.ps1
```

Collecting your first data set with AzureHound:

```jsx
PS C:\> Import-Module Az
PS C:\> Import-Module AzureADPreview
PS C:\> Connect-AzureAD
PS C:\> Connect-AzAccount
PS C:\> . .\AzureHound.ps1
PS C:\> Invoke-AzureHound
```

Invoking SharpHound:

```jsx
SharpHound.ps1
```

Next Invoking bloodhound and actually getting data from the node

```bash
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
```

Now we can import the data in BloodHound and see some interesting results, for example the shortest path to domain admin

## Running bloodhound-python:

```python
bloodhound-python -d blackfield.local -u support -p 'password' -ns 10.10.10.192 -c All
```

## Custom queries

* Get more info from bloodhound by using custom queries

{% embed url="<https://github.com/hausec/Bloodhound-Custom-Queries>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.incendium.rocks/pentesting-notes/windows-pentesting/tools/bloodhound.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.