BloodHound SharpHound for Active Directory
Last modified: 2023-10-22
BloodHound is a web application that reveals the hidden and unintended relationships within an Active Directory environment. SharpHound is a C# data collector for BloodHound.
Enumerate Active Directory
1. Collect Information with SharpHound
On the target machine, download SharpHound and run it.
# Enumerate the AD information that can be visualized in BloodHound
Sharphound.exe --CollectionMethods All --Domain dc.example.com --ExcludeDCs
SharpHound then generates a zip file, which can be loaded into BloodHound.
To transfer the zip file to the local machine, run the following command on the local machine.
scp <ad_username>@example.com:C:/Path/To/<sharphound_result>.zip .
2. Start BloodHound
On the local machine, start the neo4j console.
sudo neo4j console
After that, in another terminal, start BloodHound.
bloodhound --no-sandbox
This shows the authentication GUI. The default credentials are:
neo4j:neo4j
However, we may need to change the neo4j password via http://localhost:7474/.
3. Visualize a ZIP File
In BloodHound, drag and drop the zip file that we transferred in the previous section.
The JSON files inside it will be imported.
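To check what the zip file contains before importing it, the following added example (not from the original page or the BloodHound project) lists each JSON file with its object type and count. It assumes each file holds a top-level "data" list and a "meta" object with "type" and "count" fields; the function names are hypothetical and the sample archive is constructed.

```python
import io
import json
import zipfile


def summarize_collection(zip_source):
    """Return {member_name: (meta_type, declared_count, actual_count)} per JSON member."""
    summary = {}
    with zipfile.ZipFile(zip_source) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".json"):
                continue
            # utf-8-sig tolerates a leading byte-order mark if the file has one
            doc = json.loads(archive.read(name).decode("utf-8-sig"))
            meta = doc.get("meta", {})
            summary[name] = (meta.get("type"), meta.get("count"), len(doc.get("data", [])))
    return summary


def mismatched(summary):
    """Names of members whose declared count differs from the objects present."""
    return sorted(n for n, (_, declared, actual) in summary.items() if declared != actual)


def build_sample_zip():
    """Constructed sample archive (not real collector output) so the example runs offline."""
    members = {
        "20231022_users.json": {"data": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1001"},
                                         {"ObjectIdentifier": "S-1-5-21-0-0-0-1002"}],
                                "meta": {"type": "users", "count": 2, "version": 5}},
        # Constructed inconsistency: declares 3 objects but holds 1
        "20231022_computers.json": {"data": [{"ObjectIdentifier": "S-1-5-21-0-0-0-2001"}],
                                    "meta": {"type": "computers", "count": 3, "version": 5}},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, doc in members.items():
            archive.writestr(name, json.dumps(doc))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    result = summarize_collection(build_sample_zip())
    for name, (kind, declared, actual) in sorted(result.items()):
        print(f"{name}: type={kind} declared={declared} actual={actual}")
    print("count mismatch:", mismatched(result))
```

summarize_collection also accepts a path to a zip file on disk in place of the in-memory sample.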
4. Attack Paths
After importing, we can view several attack paths. Click the three-stripe icon at the top-left of the window.