Exploit Notes

BloodHound SharpHound for Active Directory

Last modified: 2023-02-07

Active Directory Windows

BloodHound is a web application to reveal the hidden and intended relationships within an Active Directory. SharpHound is a C# data collector for BloodHound.

Enumerate Active Directory

1. Collect Information with Sharphound

On the target machine, download SharpHound and run it.

# Enumerate the AD information that can be visualized in Bloodhound
Sharphound.exe --CollectionMethods All --Domain dc.example.com --ExcludeDCs 

SharpHound then generates a zip file, which can be loaded into BloodHound.
To transfer the zip file to the local machine, run the following command on the local machine.

scp <ad_username>@example.com:C:/Path/To/<sharphound_result>.zip .

2. Start Bloodhound

On the local machine, start the neo4j console.

sudo neo4j console

After that, in another terminal, start Bloodhound.

bloodhound --no-sandbox

This shows the authentication GUI. The default credential is:


However, we may need to change the neo4j password via http://localhost:7474/.

3. Visualize a ZIP File

In BloodHound, drag and drop the zip file that we transferred in the previous section.
The JSON files will be imported.

4. Attack Paths

After importing, we can view several attack paths. Click the three-stripe icon at the top-left of the window.
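
The collection step in section 1 leaves a process-creation record on the host, which defenders can match on. The following is an added example, not part of the original notes: it scores Windows Event ID 4688 records by the SharpHound flags used in the command on this page, so a renamed binary is still flagged. The sample events, weights and threshold are constructed assumptions.

```python
# Flags taken from the SharpHound command shown on this page.
# The weights and the alert threshold are assumptions for this example.
FLAG_WEIGHTS = {"--collectionmethods": 2, "--excludedcs": 1, "--domain": 1}
IMAGE_WEIGHT = 2
ALERT_THRESHOLD = 2

# Constructed sample records using Event ID 4688 field names.
SAMPLE_EVENTS = [
    {"Host": "WS01", "NewProcessName": r"C:\Users\Public\Sharphound.exe",
     "CommandLine": "Sharphound.exe --CollectionMethods All "
                    "--Domain dc.example.com --ExcludeDCs"},
    {"Host": "WS02", "NewProcessName": r"C:\Temp\updater.exe",  # renamed binary
     "CommandLine": "updater.exe --collectionmethods=All --domain dc.example.com"},
    {"Host": "WS03", "NewProcessName": r"C:\Tools\inventory.exe",  # benign lookalike
     "CommandLine": "inventory.exe --domain dc.example.com"},
]


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    tokens = event.get("CommandLine", "").split()
    # Normalise "--Flag=value" and "--Flag value" to a lowercase flag name.
    flags = {t.split("=", 1)[0].lower() for t in tokens if t.startswith("--")}
    score, reasons = 0, []
    if "sharphound" in image:
        score += IMAGE_WEIGHT
        reasons.append("image:" + image)
    for flag, weight in FLAG_WEIGHTS.items():
        if flag in flags:
            score += weight
            reasons.append("flag:" + flag)
    return score, reasons


def detect(events, threshold=ALERT_THRESHOLD):
    """Return (host, score, reasons) for every record at or above threshold."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append((event.get("Host", "?"), score, reasons))
    return alerts


if __name__ == "__main__":
    for host, score, reasons in detect(SAMPLE_EVENTS):
        print(f"{host}: score={score} ({', '.join(reasons)})")
```

Command-line auditing must be enabled for Event ID 4688 to include the `CommandLine` field.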
