Enumeration with Bloodhound (GUI)

Introduction

Bloodhound is a graphical interface that allows you to visually map out the network. This tool along with SharpHound which similar to PowerView takes the user, groups, trusts etc. of the network and collects them into .json files to be used inside of Bloodhound.

BloodHound Installation

apt-get install bloodhound
neo4j console - default credentials -> neo4j:neo4j

Getting loot w/ SharpHound

powershell -ep bypass same as with PowerView
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
Transfer the loot.zip folder to your Attacker Machine

note: you can use scp to transfer the file if you’re using ssh

Mapping the network w/ BloodHound

bloodhound Run this on your attacker machine not the victim machine
Sign In using the same credentials you set with Neo4j
Inside of Bloodhound search for this icon and import the loot.zip folder
- Note: On some versions of BloodHound the import button does not work to get around this simply drag and drop the loot.zip folder into Bloodhound to import the .json files
To view the graphed network open the menu and select queries this will give you a list of pre-compiled queries to choose from.

The queries can be as simple as find all domain admins -

Or as complicated as shortest path to high value targets -

There are plenty of queries to choose from and enumerate connections inside of the network

PreviousEnumeration with Powerview NextDumping Hashes with mimikatz

Last updated 1 year ago