☠️
Pentesting Articles and Notes
  • Welcome!
  • Windows
    • Active Directory
      • Kerberos Authentication
      • Enumeration
        • Basic Enumeration
        • Access Control Lists
        • Domain Trusts and Forests Enumeration
        • User Hunting
        • Domain Enumeration With BloodHound
      • Credential Dumping
        • DCSync Attack
      • Privilege Escalation
        • AS-REP Roasting
        • Kerberoasting
        • DNS Administrators
        • Setting Object SPN's
        • Unconstrained Delegation
        • Constrained Delegation
      • Persistence
        • Abusing ACLs
        • AdminSDHolder
        • Custom Security Service Providers (SSP's)
        • Directory Services Restore Mode (DSRM)
        • Modifying Remote Protocol Security Descriptors
        • Golden Tickets
        • Silver Tickets
        • Skeleton Keys
      • Powershell Remoting
      • Lateral Movement
        • Child to Parent Movement Across Trusts
        • Trust Abuse Between Forests
        • MSSQL Server Trust Abuse
        • Overpass the Hash
  • Coding
    • Pentesting With Python
      • Basic Threading
  • Network Attacks
    • Man-In-The-Middle Attacks
      • ARP Spoofing
      • DNS Spoofing Attacks
Powered by GitBook
On this page
  1. Windows
  2. Active Directory
  3. Enumeration

Domain Enumeration With BloodHound

PreviousUser HuntingNextCredential Dumping

Last updated 2 years ago

BloodHound is a fantastic application to visualize the relationships the objects in the domain have with each other. I will not go into any detail here. You can go to the to learn more.

I should note that this may be something you might want to avoid using if you are in a Red Team engagement as creating the data will produce a lot of noise.

I use the SharpHound.ps1 ingestor script which can be found .

You can replace 'Invoke-Bloodhound' with SharpHound.exe if you are using that instead.

Collecting Data

  • Note: You may have to use '-CollectionMethod LoggedOn' because it sometimes misses sessions.

  • If you wish to avoid Advanced Threat Analytics (ATA) detection, use '-ExcludeDC'

Invoke-BloodHound -CollectionMethod All [-ExcludeDC]

  • Using from linux

bloodhound-python -u <user> -p <pass> -d <domain> -ns <ip> -c All
BloodHound GitHub page
here
BloodHound.py