⚔️5.2 - Bloodhound

Bloodhound is a nice tool for the quick and easy enumeration of AD. We need two things, the bloodhound and the python ingestor

BloodHound General

Installation & Speed Use

BloondHound & Ingestor | Checklists | brain_fuckeldeim.gitbook.io

With this commands we can install the bloodhound and ingestor ez, gg wp

Bloodhound-python Ingestor

sudo bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -ns 192.168.56.11

-d : Domain by recolet information

-u : Username for connect

-p : Password for connect

-dc : Domain Controler (DC) - Name of host

-ns : DNS server - His IP

Maybe, you need to use the flag -ns and insert the ip of server. Then it save with a name, example: 20250530073027_bloodhound.zip. Now we need do with all domains ...

---

BloodHound CE

After logging in to the BloofdHound:

File Ingest Upload

1ºGo to http://localhost:8080/ui/login 2ºLog in with admin credentials 3ºDrag and upload the ZIP file generated by bloodhound-python

Search Custom Queries

## show all domains and computer
MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p
## show all the users
MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p
## overall map of domains/groups/users
MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q
## see the users ACL
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p