From d797981a6d42e213fbd474bbd43d024cc8a0485f Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Wed, 21 May 2025 21:57:34 +0200 Subject: [PATCH] added bloodhound information --- Enumeration/Windows/BloodHound.md | 33 ++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/Enumeration/Windows/BloodHound.md b/Enumeration/Windows/BloodHound.md index 3d92bb8..05c109d 100644 --- a/Enumeration/Windows/BloodHound.md +++ b/Enumeration/Windows/BloodHound.md @@ -1,3 +1,34 @@ # Bloodhound -* DNS +Bloodhound contain two parts of interest. One is Bloodhound itself including +the Neo4j database. The other are data collectors named `SharpHound.exe`, +`SharpHound.ps1`, `AzureHound.ps1` and `Bloodhound.py`. + +## Data Collection + +Sharphound is a portable executable which can be executed in the following way. +The runas command uses the user from the commandline parameter to respond to +network requests. So, runas is called as a cover up measurement. + +``` +runas /netonly /user:OnTheINTERNET\NobodyKnowsYoureADOG cmd.exe +SharpHound.exe --CollectionMethods All --Domain $TARGET_DOMAIN --ExcludeDCs +``` + +If there is no issue getting detected `--ExcludeDCs` can be ommited, so +information is gathered for DCs as well. + +Alternativly, Bloodhound can be directly from the attacker or any other +machine. It connects to the the target network to collect information. + +```sh +bloodhound-python -u $USER -p $PASSWORD -d $TARGET_DOMAIN -ns $DNS_NAMESERVER -c All --zip +``` + +## Data Exploration + +Once the data has been collected and has been uploaded to the BloodHound +database, insights can be gained through the `Explore` option. Further, there +is `Pathfinding` and `Cypher`. The former shows connection between users and +objects, the latter contains predefined queries, e.g. `All Domain Admins` , +`Map OU Structure` or `Map domain trusts` and multiple others.
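Review bot: In the "Data Collection" paragraph, the explanation of `runas` is inaccurate: "So, runas is called as a cover up measurement" does not describe what `/netonly` does. With `/netonly` the supplied credentials are used for remote access only, while the local session keeps running as the current user; suggest rewording the paragraph along those lines and dropping "cover up". Further points in the same hunk: the first fenced block has no language tag while the second uses `sh`; `$TARGET_DOMAIN` is shell-style syntax that `cmd.exe` will not expand, so it should be marked as a placeholder; "Alternativly, Bloodhound can be directly from the attacker" is missing its verb and names Bloodhound where the command below it is `bloodhound-python`; and there are typos to fix ("Bloodhound contain", "ommited", "the the", the stray space before the comma after `All Domain Admins`). The product name is spelled both "Bloodhound" and "BloodHound" in the added text; pick one and use it throughout.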