killchain-compendium/Enumeration/Windows/BloodHound.md


# BloodHound

BloodHound consists of two parts of interest. One is BloodHound itself, including the Neo4j database. The other is the set of data collectors: SharpHound.exe, SharpHound.ps1, AzureHound.ps1 and BloodHound.py.

## Data Collection

SharpHound is a portable executable that can be run as shown below. `runas /netonly` starts a process that answers network authentication requests with the user given on the command line, so runas serves as a cover for the collector.

```shell
runas /netonly /user:OnTheINTERNET\NobodyKnowsYoureADOG cmd.exe
SharpHound.exe --CollectionMethods All --Domain $TARGET_DOMAIN --ExcludeDCs
```

If getting detected is not a concern, `--ExcludeDCs` can be omitted so that information is gathered for the DCs as well.

Alternatively, the Python collector (bloodhound-python) can be run directly from the attacker's machine or any other machine. It connects to the target network to collect the information.

```shell
bloodhound-python -u $USER -p $PASSWORD -d $TARGET_DOMAIN -ns $DNS_NAMESERVER -c All --zip
```
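Seen from the monitoring side, both collectors above leave the same footprint: a burst of LDAP searches against a domain controller, followed by SMB session enumeration against many hosts, and, when `runas /netonly` is used, a local 4624 logon with LogonType 9 (NewCredentials) on the workstation just before collection starts. The following Python is an added example and not part of the compendium: it runs a simple heuristic over constructed events whose field names (`kind`, `host`, `target`, `logon_type`) and thresholds are assumptions, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 5, 10, 0, 0)


def _ts(seconds):
    """Constructed ISO timestamp `seconds` after BASE."""
    return (BASE + timedelta(seconds=seconds)).isoformat()


# Constructed sample telemetry (not real logs). The record layout is our own
# simplification of what a SIEM would normalise from Windows 4624 events and
# LDAP/SMB logging on domain controllers and member servers.
SAMPLE_EVENTS = [
    # Local trace of `runas /netonly`: 4624 with LogonType 9 on the workstation.
    {"ts": _ts(0), "kind": "logon", "host": "WS01", "logon_type": 9},
]
# Collector-style burst: one LDAP search per object class within seconds.
for i, filt in enumerate([
    "(objectClass=user)", "(objectClass=group)", "(objectClass=computer)",
    "(objectClass=organizationalUnit)", "(objectClass=trustedDomain)",
    "(objectClass=groupPolicyContainer)",
]):
    SAMPLE_EVENTS.append({"ts": _ts(30 + i), "kind": "ldap_search",
                          "host": "WS01", "target": "DC01", "filter": filt})
# Session enumeration: SMB connections to many member servers in a row.
for i, srv in enumerate(["SRV01", "SRV02", "SRV03", "SRV04", "SRV05", "SRV06"]):
    SAMPLE_EVENTS.append({"ts": _ts(60 + i), "kind": "smb_session",
                          "host": "WS01", "target": srv})
# Benign workstation: interactive logon and two unrelated LDAP lookups.
SAMPLE_EVENTS += [
    {"ts": _ts(0), "kind": "logon", "host": "WS02", "logon_type": 2},
    {"ts": _ts(100), "kind": "ldap_search", "host": "WS02", "target": "DC01",
     "filter": "(sAMAccountName=jdoe)"},
    {"ts": _ts(3600), "kind": "ldap_search", "host": "WS02", "target": "DC01",
     "filter": "(objectClass=user)"},
]


def max_in_window(times, window):
    """Largest number of timestamps that fall into any interval of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_collection(events, window=timedelta(minutes=10),
                      ldap_threshold=5, smb_threshold=5):
    """Return {host: [reasons]} for hosts whose activity looks like graph collection.

    Thresholds are illustrative; tune them against a baseline of normal
    LDAP and SMB activity in the environment being monitored.
    """
    ldap_times = defaultdict(list)
    smb_targets = defaultdict(set)
    netonly = set()
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "ldap_search":
            ldap_times[ev["host"]].append(t)
        elif ev["kind"] == "smb_session":
            smb_targets[ev["host"]].add(ev["target"])
        elif ev["kind"] == "logon" and ev.get("logon_type") == 9:
            netonly.add(ev["host"])

    findings = {}
    for host in set(ldap_times) | set(smb_targets) | netonly:
        reasons = []
        burst = max_in_window(ldap_times[host], window)
        if burst >= ldap_threshold:
            reasons.append(f"{burst} LDAP searches within {window}")
        if len(smb_targets[host]) >= smb_threshold:
            reasons.append(f"SMB sessions to {len(smb_targets[host])} distinct hosts")
        # A NewCredentials logon alone is common; only report it as support.
        if reasons and host in netonly:
            reasons.append("preceded by a LogonType 9 (runas /netonly) logon")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in detect_collection(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The LogonType 9 event is deliberately treated as supporting evidence only: it is generated by every `runas /netonly` and by some legitimate tooling, so on its own it produces noise, while the LDAP burst and the fan-out of SMB sessions are what distinguish a collector run from day-to-day directory use.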

## Data Exploration

Once the data has been collected and uploaded to the BloodHound database, insights can be gained through the Explore option. In addition there are Pathfinding and Cypher: the former shows connections between users and objects, the latter contains predefined queries, e.g. All Domain Admins, Map OU Structure, Map Domain Trusts and many others.
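What Pathfinding and a query such as All Domain Admins compute is ordinary graph traversal over the collected relationships. The Python below is an added example, not code from the compendium or from BloodHound: it builds a constructed toy graph with three BloodHound edge kinds (MemberOf, AdminTo, HasSession), finds the shortest path from a user to the Domain Admins group by breadth-first search, resolves transitive group membership, and lists every node that has some path to the group, which is the set a defender reviews to decide which edge to remove. All node names are made up.

```python
from collections import deque

# Constructed toy graph (not real SharpHound output). Node names follow
# BloodHound's NAME@DOMAIN convention for principals and FQDNs for computers.
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS07.CORP.LOCAL"),
    ("WS07.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ASMITH@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
    ("FINANCE@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Adjacency map: source node -> list of (relationship, target node)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS over the directed graph. Returns the edge list of the shortest path
    from start to goal, or None when no path exists. This is what the
    Pathfinding view does for a chosen start and end node."""
    if start == goal:
        return []
    prev = {start: None}  # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == goal:
                path, cur = [], nxt
                while prev[cur] is not None:
                    p, r = prev[cur]
                    path.append((p, r, cur))
                    cur = p
                return list(reversed(path))
            queue.append(nxt)
    return None


def effective_members(graph, group):
    """Principals that reach `group` through MemberOf edges only, i.e. the
    transitive membership behind an 'All Domain Admins' style query."""
    reverse = {}
    for src, out in graph.items():
        for rel, dst in out:
            if rel == "MemberOf":
                reverse.setdefault(dst, []).append(src)
    found, stack = set(), [group]
    while stack:
        g = stack.pop()
        for member in reverse.get(g, []):
            if member not in found:
                found.add(member)
                stack.append(member)
    return found


def principals_with_path(graph, goal):
    """Every node from which `goal` is reachable through any edge kind."""
    return sorted(n for n in graph
                  if n != goal and shortest_path(graph, n, goal) is not None)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, rel, dst in shortest_path(g, "JDOE@CORP.LOCAL", DOMAIN_ADMINS):
        print(f"{src} -[{rel}]-> {dst}")
    print("effective members:", sorted(effective_members(g, DOMAIN_ADMINS)))
    print("nodes with a path:", principals_with_path(g, DOMAIN_ADMINS))
```

In the toy graph the only link between the helpdesk tier and Domain Admins is the HasSession edge on WS07, i.e. a privileged service account logged on to a workstation that helpdesk staff administer. Removing that single edge (no privileged logons on tier-2 hosts) empties `principals_with_path` of everything except the group's actual members, which is the kind of conclusion the graph view is meant to make obvious.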