# Bloodhound

BloodHound consists of two parts of interest. One is BloodHound itself, including
the Neo4j database. The other is the set of data collectors, named `SharpHound.exe`,
`SharpHound.ps1`, `AzureHound.ps1` and `Bloodhound.py`.

## Data Collection

SharpHound is a portable executable which can be executed in the following way.
The `runas /netonly` command uses the user given on the command line only to
respond to network authentication requests, so runas is called here as a
cover-up measure.

```
runas /netonly /user:OnTheINTERNET\NobodyKnowsYoureADOG cmd.exe
SharpHound.exe --CollectionMethods All --Domain $TARGET_DOMAIN --ExcludeDCs
```

If getting detected is not a concern, `--ExcludeDCs` can be omitted, so that
information is gathered for the DCs as well.

Alternatively, the Python collector can be run directly from the attacker's
machine or any other machine; it connects to the target network to collect
the information.

```sh
bloodhound-python -u $USER -p $PASSWORD -d $TARGET_DOMAIN -ns $DNS_NAMESERVER -c All --zip
```

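From the defender's side, the collection runs above are visible as one account contacting a large number of hosts within a short time, since a full collection enumerates sessions and local groups on the domain's computers. The following script is an added example, not part of these notes: it assumes constructed network-logon records in the form `timestamp account host` (the record format and sample values are assumptions) and flags accounts that reach many distinct hosts inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), one network logon per line as
# "<ISO timestamp> <account> <destination host>". The svc-backup account fans
# out to six hosts within seconds, the host-side shape of a collection sweep.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 svc-backup FS01
2024-05-01T09:00:02 svc-backup FS02
2024-05-01T09:00:02 jdoe WS-1042
2024-05-01T09:00:03 svc-backup WS-0001
2024-05-01T09:00:03 svc-backup WS-0002
2024-05-01T09:00:04 svc-backup WS-0003
2024-05-01T09:00:05 svc-backup DC01
2024-05-01T09:10:00 jdoe FS01
2024-05-01T09:30:00 svc-backup FS01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_logons(text):
    """Parse the record format above into (timestamp, account, host) tuples."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # skip blank or malformed lines instead of failing
            records.append((datetime.fromisoformat(match.group(1)),
                            match.group(2), match.group(3)))
    return records


def find_fanout(records, window_minutes=5, threshold=5):
    """Return {account: max distinct hosts reached within any window} for
    accounts that touch at least `threshold` distinct hosts in that window."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, account, host in records:
        by_account[account].append((ts, host))
    hits = {}
    for account, events in by_account.items():
        events.sort()
        left = 0  # start of the sliding window within this account's events
        for right, (ts, _) in enumerate(events):
            while events[left][0] < ts - window:
                left += 1
            distinct = {host for _, host in events[left:right + 1]}
            if len(distinct) >= threshold:
                hits[account] = max(hits.get(account, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for account, count in find_fanout(parse_logons(SAMPLE_LOGS)).items():
        print(f"{account}: {count} distinct hosts within 5 minutes")
```

Tune `threshold` and `window_minutes` against the normal fan-out of service accounts (backup, monitoring) in the environment; those accounts are the usual source of false positives for this heuristic.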
## Data Exploration

Once the data has been collected and uploaded to the BloodHound database,
insights can be gained through the `Explore` option. Further, there are
`Pathfinding` and `Cypher`. The former shows connections between users and
objects; the latter contains predefined queries, e.g. `All Domain Admins`,
`Map OU Structure` or `Map domain trusts`, and multiple others.