Info Collection (From Linux)
# Password
bloodhound-python -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -dc <DC> -ns <DC_IP> -c all --zip
Sample Output:
$ python3 bloodhound.py -d rebound.htb -u oorend -p '1GR8t@$$4u' -dc dc01.rebound.htb -ns 10.10.11.231 -c all --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
...[SNIP]...
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 50S
INFO: Compressing output into 20240923035110_bloodhound.zip
# NTLM
bloodhound-python -d <DOMAIN> -u '<USER>' --hashes ':<HASH>' -dc <DC> -ns <DC_IP> -c all --zip
# Kerberos
sudo ntpdate -s <DC> && bloodhound-python -u '<USER>' -k -d <DOMAIN> -dc <DC> -ns <DC_IP> -c all --zip -no-pass --use-ldaps
Note: even with '-no-pass', the tool still prompts for a password; press Enter.
Ref: BloodHound.py
# Password
nxc ldap <DC> -u '<USER>' -p '<PASSWORD>' --bloodhound --collection All --dns-server <DC_IP>
# NTLM
nxc ldap <DC> -u '<USER>' -H '<HASH>' --bloodhound --collection All --dns-server <DC_IP>
# Kerberos
nxc ldap <DC> -u '<USER>' -k --use-kcache --bloodhound --collection All --dns-server <DC_IP>
# Socks5
proxychains4 -q nxc ldap <DC> -u '<USER>' -p '<PASSWORD>' --bloodhound --collection All --dns-tcp --dns-server <DC_IP>
certipy-ad find -u '<USER>' -p '<PASSWORD>' -target <TARGET>
Info Collection (From Windows)
# Without Cred
.\SharpHound.exe -c all --outputdirectory C:\ProgramData
# With Cred
.\SharpHound.exe -c all --outputdirectory C:\ProgramData --ldapusername '<USER>' --ldappassword '<PASSWORD>'
# Import module
. .\SharpHound.ps1
# Run
Invoke-BloodHound -CollectionMethods All -OutputDirectory C:\ProgramData
Ref: sharphound.ps1
Info Collection (From C2)
sharp-hound-4 -- '-c all --outputdirectory C:\ProgramData'
bloodhound
# Start neo4j server
sudo neo4j console
# Start bloodhound
bloodhound
bloodhound (with PKI support)
# Fix: GPU process isn't usable. Goodbye.
./BloodHound --no-sandbox