Info Collection (From Linux)
# Password (the clear-text password is exposed in shell history and process listings; prefer the Kerberos variant below where possible)
bloodhound-python -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -dc <DC> -ns <DC_IP> -c all --zip
Sample Output:
$ python3 bloodhound.py -d rebound.htb -u oorend -p '1GR8t@$$4u' -dc dc01.rebound.htb -ns 10.10.11.231 -c all --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
---[SNIP]---
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.rebound.htb
INFO: Done in 00M 50S
INFO: Compressing output into 20240923035110_bloodhound.zip
# NTLM
bloodhound-python -d <DOMAIN> -u '<USER>' --hashes ':<HASH>' -dc <DC> -ns <DC_IP> -c all --zip
Sample Output:
TO-DO
# Kerberos
sudo ntpdate -s <DC_IP> && bloodhound-python -u '<USER>' -k -d <DOMAIN> -dc <DC> -ns <DC_IP> -c all --zip -no-pass --use-ldaps
Sample Output:
TO-DO
Note: even with '-no-pass', bloodhound-python still prompts for a password; press Enter to continue.
Fix Name Resolution Issues
# Run a local DNS server that resolves every name to the DC
python3 dnschef.py --fakeip <DC_IP>
Sample Output:
TO-DO
# Password
bloodhound-python -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -dc <DC> -ns 127.0.0.1 -c all --zip
Sample Output:
TO-DO
Ref: bloodhound-python
Ref: dnschef
# Password
nxc ldap <DC> -u '<USER>' -p '<PASSWORD>' --bloodhound --collection All --dns-server <DC_IP>
Sample Output:
TO-DO
# NTLM
nxc ldap <DC> -u '<USER>' -H '<HASH>' --bloodhound --collection All --dns-server <DC_IP>
Sample Output:
TO-DO
# Kerberos
nxc ldap <DC> -u '<USER>' -k --use-kcache --bloodhound --collection All --dns-server <DC_IP>
Sample Output:
TO-DO
# SOCKS5 proxy
proxychains4 -q nxc ldap <DC> -u '<USER>' -p '<PASSWORD>' --bloodhound --collection All --dns-tcp --dns-server <DC_IP>
Sample Output:
TO-DO
1. Installation
sudo apt install libsasl2-modules-gssapi-mit
Sample Output:
TO-DO
2. Configure '/etc/krb5.conf'
# Realm names must be in UPPER case
[libdefaults]
default_realm = <DOMAIN>
[realms]
<DOMAIN> = {
kdc = <DC>:88
admin_server = <DC>
default_domain = <DOMAIN>
}
[domain_realm]
.domain.internal = <DOMAIN>
domain.internal = <DOMAIN>
Sample Output:
[libdefaults]
default_realm = LUSTROUS2.VL
[realms]
LUSTROUS2.VL = {
kdc = LUS2DC.LUSTROUS2.VL:88
admin_server = LUS2DC.LUSTROUS2.VL
default_domain = LUSTROUS2.VL
}
[domain_realm]
.domain.internal = LUSTROUS2.VL
domain.internal = LUSTROUS2.VL
3. Request a TGT
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
$ sudo ntpdate -s 10.10.84.194 && impacket-getTGT 'lustrous2.vl/Thomas.Myers:Lustrous2024' -dc-ip 10.10.84.194
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Thomas.Myers.ccache
4. Verify the ticket
# Select the saved ticket cache
export KRB5CCNAME='<USER>.ccache'
Sample Output:
$ export KRB5CCNAME='Thomas.Myers.ccache'
# Check ticket
klist
Sample Output:
$ klist
Ticket cache: FILE:Thomas.Myers.ccache
Default principal: Thomas.Myers@LUSTROUS2.VL
Valid starting Expires Service principal
2025-08-05T05:32:51 2025-08-05T15:32:51 krbtgt/LUSTROUS2.VL@LUSTROUS2.VL
renew until 2025-08-06T05:32:50
5. LDAP Search
# Password
ldapsearch -LLL -H ldap://<DC> -D '<DOMAIN>\<USER>' -w '<PASSWORD>' -b "DC=<EXAMPLE>,DC=<COM>" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee ldap.txt
Sample Output:
TO-DO
# Kerberos
ldapsearch -LLL -H ldap://<DC> -Y GSSAPI -b "DC=<EXAMPLE>,DC=<COM>" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee ldap.txt
Sample Output:
$ ldapsearch -LLL -H ldap://LUS2DC.lustrous2.vl -Y GSSAPI -b "DC=LUSTROUS2,DC=VL" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee ldap.txt
SASL/GSSAPI authentication started
SASL username: Thomas.Myers@LUSTROUS2.VL
SASL SSF: 256
SASL data security layer installed.
dn: DC=Lustrous2,DC=vl
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=Lustrous2,DC=vl
instanceType: 5
---[SNIP]---
6. Convert to BofHound Format
python3 ldapsearch_parser.py ldap.txt ldap2.txt
Sample Output:
TO-DO
7. Convert to BloodHound Format
bofhound --input ldap2.txt --output <DC>_bloodhound --zip
Sample Output:
TO-DO
Ref: ldapsearch_parser
Ref: bofhound
certipy-ad find -u '<USER>' -p '<PASSWORD>' -target <TARGET>
Sample Output:
TO-DO
Info Collection (From Windows)
# Without credentials
.\SharpHound.exe -c all --outputdirectory C:\ProgramData
Sample Output:
TO-DO
# With credentials
.\SharpHound.exe -c all --outputdirectory C:\ProgramData --ldapusername '<USER>' --ldappassword '<PASSWORD>'
Sample Output:
TO-DO
# Import module
. .\SharpHound.ps1
Sample Output:
TO-DO
# Run
Invoke-BloodHound -CollectionMethods All -OutputDirectory C:\ProgramData
Sample Output:
TO-DO
Ref: sharphound.ps1
Info Collection (From C2)
sharp-hound-4 -- '-c all --outputdirectory C:\ProgramData'
Sample Output:
TO-DO
Note: passing '-no-pass' still triggers a password prompt; press Enter to continue.
Bloodhound
# Start neo4j server
sudo neo4j console
Sample Output:
TO-DO
# Start BloodHound
bloodhound
Sample Output:
TO-DO
BloodHound (with PKI Support)
# Workaround for the Electron error "GPU process isn't usable. Goodbye." (--no-sandbox disables the Electron renderer sandbox, so use it only for the local GUI on a trusted analysis host)
./BloodHound --no-sandbox
Sample Output:
TO-DO