BloodHound And SharpHound

We will try to understand Installation and post exploitation using Bloodhound.

Bloodhound is an application used to visualize Active directory environments. Before the release of bloodhound the process was performed by penetration testers that were looking to exploit trust-based relationships within an active directory domain.

Since the release of bloodhound the process of identifying potential useful relationship for privilege esclation purposes has been largely automated.

The frontend of bloodhound is built on electron and the backend on Neo4j database. Neo4j is a graph database management system, which uses NoSql as a graph database.

Install bloodhound in kali machine

# apt-get install bloodhound

Now we will start Neo4j to see it works without any errors

# sudo neo4j console

If there is no errors we will navigate to http://localhost:7474 with a browser to update the database password that we will use to login to the bloodhound application.

Default credentials are neo4j:neo4j

default credentials are neo4j:neo4j

Update Username and password

update username and password

So neo4j is configured and ready to integrate with bloodhound.

Now collecting the data can be a pain in the ass for that there is a prebuilt injestor which is called Sharphound. It comes as a regular command line .exe or poweshell script name SharpHound.ps1 containing the same assembly as the .exe

SharpHound collects all the information about active sessions, AD permissions and a lot more by only using the permisiions of a regular user.It even collects information about active sessions, AD permissions and a lot more by only using the permissions of a regular user.

SharpHound outputs JSON files that are then fed into the Neo4j databse and later visualized by the GUI.

Lets collect the data we are gonna use Powershell script because .exe file in real world scenerio can be easily detected by Antivirus because many a Antivirus have signature in them and consider sharphound as a potential threat.

cmd> powershell -ev bypassPS> . .\sharpHound.PS1PS> Invoke-BloodHound -CollectionMethod All -Domain Controller.local -zipFileName

So we have collected loot but now we have to move the from remote machine to kali machine for this we are gonna use sftp (SSH file transfer protocol). You can learn more about SFTP here

# sftp Administrator@ we can use get command to download zip file to our own kali machine

So we have got our file in our kali machine lets start bloodhound to analyze the file.

# sudo bloodhound

Start neo4j as well to connect database and use username and password we have set earlier while configuring the neo4j.

bloodhound console

There is a upload button in the right corner of the bloodHound console.

upload button

Select the button and upload the file for analysis.

unzipping file

To view the graphical network open the menu and select queries this will give a list of precompiled Queries for Choose. These Queries are far sufficient for the time being but we can make our own custom queries.


Lets use

  • List all kerberoastable accounts.
  • Shortest paths to unconstrained Delegation system.

There are tons of other queries as well you can try yourself.

Don’t know source Sorry :)

Jai Hind

I am a student, Bug Bounty Hunter, CTF player and a geek for sure. Who is currently sharpening the axe.