BloodHound

1. Installation

sudo apt install -y neo4j bloodhound

2. Setup

sudo neo4j console &

Navigate to http://localhost:7474
Login is neo4j and change the default password

sudo bloodhound &

Log into the neo4j user account with the new password

3. Data Collection

Run the BloodHound collector agent on the compromised host
This will generate a .zip file
Transfer the .zip file back to Kali
Drag and drop the .zip file onto the BloodHound UI

Collector Agents

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

4. Data Queries

There are pre-built queries into BloodHound which readily provide some insightful data.

Official Documentation

https://bloodhound.readthedocs.io/en/latest/index.html

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

BloodHound

1. Installation

2. Setup

3. Data Collection

Collector Agents

4. Data Queries

Official Documentation