# BloodHound

{% hint style="info" %}

* [SpecterOps documentation](https://bloodhound.specterops.io/home)
* [Attacking Active Directory - Bloodhound](https://www.youtube.com/watch?v=aJqjH3MsbLM)

{% endhint %}

## Ingestors

{% hint style="info" %}
[`bloodhound-convert`](https://github.com/szymex73/bloodhound-convert) converts dumps from the legacy pre-4.1 (v3) format to the 4.1+ format.
{% endhint %}

### X-Platform

[RustHound-CE](https://github.com/g0h4n/RustHound-CE) is a cross-platform BloodHound CE collector written in Rust, compatible with Linux, Windows, and macOS.

{% code overflow="wrap" %}

```bash
# RustHound
rusthound-ce -d voleur.htb -u ryan.naylor -p HollowOct31Nyt -z
```

{% endcode %}

### Linux

[Bloodhound-python](https://github.com/dirkjanm/BloodHound.py) is a Python port of SharpHound:

{% code overflow="wrap" %}

```bash
bloodhound-python -u molly -p 'Pass123!' -dc dc.mollysec.local -c all -d mollysec.local -ns 10.10.10.5
```

{% endcode %}

Netexec's [`--bloodhound`](https://www.netexec.wiki/ldap-protocol/bloodhound-ingestor) ingestor uses `bloodhound-python` behind the scenes:

{% code overflow="wrap" %}

```bash
nxc ldap dc.mollysec.local -u molly -p 'Pass123!' --bloodhound -c All --dns-server 10.10.10.5
```

{% endcode %}

In restricted environments, [`ldapsearch`](https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html) can be used along with [`ldapsearch_parser`](https://gist.github.com/CSpanias/df68c7f764d2fd40a9115d929c76ee39) and [`bofhound`](https://github.com/coffeegist/bofhound):

{% code overflow="wrap" %}

```bash
# Dump domain data via LDAP
$ ldapsearch -LLL -H ldap://dc01.mollysec.local -Y GSSAPI -b "DC=MOLLYSEC,DC=LOCAL" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee ldap.txt

# Convert output to bofhound-ready format
$ python3 ldapsearch_parser.py ldap.txt ldap-2.txt

# Convert output to BH-ready format
$ uv tool install git+https://github.com/coffeegist/bofhound
$ bofhound --input ldap-2.txt --output ./ --zip
```

{% endcode %}

### Windows

[SharpHound](https://github.com/SpecterOps/SharpHound) collects data using Windows API calls and LDAP queries. It generates an additional `.bin` cache file to speed up future runs and also supports **looping** for continuous data collection.

{% hint style="warning" %}
**OPSEC**: The `--excludedcs` option avoids querying DCs.
{% endhint %}

```powershell
# Collect all available domain information
.\SharpHound.exe -c all
```

Its PowerShell version, [`SharpHound.ps1`](https://github.com/SpecterOps/BloodHound-Legacy/tree/master/Collectors), can be imported directly into memory.

{% code overflow="wrap" %}

```powershell
# Execution policy bypass
powershell -ep bypass

# Import module
Import-Module .\Sharphound.ps1

# Collect all available domain information
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"
```

{% endcode %}

[SOAPHound](https://github.com/FalconForceTeam/SOAPHound) talks to AD Web Services (ADWS) on port `9389` (open by default) instead of issuing LDAP queries, the same approach the AD PowerShell module uses. Because it sends only a handful of LDAP-style queries, it has almost no network-based detection footprint (e.g. MDI): it retrieves every object with a single `(objectGuid=*)` filter and then processes the results locally.

{% code overflow="wrap" %}

```powershell
# Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c c:\ad\tools\cache.txt

# Collect data
SOAPHound.exe -c c:\ad\tools\cache.txt --bhdump -o c:\ad\tools\bloodhound-output -nolaps
```

{% endcode %}

## BloodHound

[BloodHound](https://github.com/SpecterOps/BloodHound) is a graphical tool that visualizes Active Directory relationships and permissions to identify attack paths and privilege escalation opportunities in enterprise environments. Once the data has been collected by one of the tools above, it can be uploaded to BloodHound.

BloodHound uses Neo4j, a graph database that stores data as nodes and relationships, which is a natural fit for mapping complex AD environments. The default Neo4j credentials are `neo4j:neo4j`.
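Before uploading, it is worth checking which layout a dump uses (the pre-4.1 layout mentioned under Ingestors needs `bloodhound-convert` first) and that each file's `meta.count` matches the number of objects it actually contains, so truncated or hand-edited files are caught early. The following Python is an added example, not code from BloodHound or any collector on this page; it assumes 4.1+/CE files keep their objects under a `data` array with `meta.version` 4 or higher, that legacy files key the array by the object type with `meta.version` 3, and it runs on constructed sample files, one of which has a deliberately wrong count.

```python
import io
import json
import zipfile

# Constructed sample files (not real collector output). The computers file has
# a deliberately wrong meta.count to show the sanity check firing.
LEGACY_V3 = json.dumps({"users": [{"Name": "ALICE@EXAMPLE.LOCAL"},
                                  {"Name": "BOB@EXAMPLE.LOCAL"}],
                        "meta": {"type": "users", "count": 2, "version": 3}})
CE_V5 = json.dumps({"data": [{"Properties": {"name": "DC01.EXAMPLE.LOCAL"}}],
                    "meta": {"methods": 0, "type": "computers",
                             "count": 2, "version": 5}})


def inspect_dump(text):
    """Describe one collector JSON file: type, format version, object count,
    whether meta.count matches, and whether bloodhound-convert is needed."""
    doc = json.loads(text)
    meta = doc.get("meta")
    if not isinstance(meta, dict) or "type" not in meta:
        raise ValueError("not a BloodHound collector file: missing meta.type")
    version = int(meta.get("version", 0))
    # 4.1+/CE files keep objects under "data"; legacy (v3) files key the
    # array by the object type, e.g. "users" (assumed layout, see lead-in).
    objects = doc.get("data") if version >= 4 else doc.get(meta["type"])
    if objects is None:
        raise ValueError(f"no object array for type {meta['type']!r}")
    return {"type": meta["type"], "version": version, "objects": len(objects),
            "count_ok": meta.get("count") == len(objects),
            "needs_convert": version < 4}


def inspect_zip(zip_bytes):
    """Inspect every .json member of a collector zip, keyed by member name.
    utf-8-sig strips a UTF-8 BOM if one is present."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".json"):
                results[name] = inspect_dump(zf.read(name).decode("utf-8-sig"))
    return results


def build_sample_zip():
    """Pack the constructed samples into an in-memory zip for a demo run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101_users.json", LEGACY_V3)
        zf.writestr("20240101_computers.json", CE_V5)
    return buf.getvalue()
```

Running `inspect_zip(build_sample_zip())` flags the users file as needing conversion and the computers file as having a count mismatch.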

### Cypher Queries

{% hint style="success" %}
Custom Cypher queries: [BloodHound Queries For All](https://queries.specterops.io/).
{% endhint %}

{% code overflow="wrap" %}

```cypher
// List all outbound relationships from users and computers except MemberOf
MATCH p=(source)-[r]->(target)
WHERE (source:Computer OR source:User)
AND type(r) <> 'MemberOf'
RETURN p
```

{% endcode %}

### BloodHound Automation

[Bloodhound automation](https://github.com/Tanguy-Boisset/bloodhound-automation) spins up a fresh BloodHound CE instance and populates it with a data dump:

{% code overflow="wrap" %}

```bash
# Create & start a project
./bloodhound-automation.py start -bp 10001 -np 10501 -wp 8001 my_project

# Import data
./bloodhound-automation.py data -z test.zip my_project

# Delete & clear data
./bloodhound-automation.py delete my_project
./bloodhound-automation.py clear my_project
```

{% endcode %}

### AD-miner

[AD Miner](https://github.com/AD-Security/AD_Miner) is an Active Directory auditing tool (supporting both on-prem AD and Entra ID) that analyzes BloodHound data in a Neo4j database using Cypher queries. It generates a static, web-based report highlighting AD weaknesses with dynamic graphs, risk ratings, historical indicators, and detailed mitigation paths. It requires a Neo4j database populated with AD data from tools like SharpHound, RustHound-CE, BloodHound.py, or AzureHound.

For optimal performance, BloodHound Automation is recommended, as it installs the Graph Data Science plugin which enables faster analysis and smarter pathfinding compared to default BloodHound setups.

{% code overflow="wrap" %}

```bash
# Basic usage
AD-miner -cf My_Report -u neo4j -p mypassword
```

{% endcode %}

AD Miner writes a cache file after each Neo4j request, so a run can be paused or stopped and later resumed with `-c` without losing progress. Cache files are saved in the `cache_neo4j` folder, and the report name must match the cache file's prefix for the cached data to be reused.

{% code overflow="wrap" %}

```bash
AD-miner -c -cf My_Report -u neo4j -p mypassword
```

{% endcode %}
