BloodHound
Ingestors
SOAPHound talks to AD Web Services (ADWS) on port 9389 instead of issuing LDAP queries (the same channel the AD PowerShell module uses). The ADWS port is open by default and has almost no network-based detection coverage (e.g. MDI). SOAPHound retrieves information about all objects (objectGuid=*) and then processes them locally, which means far fewer LDAP queries and therefore less chance of endpoint detection.

# Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c c:\ad\tools\cache.txt

# Collect BH compatible data
SOAPHound.exe -c c:\ad\tools\cache.txt --bhdump -o c:\ad\tools\bloodhound-output -nolaps

RustHound-CE is a cross-platform BloodHound collector written in Rust, compatible with Linux, Windows, and macOS, that generates JSON files for analysis in BloodHound CE.

rusthound-ce -d domain -u x7331@domain -p Pass123! -z

SharpHound's Python-based version:
# Plaintext creds
bloodhound-python -u <user> -p <password> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

# PtH
bloodhound-python -u <user> --hashes :<NTLM> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

NetExec uses bloodhound-python under the hood for its --bloodhound ingestor:

nxc ldap <dc-ip/FQDN> -u <user> -p <password> --bloodhound -c All --dns-server <dc-ip>

BloodHound
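As a defender-side counterpart to the ADWS note above, here is an added example (not from the original notes or from the SOAPHound project) that scans constructed Zeek-style connection records for TCP/9389 clients that are not on a baseline of admin hosts. The record layout, the baseline list and the byte threshold separating a bulk directory pull from an admin's one-off cmdlet are all assumptions to be tuned per environment.

```python
"""Flag ADWS (TCP/9389) clients that are not on the admin-host baseline.

Added example, not from the original notes or from the SOAPHound project.
Assumptions: connection records in a simple Zeek-style tab-separated form
(ts, src_ip, dst_ip, dst_port, proto, orig_bytes) and a hand-maintained list of
hosts that are expected to use the AD PowerShell module / RSAT over ADWS.
"""
from collections import defaultdict

ADWS_PORT = 9389  # AD Web Services, used by the AD module and by SOAPHound

# Constructed baseline: jump hosts where admins legitimately run the AD module.
ADMIN_BASELINE = {"10.0.0.50"}

# Constructed sample records (not real traffic): ts, src, dst, dport, proto, bytes
SAMPLE_CONN_LOG = """\
1700000001.1\t10.0.0.50\t10.0.0.10\t9389\ttcp\t20480
1700000002.2\t10.0.1.23\t10.0.0.10\t9389\ttcp\t4194304
1700000003.3\t10.0.1.23\t10.0.0.10\t9389\ttcp\t3145728
1700000004.4\t10.0.1.77\t10.0.0.10\t389\ttcp\t1024
1700000005.5\t10.0.1.77\t10.0.0.10\t636\ttcp\t2048
1700000006.6\t10.0.2.5\t10.0.0.10\t9389\ttcp\t512
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into dicts; skip blank/comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return records


def adws_clients(records):
    """Per-source connection count, bytes sent and DCs contacted over TCP/9389."""
    stats = defaultdict(lambda: {"conns": 0, "bytes": 0, "dcs": set()})
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == ADWS_PORT:
            s = stats[r["src"]]
            s["conns"] += 1
            s["bytes"] += r["bytes"]
            s["dcs"].add(r["dst"])
    return stats


def flag_unexpected_adws(records, baseline=ADMIN_BASELINE, min_bytes=1_048_576):
    """Return ADWS-using sources that are not baselined admin hosts.

    A full-directory pull (objectGuid=*) moves far more data than a single
    lookup, so `min_bytes` separates bulk collection from an admin's one-off
    cmdlet. The 1 MiB default is an assumed tuning knob, not a vendor value.
    """
    findings = []
    for src, s in adws_clients(records).items():
        if src in baseline:
            continue
        severity = "high" if s["bytes"] >= min_bytes else "low"
        findings.append({"src": src, "conns": s["conns"], "bytes": s["bytes"],
                         "dcs": sorted(s["dcs"]), "severity": severity})
    # Largest transfers first: those are the likeliest bulk collections.
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for f in flag_unexpected_adws(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"[{f['severity']}] {f['src']} -> {f['dcs']} "
              f"{f['conns']} ADWS conns, {f['bytes']} bytes")
```

On the constructed sample the baselined jump host is ignored, the LDAP-only client is not ADWS traffic at all, and the workstation that pulled several MiB over ADWS is ranked above the host that made one tiny request.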
BloodHound is a graphical tool that visualizes Active Directory relationships and permissions to identify attack paths and privilege escalation opportunities in enterprise environments. Once the data is collected via SharpHound, we can upload the .zip file to BloodHound.
BloodHound uses neo4j, a graph database that stores data as nodes and relationships, which makes it well suited to mapping complex AD environments. The default Neo4j credentials are neo4j:neo4j.
Custom cypher queries: BloodHound Queries For All.
BloodHound Automation spins up and populates a new BloodHound CE instance:

# Create & start a project
./bloodhound-automation.py start -bp 10001 -np 10501 -wp 8001 my_project

# Import data
./bloodhound-automation.py data -z test.zip my_project

# Delete & clear data
./bloodhound-automation.py delete my_project
./bloodhound-automation.py clear my_project

# Start the Neo4j service
$ sudo neo4j start

# Launch BloodHound
$ bloodhound

# Alternatively, deploy BloodHound CE with Docker Compose
sudo curl -L https://ghst.ly/getbhce | docker compose -f - up

AD-miner
AD Miner is an Active Directory auditing tool (supporting both on-prem and Entra ID) that analyzes BloodHound data in a Neo4j database using Cypher queries. It generates a static, web-based report highlighting AD weaknesses with dynamic graphs, risk ratings, historical indicators, and detailed mitigation paths. It requires a Neo4j database populated with AD data from tools like SharpHound, RustHound-CE, BloodHound.py, or AzureHound.
For optimal performance, BloodHound Automation is recommended, as it installs the Graph Data Science plugin, enabling faster analysis and smarter pathfinding compared to default BloodHound setups.

Basic usage:

AD-miner -cf My_Report -u neo4j -p mypassword

AD Miner generates cache files after each Neo4j request, allowing the process to be paused or stopped without losing progress (-c). Cache files are saved in the cache_neo4j folder, and the report name must match the cache file's prefix to reuse cached data:

AD-miner -c -cf My_Report -u neo4j -p mypassword

Resources
A nice demo of how to use Bloodhound (video)