Hounds

SharpHound

SharpHound is the data collection component of BloodHound. It uses Windows API calls and LDAP queries to gather key domain information such as group memberships, session data, and AD permissions. The PowerShell version is used by importing Sharphound.ps1 directly into memory.

# Execution policy bypass
powershell -ep bypass
# Import the module
Import-Module .\Sharphound.ps1
# Collect domain information
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"
# Collect domain information using the executable version
.\SharpHound.exe -c all

This collects domain data as JSON files and compresses them into a .zip archive. SharpHound may also write a .bin cache file to speed up future runs; this file is not required for analysis and can be ignored or deleted.

SharpHound also supports looping for continuous data collection if needed.
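Before uploading an archive it is worth checking what it actually contains. The following script is an added example, not part of the original notes or of the BloodHound project: it builds a small SharpHound-style .zip in memory (constructed sample data) and summarizes each JSON member, comparing the record count declared in the file's header with the number of records present. The file layout assumed here (one JSON file per object type, each holding a `data` array and a `meta` header with `type` and `count`, objects carrying a `Properties` map) follows SharpHound's output structure but is an assumption for the sake of the example, not a schema reference.

```python
import io
import json
import zipfile

# Constructed sample: a minimal SharpHound-style archive built in memory.
# Assumed layout: one JSON file per object type, each shaped as
# {"data": [...], "meta": {"type": ..., "count": ..., "version": ...}}.
# Property names are assumptions modelled on SharpHound output, not a schema reference.
SAMPLE_FILES = {
    "20240101000000_users.json": {
        "data": [
            {"Properties": {"name": "ALICE@CORP.LOCAL", "enabled": True}},
            {"Properties": {"name": "BOB@CORP.LOCAL", "enabled": False}},
        ],
        "meta": {"type": "users", "count": 2, "version": 5},
    },
    "20240101000000_computers.json": {
        "data": [
            {"Properties": {"name": "DC01.CORP.LOCAL", "enabled": True}},
        ],
        "meta": {"type": "computers", "count": 1, "version": 5},
    },
}


def build_sample_zip() -> bytes:
    """Write the constructed sample files into an in-memory .zip and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in SAMPLE_FILES.items():
            zf.writestr(name, json.dumps(payload))
    return buf.getvalue()


def summarize_archive(zip_bytes: bytes) -> dict:
    """Return per-object-type statistics for every JSON member of the archive.

    For each type the result holds the count declared in the 'meta' header,
    the number of records actually present, how many are disabled, and whether
    declared and actual agree. A mismatch points at a truncated or edited
    file and is worth flagging before the archive is ingested into BloodHound.
    """
    summary = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".json"):
                continue  # skip anything that is not a JSON data file
            doc = json.loads(zf.read(member))
            meta = doc.get("meta", {})
            records = doc.get("data", [])
            obj_type = meta.get("type", "unknown")
            disabled = sum(
                1 for r in records if r.get("Properties", {}).get("enabled") is False
            )
            summary[obj_type] = {
                "declared": meta.get("count"),
                "actual": len(records),
                "disabled": disabled,
                "consistent": meta.get("count") == len(records),
            }
    return summary


if __name__ == "__main__":
    # Run against the constructed sample; point summarize_archive at a real
    # SharpHound .zip (read as bytes) to check a genuine collection run.
    for obj_type, stats in summarize_archive(build_sample_zip()).items():
        print(obj_type, stats)
```

The consistency check is the useful part: if `declared` and `actual` differ for any type, the collection was interrupted or the file was modified after the fact, and the graph built from it will be incomplete.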

Data collection can also be performed remotely from our attacking machine with bloodhound-python.

bloodhound-python -u <user> -p <password> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

BloodHound

Once the data is collected, we can upload the .zip file generated from SharpHound to BloodHound and begin exploring the domain graph.

# start the Neo4j service
$ sudo neo4j start
# Launch BloodHound
$ bloodhound

Neo4j is a graph database that stores data as nodes and relationships, which makes it well suited to mapping complex AD environments. The default Neo4j credentials are neo4j:neo4j; Neo4j asks you to set a new password on first login.

Misc

BloodHound Community Edition can be deployed with Docker Compose using the quickstart one-liner:

sudo curl -L https://ghst.ly/getbhce | docker compose -f - up
