OFFSITE.DARK

BloodHound

Overview

BloodHound models Active Directory as a graph: users, groups, computers, GPOs, OUs, and the edges that grant control (GenericAll, WriteDACL, MemberOf, AdminTo, HasSession, etc.). Attackers query paths from owned principals to high-value targets like Domain Admins or Enterprise Admins.

Data collection uses the SharpHound (Windows/.NET) or bloodhound.py (Linux/Python) ingestors. Collectors pull LDAP objects, SMB session data, local group membership, ACLs, and CA enrollment templates. The resulting JSON files, bundled into a zip, import into the legacy BloodHound UI or into BloodHound CE with its Neo4j backend.

Pre-built Cypher queries surface common misconfigurations: Kerberoastable users, AS-REP roastable accounts, unconstrained delegation, DCSync rights (GetChanges/GetChangesAll on the domain naming context), and paths to Tier-0 assets.

BloodHound does not exploit anything—it prioritizes attack paths. Blue teams use the same graph to identify and break dangerous edges before attackers traverse them.

Primary use cases

  • Post-compromise AD mapping after initial foothold on a workstation
  • Identifying ACL abuse paths (GenericWrite → UserForceChangePassword → DCSync chain)
  • Finding session hops via HasSession edges to Tier-0 systems
  • Audit of tiering violations and excessive group nesting
  • Tracking remediation by re-ingesting after ACL hardening

Key commands

SharpHound all collection (Windows)

SharpHound.exe -c All --zipfilename loot.zip

bloodhound.py LDAP-only (stealthier)

bloodhound-python -u user -p 'pass' -d corp.local -ns 10.0.0.1 -c DCOnly

BloodHound CE ingest

Upload ZIP via UI → Explore → Pre-built queries → Find all Domain Admins

Notable modules / features

  • Nodes: User, Group, Computer, GPO, OU, Domain, Container, CertTemplate
  • Edges encode AD rights and session relationships with abuse semantics
  • Custom Cypher queries in Neo4j for bespoke path analysis
  • AzureHound extends graph model to Entra ID / Azure RBAC (separate collector)

Detection / defense notes

  • Remove unnecessary ACL grants; audit GenericAll/WriteDACL on domain root
  • Tier admin accounts; deny interactive logon to lower tiers
  • Monitor LDAP enumeration volume from non-admin workstations
  • Protect BloodHound ingest credentials—collectors need broad read access
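Following the first note above, a small audit script, added here as an example (not BloodHound's own code or part of this page): it reads a constructed domains file in the shape of SharpHound's JSON output (the field names `Aces`, `PrincipalSID`, `RightName`, `IsInherited` are an assumption to check against your collector version) and lists non-Tier-0 principals holding control rights on the domain object, flagging a complete GetChanges + GetChangesAll pair for remediation.

```python
import json
from collections import defaultdict

# Constructed sample modelled on a SharpHound "domains" JSON file.
# Field names are an assumption; verify against your collector's output.
SAMPLE_DOMAINS_JSON = json.dumps({
    "meta": {"type": "domains", "count": 1},
    "data": [{
        "ObjectIdentifier": "S-1-5-21-1111-2222-3333",
        "Properties": {"name": "CORP.LOCAL"},
        "Aces": [
            # Domain Admins (RID 512): expected, not a finding.
            {"PrincipalSID": "S-1-5-21-1111-2222-3333-512", "PrincipalType": "Group",
             "RightName": "GenericAll", "IsInherited": False},
            # A custom group with WriteDacl on the domain root.
            {"PrincipalSID": "S-1-5-21-1111-2222-3333-1105", "PrincipalType": "Group",
             "RightName": "WriteDacl", "IsInherited": False},
            # A plain user holding both replication rights (DCSync-capable).
            {"PrincipalSID": "S-1-5-21-1111-2222-3333-1106", "PrincipalType": "User",
             "RightName": "GetChangesAll", "IsInherited": False},
            {"PrincipalSID": "S-1-5-21-1111-2222-3333-1106", "PrincipalType": "User",
             "RightName": "GetChanges", "IsInherited": False},
        ],
    }],
})

# Rights that grant control of the domain object (compared case-insensitively,
# since the page writes WriteDACL while the collector emits WriteDacl).
DANGEROUS_RIGHTS = {"genericall", "writedacl", "writeowner", "owns", "getchanges", "getchangesall"}
# Built-in Tier-0 holders that legitimately carry these rights: Domain Admins,
# Enterprise Admins, Domain Controllers (domain RIDs) and well-known SIDs.
TIER0_RIDS = {"512", "519", "516"}
TIER0_SIDS = {"S-1-5-32-544", "S-1-5-18", "S-1-5-9"}

def is_tier0(sid: str) -> bool:
    return sid in TIER0_SIDS or sid.rsplit("-", 1)[-1] in TIER0_RIDS

def audit_domain_aces(raw_json: str) -> dict[str, set[str]]:
    """Map each non-Tier-0 principal SID to the dangerous rights it holds on domain objects."""
    findings: dict[str, set[str]] = defaultdict(set)
    for domain in json.loads(raw_json)["data"]:
        for ace in domain.get("Aces", []):
            right = ace.get("RightName", "")
            if right.lower() in DANGEROUS_RIGHTS and not is_tier0(ace["PrincipalSID"]):
                findings[ace["PrincipalSID"]].add(right)
    return dict(findings)

def dcsync_capable(findings: dict[str, set[str]]) -> list[str]:
    """Principals holding both replication rights, i.e. a complete DCSync grant to remove."""
    return sorted(sid for sid, rights in findings.items()
                  if {"getchanges", "getchangesall"} <= {r.lower() for r in rights})

if __name__ == "__main__":
    found = audit_domain_aces(SAMPLE_DOMAINS_JSON)
    for sid, rights in sorted(found.items()):
        print(f"{sid}: {', '.join(sorted(rights))}")
    print("DCSync-capable non-Tier-0 principals:", dcsync_capable(found))
```

Re-run it on a fresh collection after hardening to confirm the findings list is empty, which is the remediation-tracking loop described under primary use cases.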

Related tools

  • Impacket: Python protocol implementations. secretsdump, psexec, getTGT, and SMB/Kerberos tooling for Windows networks.
  • crackmapexec: Swiss army knife for AD pentesting. SMB, WinRM, LDAP, MSSQL lateral movement.
  • responder: LLMNR/NBT-NS/mDNS poisoner. Captures NetNTLM hashes on local networks.
  • bloodhound.py: Python BloodHound ingestor. Collects AD data for SharpHound-compatible graphs.