Overview
BloodHound is a single-page JavaScript web application, built on top of Linkurious and packaged with Electron, backed by a Neo4j database that is fed by a C# data collector. It uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify; defenders can use the same paths to find and remove the permissions that make them possible.
Key Features
- Visual mapping of Active Directory attack paths.
- Discovers hidden permissions and group delegations.
- Pre-built queries to quickly find shortest paths to Domain Admin.
- Azure AD / Entra ID support via AzureHound collector.
Typical Workflow
- Collection: Use SharpHound.exe (or the Python BloodHound ingestor) on a domain-joined machine to harvest AD data.
- Ingestion: Import the .zip files generated by the ingestor into the BloodHound GUI.
- Analysis: Use the pre-built queries to uncover paths, such as "Shortest Path from Owned Principals to Domain Admin".
Usage Examples
Data Collection (SharpHound)
Run SharpHound from a compromised domain-joined machine or via an established beacon:
# Standard collection (all data types including group memberships, local admins, sessions, etc)
SharpHound.exe -c All
# Collect data stealthily (avoiding noisy API queries like session hunting)
SharpHound.exe -c DCOnly
# Specify an alternate domain and domain controller
SharpHound.exe -d target.local --domaincontroller 10.10.10.5 -c Default
Data Collection from Linux (Python Ingestor)
If you are on a Linux attacking machine and have credentials but no code execution on a target workstation, use the Python version:
# Basic collection using standard credentials
bloodhound-python -d target.local -u 'Administrator' -p 'Password123' -gc Administrator -c all -ns 10.10.10.5
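The collection step above is loud from a defender's point of view: `-c All` (SharpHound) and `-c all` (bloodhound-python) both enumerate sessions and local admin groups by opening network logons against many hosts from one source in a short time. The following is an added example, not code from the page or from the BloodHound project, of a small detector for that fan-out over Windows Security event 4624 records. The log format, the source IPs, the hostnames and the account names are all constructed for illustration; the window and threshold are assumptions to tune per environment.

```python
"""Added example (not BloodHound's own code): flag one source address that
opens network logons (Event ID 4624, logon type 3) to many distinct hosts
inside a short window, the footprint of session/local-admin collection.
All log lines below are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a flat CSV shape:
# timestamp,host,event_id,logon_type,src_ip,account
SAMPLE_LOGS = r"""
2024-05-01T09:00:01,WS-001,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:03,WS-002,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:04,WS-003,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:06,WS-004,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:09,WS-005,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:11,WS-006,4624,3,10.10.10.50,CORP\alice
2024-05-01T09:00:12,WS-007,4624,2,10.10.10.50,CORP\alice
2024-05-01T09:10:00,FS01,4624,3,10.10.10.60,CORP\bob
2024-05-01T09:30:00,FS02,4624,3,10.10.10.60,CORP\bob
2024-05-01T09:45:00,FS01,4624,3,10.10.10.60,CORP\bob
"""


def parse_events(text):
    """Keep only network logons (4624 / type 3); interactive logons are noise here."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event_id, logon_type, src_ip, account = line.split(",")
        if event_id != "4624" or logon_type != "3":
            continue
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "src": src_ip, "account": account})
    return events


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Sliding window per source IP; alert once a source has reached
    `threshold` distinct target hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        hosts = Counter()          # distinct hosts currently inside the window
        left = 0
        for e in evs:
            hosts[e["host"]] += 1
            # Slide the left edge forward until the window fits.
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left]["host"]
                hosts[old] -= 1
                if hosts[old] == 0:
                    del hosts[old]
                left += 1
            if len(hosts) >= threshold:
                alerts.append({"src": src, "account": e["account"],
                               "first": evs[left]["ts"], "last": e["ts"],
                               "hosts": sorted(hosts)})
                break               # one alert per source is enough here
    return alerts


def run_sample():
    return fan_out_alerts(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['src']} ({a['account']}) reached {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

In the constructed sample only 10.10.10.50 trips the rule (five hosts in eight seconds); the interactive logon on WS-007 is ignored, and the slow, repetitive file-server logons from 10.10.10.60 never reach the threshold. In production the same shape works over Sysmon event 3 or firewall flows on TCP/445 and TCP/135, and the threshold should be set above the fan-out of legitimate scanners and backup agents.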
Data Collection (AzureHound)
For Azure AD/Entra ID enumeration:
# Enumerate the tenant as a named user and write every collected object to a JSON file for import
azurehound -u "john.doe@target.onmicrosoft.com" list --tenant "target.onmicrosoft.com" -o azurehound_output.json
Advanced Analysis
Mark Nodes as Owned
In BloodHound, you can right-click a user or computer node and select Mark User as Owned. Then, run the query "Shortest Path from Owned Principals" to see exactly what privileges you currently possess based on your foothold.
Edge Analysis
Hover over an edge (a line between nodes), right-click it and select Help. BloodHound provides built-in abuse documentation describing how the specific permission (e.g., ForceChangePassword, GenericAll) can be exploited, directly within the interface, together with notes on the opsec footprint and references.
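To make the "Shortest Path from Owned Principals" idea concrete without a Neo4j instance, here is an added example (not code from the page or from BloodHound itself) that runs a breadth-first search over a hand-built graph using BloodHound's node and edge vocabulary (MemberOf, AdminTo, ForceChangePassword, GenericAll). The domain, principals and edges are constructed; the `ACL_EDGES` set is an assumption about which edge kinds a defender can remove by editing an ACL rather than by changing group membership.

```python
"""Added example (not BloodHound's own code): multi-source shortest path from
a set of owned principals to a target node, over a constructed AD-style graph,
plus a helper that picks out the ACL-based hops a defender would remediate."""
from collections import deque

# Constructed sample graph. Node kinds mirror BloodHound's.
NODES = {
    "ALICE@CORP.LOCAL": "User",
    "BOB@CORP.LOCAL": "User",
    "HELPDESK@CORP.LOCAL": "Group",
    "SRV-ADMINS@CORP.LOCAL": "Group",
    "DOMAIN ADMINS@CORP.LOCAL": "Group",
    "FS01.CORP.LOCAL": "Computer",
}

# Directed edges as (source, kind, target); kinds are BloodHound edge names.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "SRV-ADMINS@CORP.LOCAL"),
    ("SRV-ADMINS@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("SRV-ADMINS@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
]

# Assumption: edges granted by an ACE, fixable by removing that ACE.
ACL_EDGES = {"ForceChangePassword", "GenericAll", "GenericWrite",
             "WriteDacl", "WriteOwner", "AddMember"}


def build_adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, owned, target):
    """BFS seeded with every owned principal at once. Returns the hop list
    [(node, edge_kind, next_node), ...] of a shortest path, or None."""
    adj = build_adjacency(edges)
    parent = {n: None for n in owned}     # owned nodes are BFS roots
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            return _unwind(parent, node)
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:         # first visit is the shortest
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def _unwind(parent, node):
    hops = []
    while parent[node] is not None:
        prev, kind = parent[node]
        hops.append((prev, kind, node))
        node = prev
    hops.reverse()
    return hops


def remediation_edges(path):
    """The hops on a path that a defender can cut by editing an ACL."""
    return [hop for hop in path if hop[1] in ACL_EDGES]


def path_to_domain_admins(owned):
    return shortest_path(EDGES, owned, "DOMAIN ADMINS@CORP.LOCAL")


if __name__ == "__main__":
    path = path_to_domain_admins({"ALICE@CORP.LOCAL"})
    for src, kind, dst in path:
        print(f"{src} -[{kind}]-> {dst}")
    print("ACL hops to remediate:", [k for _, k, _ in remediation_edges(path)])
```

Marking ALICE as owned yields a four-hop path that reaches Domain Admins through the HELPDESK group's ForceChangePassword right over BOB and SRV-ADMINS' GenericAll over the target group; removing either of those two ACEs breaks the path, while the MemberOf hops are ordinary group design. BloodHound's Cypher query does the same search over Neo4j with the full edge set and the graph it ingested.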