What is this tool?

BloodHound was developed by SpecterOps as a way to visualize relationships between objects in AD. Because of the scale and complexity of most AD networks, manually auditing these relationships is a nightmare. Instead, the original BloodHound relied on Neo4j and graph theory to visualize this information and the escalation paths between objects.

There are currently three versions of BloodHound you need to know about:

The Collector

We need to gather the data from the AD environment in order to feed it into BloodHound for analysis. There are two major collectors you need to know about:

It’s important to realize that at the time of this writing, bloodhound.py does not natively support BloodHound-CE.

⚠️ You must use the bloodhound-ce branch of the bloodhound.py Python collector if you choose to use this. We cannot mix legacy collectors with Community Edition collectors; this will cause the ingest to fail (and it’s frustrating!).

pipx install bloodhound-ce

Usage

Enumerate information about the AD domain:

bloodhound-ce-python -d <DOMAIN.LOCAL> -c All -u 'user@<DOMAIN.LOCAL>' -p 'password' -ns <nameserver IP of domain> --zip

Enumerate information across a Forest/Domain Trust between Domain A and Domain B:

bloodhound-ce-python -d <DOMAIN_B.LOCAL> -c All -u 'user@DOMAIN_A.LOCAL' -p 'password' -ns <nameserver IP of domain B> --zip
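Because mixing legacy and Community Edition collector output makes the ingest fail, it helps to check a --zip archive before uploading it. The script below is an added example, not part of bloodhound.py or BloodHound: it reads the `meta` block (`type`, `count`, `version`) of each JSON file in the archive and reports mixed or unexpected `meta.version` values. The function names, the sample files and the version numbers 5 and 6 are constructed for illustration; pass the version your BloodHound release expects.

```python
import io
import json
import zipfile
from collections import Counter

def audit_collection(zip_bytes, expected_version=None):
    """Return a list of problems found in a collector zip (empty list = consistent)."""
    problems, versions = [], Counter()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            try:
                # utf-8-sig tolerates a byte-order mark at the start of the file
                doc = json.loads(zf.read(name).decode("utf-8-sig"))
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                problems.append(f"{name}: not valid JSON ({exc})")
                continue
            meta = doc.get("meta") if isinstance(doc, dict) else None
            if not isinstance(meta, dict) or "version" not in meta:
                problems.append(f"{name}: missing meta.version")
                continue
            versions[meta["version"]] += 1
            data = doc.get("data")
            if isinstance(data, list) and meta.get("count") != len(data):
                problems.append(f"{name}: meta.count={meta.get('count')} but {len(data)} objects")
    found = sorted(versions, key=str)
    if len(versions) > 1:
        problems.append(f"mixed meta.version values: {found}")
    if expected_version is not None and versions and set(versions) != {expected_version}:
        problems.append(f"expected meta.version {expected_version}, found {found}")
    return problems

def build_sample_zip(files):
    """Constructed sample input: build an in-memory zip from {filename: document}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, doc in files.items():
            zf.writestr(name, json.dumps(doc))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed archive that mixes output from two collector generations.
    sample = build_sample_zip({
        "users.json": {"data": [{}], "meta": {"type": "users", "count": 1, "version": 5}},
        "computers.json": {"data": [{}], "meta": {"type": "computers", "count": 1, "version": 6}},
    })
    print("\n".join(audit_collection(sample, expected_version=6)) or "consistent")
```

To check a real archive, pass `open(path, "rb").read()` as `zip_bytes`.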

Installation

Download BloodHound CE using Docker: