# BloodHound

[BloodHound](https://github.com/BloodHoundAD/BloodHound) is an application developed to find relationships within an Active Directory (AD) and to discover attack paths. It does this by using graph theory to find the shortest path an attacker needs to take to elevate their privileges within the domain.

[BloodHound](https://github.com/BloodHoundAD/BloodHound) is developed by [@\_wald0](https://www.twitter.com/_wald0), [@CptJesus](https://twitter.com/CptJesus), and [@harmj0y](https://twitter.com/harmj0y).

BloodHound is based on neo4j, which must therefore be installed and launched before using BloodHound.

{% hint style="warning" %}
BloodHound has become [BloodHound CE](https://github.com/SpecterOps/BloodHound) and the GitHub repo has changed.
{% endhint %}

{% tabs %}
{% tab title="Windows" %}
**Install neo4j:**

1. Download the neo4j Community Server Edition zip from [https://neo4j.com/download-center/#community](https://neo4j.com/download-center/#community).
2. Unzip the neo4j zip file.
3. Open a command prompt as an administrator.
4. Change directory to reach the unzipped neo4j folder.
5. Change the directory to the bin directory in the Neo4j folder.

```powershell
neo4j.bat install-service
```

**Launch neo4j:**

```powershell
net start neo4j
```

{% endtab %}

{% tab title="Unix" %}
**Install neo4j:**

```bash
sudo apt install neo4j
```

**Launch neo4j:**

```bash
sudo systemctl start neo4j 
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
There are several ingestors for BloodHound:

* [SharpHound.exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe) (Official)
* [SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) (Official)
* [Python-Bloodhound](https://github.com/fox-it/BloodHound.py)

Not all of them support the same methods, so choose your ingestor wisely.

It is important to note that SharpHound can be run from a computer that is not enrolled in the AD domain, by running it in a domain user context using Runas, Pass-The-Hash (PTH) or Pass-The-Ticket (PTT).
{% endhint %}

{% tabs %}
{% tab title="Windows CMD" %}

```powershell
# From a non-enrolled machine
SharpHound.exe -c all -d <DOMAIN> --ldapusername <USERNAME> --ldappassword "<PASSWORD>"

# or 
runas /netonly /user:DOMAIN\USERNAME cmd.exe
SharpHound.exe -d <DOMAIN>
```

{% endtab %}

{% tab title="Windows Powershell" %}

```powershell
# Import SharpHound.ps1 module
. .\SharpHound.ps1

# Use the Invoke-BloodHound function (PowerShell parameters take a single dash)
Invoke-BloodHound -c All -d <DOMAIN> -LdapUsername <USERNAME> -LdapPassword "<PASSWORD>"
```

BloodHound is very noisy on a network, so you can use this option to avoid detection by, for example, ATA (Advanced Threat Analytics):

```powershell
Invoke-BloodHound -c All -d <DOMAIN> -LdapUsername <USERNAME> -LdapPassword "<PASSWORD>" -ExcludeDCs
```

{% endtab %}

{% tab title="UNIX" %}
From experience, python-bloodhound is much faster than SharpHound.exe and SharpHound.ps1, which makes it useful in a large Active Directory with many users and machines.

```bash
python3 bloodhound.py -c all -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --zip
```

{% endtab %}
{% endtabs %}

## References:

{% embed url="<https://github.com/BloodHoundAD/BloodHound>" %}

{% embed url="<https://github.com/fox-it/BloodHound.py>" %}

{% embed url="<https://www.thehacker.recipes/ad/recon/bloodhound>" %}


