maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/windows-hardening/active-directory-methodology/bloodhound.md
HackTricks News Bot 4b90965712 Add content from: FiberGateway GR241AG - Full Exploit Chain
2025-08-20 12:46:23 +00:00

2.6 KiB
Raw Blame History

BloodHound & Other Active Directory Enumeration Tools

{{#include ../../banners/hacktricks-training.md}}

{{#ref}} adws-enumeration.md {{#endref}}

NOTE: This page groups some of the most useful utilities to enumerate and visualise Active Directory relationships. For collection over the stealthy Active Directory Web Services (ADWS) channel check the reference above.

AD Explorer

AD Explorer (Sysinternals) is an advanced AD viewer & editor which allows:

  • GUI browsing of the directory tree
  • Editing of object attributes & security descriptors
  • Snapshot creation / comparison for offline analysis

Quick usage

  1. Start the tool and connect to dc01.corp.local with any domain credentials.
  2. Create an offline snapshot via File ➜ Create Snapshot.
  3. Compare two snapshots with File ➜ Compare to spot permission drifts.

ADRecon

ADRecon extracts a large set of artefacts from a domain (ACLs, GPOs, trusts, CA templates …) and produces an Excel report.

# On a Windows host in the domain
PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon

BloodHound (graph visualisation)

BloodHound uses graph theory + Neo4j to reveal hidden privilege relationships inside on-prem AD & Azure AD.

Deployment (Docker CE)

curl -L https://ghst.ly/getbhce | docker compose -f - up
# Web UI ➜ http://localhost:8080  (user: admin / password from logs)

Collectors

  • SharpHound.exe / Invoke-BloodHound native or PowerShell variant
  • AzureHound Azure AD enumeration
  • SoaPy + BOFHound ADWS collection (see link at top)

Common SharpHound modes

SharpHound.exe --CollectionMethods All           # Full sweep (noisy)
SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
SharpHound.exe --Stealth --LDAP                      # Low noise LDAP only

The collectors generate JSON which is ingested via the BloodHound GUI.

Group3r

Group3r enumerates Group Policy Objects and highlights misconfigurations.

# Execute inside the domain
Group3r.exe -f gpo.log   # -s to stdout

PingCastle

PingCastle performs a health-check of Active Directory and generates an HTML report with risk scoring.

PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"

{{#include ../../banners/hacktricks-training.md}}