{"id":1305,"date":"2025-01-25T06:57:31","date_gmt":"2025-01-25T06:57:31","guid":{"rendered":"https:\/\/hackmybox.com\/?p=1305"},"modified":"2025-09-08T16:27:02","modified_gmt":"2025-09-08T16:27:02","slug":"bloodhound","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2025\/01\/25\/bloodhound\/","title":{"rendered":"BloodHound:  Tool for Analyzing and Securing Active Directory"},"content":{"rendered":"<div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-f0438e0d\" data-vce-do-apply=\"all el-f0438e0d\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-57734219\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-57734219\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-57734219\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-84f86760\" data-vce-do-apply=\"all el-84f86760\"><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 14pt;\">(Insights from HTB Academy)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-501caa3b\" data-vce-do-apply=\"all el-501caa3b\"><p>From the previous module we learned credential enumeration techniques on Active Directory typically involve using a variety of methods to identify valid usernames and passwords on a network. 
These methods can include:<\/p><p style=\"padding-left: 40px;\"><span style=\"color: #00ff00;\">\u2022 Password spraying:<\/span> This technique involves trying a list of common passwords against a large number of usernames.<\/p><p style=\"padding-left: 40px;\"><span style=\"color: #00ff00;\">\u2022 Hash cracking:<\/span> This technique involves stealing hashed passwords from a network and then using a computer program to try to crack the hashes into plain text passwords.<\/p><p style=\"padding-left: 40px;\"><span style=\"color: #00ff00;\">\u2022 Social engineering:<\/span> This technique involves tricking users into revealing their passwords or other sensitive information.<\/p><p style=\"text-align: center;\"><span style=\"font-size: 14pt;\"><span style=\"color: #ffff00;\">TOOLS<\/span> &nbsp;<\/span><\/p><p><span style=\"color: #00ff00;\">BloodHound:<\/span>&nbsp; A free and open-source tool that can be used to visualize Active Directory relationships. BloodHound can be used to identify potential attack paths and to identify users who have high-level privileges.<\/p><p><span style=\"color: #00ff00;\">SharpHound:<\/span> A C# library that can be used to collect data from Active Directory. 
SharpHound can be used to collect the same data as PowerView, but it can also be used to collect additional data, such as the password hashes of users.<\/p><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-0c9043ae\" data-vce-do-apply=\"all el-0c9043ae\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-c1997b4b\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-c1997b4b\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-c1997b4b\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-8a1f6f58\" data-vce-do-apply=\"all el-8a1f6f58\"><h2><span style=\"color: #00ff00;\">Components of the Command:<\/span><\/h2><p>SharpHound.exe is part of the BloodHound toolset, which is used for Active Directory (AD) enumeration and mapping attack paths.<\/p><p>It helps identify misconfigurations and permissions in Active Directory environments that can lead to privilege escalation or lateral movement.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-cbdf1426\" data-vce-do-apply=\"all el-cbdf1426\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 857px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 49.825%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"857\" height=\"427\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/sharphount-320x159.png 320w, 
https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/sharphount-480x239.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/sharphount-800x399.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/sharphount-857x427.png 857w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/sharphount-857x427.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/sharphount.png\" data-attachment-id=\"1326\"  alt=\"\" title=\"sharphount\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-96d610a9\" data-vce-do-apply=\"all el-96d610a9\"><p><span style=\"color: #ffff00;\">Step 1:<\/span><\/p><p><span style=\"color: #00ff00;\">.\\SharpHound.exe -c All --zipfilename ILFREIGHT<\/span><\/p><p>The .\\ indicates that the executable file SharpHound.exe is located in the current directory (. refers to the current directory).<\/p><p><span style=\"color: #00ff00;\">&nbsp;-c All:<\/span><br>The -c flag specifies the collection method or category of data to collect.<br>All means that SharpHound will collect all available data during the scan, which can include:<\/p><ul><li style=\"list-style-type: none;\"><ul><li>Group memberships<\/li><li>Admins on domain controllers<\/li><li>Trusts<\/li><li>Sessions<\/li><li>Other useful information for mapping attack paths within Active Directory<\/li><\/ul><\/li><\/ul><p>This is a comprehensive scan that tries to collect all relevant data.<\/p><p><span style=\"color: #00ff00;\">&nbsp;--zipfilename ILFREIGHT:<\/span><br>This option specifies the name of the output zip file. 
&nbsp;In this case, the output will be saved as a .zip file named ILFREIGHT.<\/p><p>The resulting zip file will contain the collected information (e.g., group memberships, trusts, and relationships) in a format that can be used later for analysis.<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-cd437426\" data-vce-do-apply=\"all el-cd437426\"><p><span style=\"color: #ffff00;\">Step 2:<\/span><\/p><p>Run <span style=\"color: #ffff00;\">BloodHound<\/span>, then upload the data collected using <span style=\"color: #ffff00;\">SharpHound<\/span> in Step 1.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-b6a243c5\" data-vce-do-apply=\"all el-b6a243c5\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 71.9269%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"433\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood1-320x230.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood1-480x345.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood1-602x433.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood1-602x433.png\" 
data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood1.png\" data-attachment-id=\"1318\"  alt=\"\" title=\"Blood1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-e53a77d1\" data-vce-do-apply=\"all el-e53a77d1\"><p>Once the upload is complete, click on the Analysis tab. Here, you can see the pre-built queries. In this example, we will select Kerberoastable accounts.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-5aef0395\" data-vce-do-apply=\"all el-5aef0395\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 72.2591%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"435\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood2-320x231.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood2-480x347.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood2-602x435.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood2-602x435.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood2.png\" data-attachment-id=\"1320\"  alt=\"\" title=\"Blood2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-c11ca256\" data-vce-do-apply=\"all el-c11ca256\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 70.9302%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"427\" 
srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood3-320x227.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood3-480x340.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood3-602x427.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Blood3-602x427.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/Blood3.png\" data-attachment-id=\"1321\"  alt=\"\" title=\"Blood3\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-d511498b\" data-vce-do-apply=\"all el-d511498b\"><p>Feel free to try all the queries; another example is <span style=\"color: #ffff00;\">\"Find all Domain Admins\"<\/span> under Domain information.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-3931e157\" data-vce-do-apply=\"all el-3931e157\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 602px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 71.0963%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"602\" height=\"428\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/blood5-320x228.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/blood5-480x341.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/blood5-602x428.png 602w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/blood5-602x428.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/01\/blood5.png\" data-attachment-id=\"1322\"  alt=\"\" title=\"blood5\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-0b769a62\" data-vce-do-apply=\"all el-0b769a62\"><p>In 
conclusion, Active Directory (AD) is crucial for managing IT environments, but it can present security risks like privilege creep and unsafe configurations that may be exploited by attackers.<\/p><p>BloodHound helps by analyzing AD environments to identify potential vulnerabilities, allowing Red Teamers to find paths to higher privileges and lateral movement while Blue Teamers can use it to audit and secure AD configurations.<\/p><\/div><\/div><div class=\"vce vce-separator-container vce-separator--align-center vce-separator--style-solid\" id=\"el-ec9ee42e\" data-vce-do-apply=\"margin el-ec9ee42e\"><div class=\"vce-separator vce-separator--color-bfc0c1 vce-separator--width-60 vce-separator--thickness-1\" data-vce-do-apply=\"border padding background  el-ec9ee42e\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-2dc06586\" data-vce-do-apply=\"all el-2dc06586\"><p style=\"text-align: center;\">Want to learn more and gain hands-on experience? Sign up with HTB Academy by clicking the link below<\/p><\/div><\/div><div class=\"vce-button--style-basic-container vce-button--style-basic-container--align-center\"><span class=\"vce-button--style-basic-wrapper vce\" id=\"el-33a3c8ca\" data-vce-do-apply=\"margin el-33a3c8ca\"><a class=\"vce-button vce-button--style-basic vce-button--style-basic--border-rounded vce-button--style-basic--size-medium vce-button--style-basic--color-b-138-198-10--fff\" href=\"https:\/\/hacktheboxltd.sjv.io\/19DPP6\" title=\"\" data-vce-do-apply=\"padding border background  el-33a3c8ca\">JOIN NOW<\/a><\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>(Insights from HTB Academy)From the previous module we learned credential enumeration techniques on Active Directory typically involve using a variety of methods to identify valid usernames and passwords on a network. 
These methods can include:\u2022 Password spraying: This technique involves trying a list of common passwords against a large number of usernames.\u2022 Hash cracking: This [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2016,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[18],"tags":[],"class_list":["post-1305","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=1305"}],"version-history":[{"count":23,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1305\/revisions"}],"predecessor-version":[{"id":2066,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1305\/revisions\/2066"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/2016"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent=1305"}],"wp:term":[{"taxonomy":"category","embedd
able":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=1305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/tags?post=1305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}