active directory

Let Slip the Hounds of War

When I first started learning how to use BloodHound, I remember trying to figure out how to best utilize this tool to discover possible vulnerabilities when attacking Active Directory environments. This post is intended to be a quick, little usage guide to visualizing some of the misconfigurations that can be exploited to move laterally and/or escalate privileges within an environment that uses AD.

Collecting the Goods, and Bringing Home the Bounty

When attempting to use BloodHound, we need to first do a collection using SharpHound. This hound can be executed using either PowerShell or a C# ingestor. As stated in the wiki, both versions "support the same set of options". An example of data collection using the .ps1 version can be seen below.

Depending on the assessment being done and overall goals, some of the different options listed here should be used.

Once the collection is successful, it's time to import the results into BloodHound. Transfer the .zip file that SharpHound put together to the system running BloodHound. Then use the Upload Data button on the right side of the interface to import the newly collected data. Once the results have been processed, the Database Info should update, reflecting the number of Users, Computers, Groups, etc.

I won't rewrite many of the steps for interacting with the BloodHound interface since I feel the wiki does a solid job of documenting some of the basics of using it. Another awesome reference is The Dog Whisperer's Handbook. This resource was one of the more enjoyable pieces of technical documentation to read, so definitely check it out.

I'll throw out a couple quick tips that I found useful when using BloodHound as I was getting started learning how to use it.

  • Make use of the Pre-Built Analytics Queries to get a quick overview of some important information regarding the environment that is targeted.

  • When viewing the different connections between nodes, right-click --> Help, to view some super useful information. For example, when using the Find Shortest Path to Domain Admins query, one of the nodes along the path has WriteDacl, or Write access to the Discretionary Access Control List, against the next node in the path. The Abuse Info tab gives some insight on how to abuse this relationship.
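
To show why a single WriteDacl edge on such a path matters, here is an added example (not from the original post or from the BloodHound project) that runs a breadth-first shortest-path search over a small constructed edge list and counts how many principals' paths to Domain Admins depend on each ACL edge, which points a defender at the ACE to review first. The principal names, the LAB.LOCAL domain and the helper function names are assumptions made for the illustration.

```python
from collections import Counter, deque

# Constructed sample graph (source, edge type, target); not real collection output.
EDGES = [
    ("ALICE@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("HELPDESK@LAB.LOCAL", "WriteDacl", "SERVER ADMINS@LAB.LOCAL"),
    ("SERVER ADMINS@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
    ("BOB@LAB.LOCAL", "MemberOf", "DOMAIN USERS@LAB.LOCAL"),
]
TARGET = "DOMAIN ADMINS@LAB.LOCAL"


def shortest_path(edges, start, target):
    """Breadth-first search; returns the hops from start to target, or None."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue = deque([start])
    came_from = {start: None}  # node -> hop that first reached it
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while came_from[node] is not None:
                hop = came_from[node]
                hops.append(hop)
                node = hop[0]
            return hops[::-1]
        for rel, dst in adjacency.get(node, []):
            if dst not in came_from:
                came_from[dst] = (node, rel, dst)
                queue.append(dst)
    return None


def acl_choke_points(edges, target, acl_rights=("WriteDacl",)):
    """Count how many principals' shortest paths to target rely on each ACL edge."""
    counts = Counter()
    for start in {src for src, _, _ in edges}:
        for hop in shortest_path(edges, start, target) or []:
            if hop[1] in acl_rights:
                counts[hop] += 1
    return counts


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "ALICE@LAB.LOCAL", TARGET):
        print("%s -[%s]-> %s" % hop)
    for (src, rel, dst), n in acl_choke_points(EDGES, TARGET).most_common():
        print(f"review ACE: {src} has {rel} on {dst} ({n} principal(s) depend on it)")
```

Removing the flagged edge from the list and re-running the search shows the path from the low-privileged user no longer exists.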

