Service bank
DIRECTORY / AD 389/tcp 445/tcp 7474/tcp

BloodHound

aka SharpHound, BloodHound Community Edition, BHCE, bloodhound-python

BloodHound AD attack path analysis: SharpHound collection methods, bloodhound-python (Linux/unauthenticated-friendly), Cypher query reference, key node types, pre-built attack path queries, and SpecterOps BloodHound CE.

Ports

Port   Proto   Notes
389    tcp     LDAP — bloodhound-python collection
445    tcp     SMB — SharpHound session collection
7474   tcp     Neo4j bolt — BloodHound CE web UI

Fingerprint

  • BloodHound visualises AD attack paths using a Neo4j graph database
  • Edges represent relationships: MemberOf, GenericAll, HasSession, CanPSRemote, etc.

Key files

Path                                  Holds                                                               Sensitive
*.zip (SharpHound output)             full domain graph: users, computers, GPOs, ACLs, sessions, trusts   sensitive
~/.config/bloodhound/ (BHCE config)   API keys and connection settings

Exploitation primitives

  • bloodhound-python runs from Linux without joining the domain
  • Pre-built query 'Shortest Paths to Domain Admins' finds the attack chain instantly
  • Mark compromised nodes as Owned to see reachable paths from your position
  • Custom Cypher queries find delegation, LAPS, ADCS, trust misconfigurations

Data Collection

bloodhound-python (Linux — no domain join required)

# Full collection (All methods)
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c All

# If DNS doesn't work via the resolver:
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c All --dns-tcp

# Hash auth
bloodhound-python -u user --hashes :NTHASH -d domain.local -ns DC_IP -c All

# Kerberos auth (using .ccache)
KRB5CCNAME=ticket.ccache bloodhound-python -u user -k -no-pass -d domain.local -ns DC_IP -c All

Outputs .json files in the current directory — zip them and upload to BloodHound.
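The .json files are worth reading before they are uploaded: a defender auditing a collection of their own domain can pull the same findings out of them that the Cypher queries further down look for. The following is an added example, not part of this page or of the bloodhound-python project. It constructs two small sample files in the {"data": [...], "meta": {...}} layout the collectors write, zips them the way the upload step expects, and reports ASREP-roastable users, Kerberoastable users and non-DC hosts with unconstrained delegation. The sample data is constructed; the PrimaryGroupSID field on computer objects and the meta.type values are assumed from the SharpHound output format.

```python
import io
import json
import zipfile

# Constructed sample collection files in the {"data": [...], "meta": {...}}
# layout that SharpHound and bloodhound-python write. Property names follow
# the BloodHound schema (dontreqpreauth, hasspn, unconstraineddelegation);
# PrimaryGroupSID on computer objects is assumed, as SharpHound emits it.
SAMPLE_USERS = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "SVC_SQL@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": True, "dontreqpreauth": False,
                        "serviceprincipalnames": ["MSSQLSvc/sql01.domain.local:1433"]}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1106",
         "Properties": {"name": "LEGACY.APP@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": True,
                        "serviceprincipalnames": []}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1107",
         "Properties": {"name": "ALICE@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": False,
                        "serviceprincipalnames": []}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1108",
         "Properties": {"name": "OLD.SVC@DOMAIN.LOCAL", "enabled": False,
                        "hasspn": True, "dontreqpreauth": False,
                        "serviceprincipalnames": ["HTTP/old.domain.local"]}},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})

SAMPLE_COMPUTERS = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
         "PrimaryGroupSID": "S-1-5-21-1-2-3-516",
         "Properties": {"name": "DC01.DOMAIN.LOCAL", "enabled": True,
                        "unconstraineddelegation": True}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1201",
         "PrimaryGroupSID": "S-1-5-21-1-2-3-515",
         "Properties": {"name": "FILE01.DOMAIN.LOCAL", "enabled": True,
                        "unconstraineddelegation": True}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1202",
         "PrimaryGroupSID": "S-1-5-21-1-2-3-515",
         "Properties": {"name": "WS01.DOMAIN.LOCAL", "enabled": True,
                        "unconstraineddelegation": False}},
    ],
    "meta": {"type": "computers", "count": 3, "version": 5},
})


def build_zip(files: dict) -> bytes:
    """Zip the per-type .json files the way they are zipped before upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def parse_collection(raw: str):
    """Return (meta.type, list of objects) for one collection file."""
    doc = json.loads(raw)
    return doc["meta"]["type"], doc["data"]


def audit_zip(zip_bytes: bytes) -> dict:
    """Walk every .json in the zip and pull out three findings. Disabled
    accounts are skipped: they cannot be roasted and only add noise to a
    remediation list."""
    findings = {"asrep_roastable": [], "kerberoastable": [], "unconstrained_delegation": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            # SharpHound writes UTF-8 with a BOM; utf-8-sig accepts both forms.
            kind, objects = parse_collection(zf.read(name).decode("utf-8-sig"))
            for obj in objects:
                props = obj.get("Properties", {})
                if not props.get("enabled", True):
                    continue
                if kind == "users":
                    if props.get("dontreqpreauth"):
                        findings["asrep_roastable"].append(props["name"])
                    if props.get("hasspn"):
                        findings["kerberoastable"].append(props["name"])
                elif kind == "computers":
                    # DCs (primary group RID 516) legitimately hold this flag;
                    # the finding is any other host that does.
                    is_dc = str(obj.get("PrimaryGroupSID", "")).endswith("-516")
                    if props.get("unconstraineddelegation") and not is_dc:
                        findings["unconstrained_delegation"].append(props["name"])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    sample = build_zip({"users.json": SAMPLE_USERS, "computers.json": SAMPLE_COMPUTERS})
    for finding, names in audit_zip(sample).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Point audit_zip at a real collection zip to get a remediation list without standing up Neo4j; the DC exclusion mirrors the Domain Controllers group check that the unconstrained-delegation Cypher query below performs.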

SharpHound (Windows — domain-joined or with creds)

# Full collection
.\SharpHound.exe -c All --zipfilename collection.zip

# From a non-domain-joined machine with explicit creds
.\SharpHound.exe -c All -d domain.local --ldapusername user --ldappassword pass --domaincontroller DC_IP

# Stealth — session collection only (less noisy)
.\SharpHound.exe -c Session

# Specific DC
.\SharpHound.exe -c All --domaincontroller DC_IP

nxc BloodHound module

nxc ldap DC_IP -u user -p pass --bloodhound -c All

Install BloodHound CE (Docker)

git clone https://github.com/SpecterOps/BloodHound
cd BloodHound/examples/docker-compose
docker compose up -d
# Access at http://localhost:8080  default admin / admin (change on first login)

Upload zip: Administration → File Ingest → Upload File.


Key Node Types

Node           Represents
User           Domain user account
Computer       Workstation or server
Group          Security or distribution group
GPO            Group Policy Object
OU             Organisational Unit
Domain         The AD domain
Container      AD container object
CertTemplate   ADCS certificate template

Key Edge Types (Attack Relevance)

Edge                   Abuse
MemberOf               Group membership (follow to privileged groups)
GenericAll             Full control: change password, add SPN, set shadow creds
GenericWrite           Write attributes: add SPN (Kerberoast), shadow creds
WriteDACL              Grant yourself GenericAll
WriteOwner             Take ownership → WriteDACL
AllExtendedRights      Includes Force-Change-Password and others
ForceChangePassword    Change password without knowing current
HasSession             A user has an active session on that computer
AdminTo                Local admin on the target computer
CanPSRemote            Can PSRemote to the target (WinRM)
CanRDP                 Can RDP to the target
AddKeyCredentialLink   Shadow credentials abuse
DCSync                 Has DS-Replication rights
AddMember              Can add users to the group
AllowedToDelegate      Constrained delegation
AllowedToAct           RBCD target
TrustedBy              Domain trust direction

Pre-Built Queries (GUI)

In BloodHound UI → Analysis tab:

  • Find All Domain Admins — baseline who you’re targeting
  • Shortest Paths to Domain Admins — THE critical query
  • Shortest Paths from Owned Principals — paths from your compromised accounts
  • Find Principals with DCSync Rights — who can DCSync besides Domain Admins
  • Find Computers with Unsupported Operating Systems — legacy attack surface
  • Find Kerberoastable Users with High Value Targets — priority targets
  • Find ASREP-Roastable Users — no preauth accounts
  • Shortest Paths to Unconstrained Delegation Systems — escalation via delegation
  • Find Computers where Domain Users are Local Admin — mass compromise candidates
  • Find Computers with Local Admin Privileges — where your user has admin rights

Custom Cypher Queries

All users with GenericAll on other users

MATCH (n:User)-[r:GenericAll]->(m:User)
RETURN n.name, m.name

Find paths from a specific user to DA

MATCH p=shortestPath((u:User {name: "ATTACKER@DOMAIN.LOCAL"})-[*1..]->(g:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"}))
RETURN p

Find all computers where user has admin

MATCH (u:User {name: "USER@DOMAIN.LOCAL"})-[r:AdminTo]->(c:Computer)
RETURN c.name

Find all paths involving WriteDACL

MATCH p=(n)-[:WriteDACL]->(m)
WHERE n.name =~ ".*"
RETURN p LIMIT 25

Computers with unconstrained delegation (not DCs)

// Computer names are FQDNs (e.g. DC01.DOMAIN.LOCAL), so a name-suffix test
// never matches a DC; exclude members of Domain Controllers (RID 516) instead.
MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH "-516"
WITH COLLECT(dc.name) AS domainControllers
MATCH (c:Computer {unconstraineddelegation: true})
WHERE NOT c.name IN domainControllers
RETURN c.name

Users with DONT_REQ_PREAUTH (ASREP roastable)

MATCH (u:User {dontreqpreauth: true}) RETURN u.name

All service accounts (Kerberoastable)

MATCH (u:User) WHERE u.hasspn=true RETURN u.name, u.serviceprincipalnames

Cross-domain trust edges

MATCH (d1:Domain)-[r:TrustedBy]->(d2:Domain) RETURN d1.name, r, d2.name

Workflow: Owned → DA

  1. Mark your compromised accounts as Owned: right-click node → Mark User as Owned
  2. Run: Shortest Paths from Owned Principals
  3. Identify the cheapest edge chain (fewest hops)
  4. Click each edge to see abuse info (step-by-step exploit commands)
  5. Execute and re-mark the next node as Owned
  6. Repeat until Domain Admin
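What the "Shortest Paths from Owned Principals" and "Shortest Paths to Domain Admins" queries compute is a breadth-first search over the edge types in the table above. The block below is an added example, not code from this page or from BloodHound, that runs that search over a constructed edge list so the result can be inspected without Neo4j. It also adds the defender's reverse view: every principal with any path to Domain Admins, and which edge sits on the most of those paths (the one whose removal cuts the most paths at once). All names and edges are constructed sample data.

```python
from collections import Counter, deque

# Constructed edge list using BloodHound's edge names (source, edge, target).
# Directions follow the graph schema: HasSession points Computer -> User,
# MemberOf points principal -> group. Not real collection data.
EDGES = [
    ("ALICE@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL"),
    ("WS01.DOMAIN.LOCAL", "HasSession", "BOB@DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "GenericAll", "SRVADMINS@DOMAIN.LOCAL"),
    ("SRVADMINS@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("ALICE@DOMAIN.LOCAL", "CanRDP", "FILE01.DOMAIN.LOCAL"),
    ("CAROL@DOMAIN.LOCAL", "WriteDACL", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("DAVE@DOMAIN.LOCAL", "MemberOf", "DOMAIN USERS@DOMAIN.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@DOMAIN.LOCAL"


def build_graph(edges):
    """Forward and reverse adjacency: node -> [(edge, neighbour)]."""
    fwd, rev = {}, {}
    for src, kind, dst in edges:
        fwd.setdefault(src, []).append((kind, dst))
        rev.setdefault(dst, []).append((kind, src))
    return fwd, rev


def shortest_path(edges, start, target):
    """BFS by hop count; returns [(src, edge, dst), ...] or None.
    Equivalent to Cypher's shortestPath() with unweighted edges."""
    fwd, _ = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in fwd.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, kind = parent[node]
        path.append((prev, kind, node))
        node = prev
    return path[::-1]


def paths_from_owned(edges, owned, target=DOMAIN_ADMINS):
    """'Shortest Paths from Owned Principals': one path (or None) per owned node."""
    return {o: shortest_path(edges, o, target) for o in owned}


def principals_reaching(edges, target=DOMAIN_ADMINS):
    """Reverse BFS: every node with some path to target. This is the
    remediation view, the set whose edges need reviewing."""
    _, rev = build_graph(edges)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for _, src in rev.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def edge_usage(edges, target=DOMAIN_ADMINS):
    """Count how often each edge appears on the shortest paths of all
    principals that reach target; the top entry is the best edge to cut."""
    usage = Counter()
    for principal in principals_reaching(edges, target):
        for hop in shortest_path(edges, principal, target) or []:
            usage[hop] += 1
    return usage


if __name__ == "__main__":
    for owner, path in paths_from_owned(EDGES, ["ALICE@DOMAIN.LOCAL", "DAVE@DOMAIN.LOCAL"]).items():
        print(owner, "->", " -> ".join(f"{k}:{d}" for _, k, d in path) if path else "no path")
    print("most used edge:", edge_usage(EDGES).most_common(1)[0])
```

On this sample the SRVADMINS MemberOf Domain Admins edge sits on five of the six shortest paths, which is the kind of single remediation (review that group's membership and who holds GenericAll over it) that collapses most of the graph's paths to DA.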

BloodHound CE API (automation)

# Get API token (-r strips the JSON quotes so the token can go straight into the Bearer header)
curl -s -X POST http://localhost:8080/api/v2/login \
  -H 'Content-Type: application/json' \
  -d '{"login_name":"admin","secret":"YOUR_PASSWORD"}' | jq -r '.data.session_token'

# List all domains
curl -H "Authorization: Bearer TOKEN" http://localhost:8080/api/v2/available-domains
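The same two calls as a small reusable client, added here as an example rather than code from this page or from SpecterOps. It keeps the session token from /api/v2/login and sends it as the Bearer header on later requests; the HTTP transport is injectable so the flow can be exercised against a fake server. The response shape of /api/v2/available-domains ({"data": [{"name": ...}]}) and the raw Cypher endpoint (POST /api/v2/graphs/cypher with {"query": ...}) are assumptions about the BHCE API and should be checked against your version.

```python
import json
import os
import urllib.request

BASE_URL = "http://localhost:8080"   # BloodHound CE from the docker-compose above


def http_json(method, url, body=None, token=None):
    """Default transport: one JSON request over urllib, decoded JSON back."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class BhceClient:
    """Thin client over login, available-domains and (assumed) raw Cypher.
    `transport` is injectable so the flow can run without a live server."""

    def __init__(self, base_url=BASE_URL, transport=http_json):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, login_name, secret):
        doc = self.transport("POST", f"{self.base_url}/api/v2/login",
                             body={"login_name": login_name, "secret": secret})
        self.token = doc["data"]["session_token"]
        return self.token

    def _call(self, path, body=None, method="GET"):
        if not self.token:
            raise RuntimeError("login() first: the API rejects unauthenticated calls")
        return self.transport(method, f"{self.base_url}{path}", body=body, token=self.token)

    def available_domains(self):
        # Assumed response shape: {"data": [{"name": ..., "id": ...}, ...]}
        return [d["name"] for d in self._call("/api/v2/available-domains")["data"]]

    def cypher(self, query):
        # Assumption: BHCE's raw Cypher endpoint; verify on your version.
        return self._call("/api/v2/graphs/cypher",
                          body={"query": query, "include_properties": True},
                          method="POST")


if __name__ == "__main__":
    # Password read from the environment rather than hard-coded in the script.
    client = BhceClient()
    client.login("admin", os.environ["BHCE_PASSWORD"])
    print("domains:", client.available_domains())
```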
