8. Perform Remote AD Recon with BloodHound

Now that we’ve dumped the domain structure, the next step is visualizing it using BloodHound to hunt for privilege escalation paths 🕵️‍♂️.

What is BloodHound?

🕵️‍♂️ BloodHound is a powerful Active Directory (AD) enumeration and attack path analysis tool used during post-exploitation.

📌 What does BloodHound do?

BloodHound maps relationships and permissions between:

  • Users

  • Groups

  • Computers

  • Domains

It shows how a low-privileged user (like alfredo) could escalate privileges by chaining together group memberships, local admin rights, logged-on sessions and weak ACLs, none of which looks dangerous on its own.


🔧 BloodHound Collection Command:

bloodhound-python -u 'alfredo' -p 'Password1' -ns 192.168.10.4 -d megachange.nyx -c All --zip

Options explained:

  • -u: Username (the sAMAccountName only; the domain comes from -d)

  • -p: Password for alfredo

  • -ns: Nameserver for DNS lookups, normally the DC's IP, since the DC hosts AD-integrated DNS and the collector must resolve the domain and every computer name it enumerates

  • -d: Domain name (e.g., megachange.nyx)

  • -c All: Collect everything (group membership, ACLs, object properties, trusts, local admins, sessions, etc.). The LocalAdmin and Session collectors connect to every computer over SMB, so this is noisy and fails for hosts that do not resolve; -c DcOnly talks only to the DC over LDAP if that matters

  • --zip: Output a .zip file for use in BloodHound GUI


📊 After That:

  1. Start the Neo4j database first (sudo neo4j console), then open the BloodHound GUI (on Kali: bloodhound) and log in with the Neo4j credentials.

  2. Upload the .zip file (Upload Data button, or drag and drop it onto the window).

  3. Search for alfredo, right-click the node and mark it as Owned, so the owned-principal queries start from the account you actually control.

  4. Use pre-built queries like:

    • "Find Principals with DCSync Rights"

    • "Find Shortest Paths to Domain Admins"

    • "Shortest Path from Owned Principals"

    • "Find Computers where Domain Users are Local Admin"


🎯 What to Look For:

  • Paths from alfredo to:

    • Domain Admins

    • Machines with Admin access

    • Objects that alfredo (or any group he belongs to) controls through ACL edges such as GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword and AddMember; each of these is abusable (password reset, adding yourself to a group, rewriting the object's DACL) and becomes a hop in the escalation path
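To make the "what to look for" concrete, here is an added example (not code from the original write-up or from the BloodHound project) that does offline what the GUI does for the path queries: it pulls users.json and groups.json out of a bloodhound-python --zip archive, builds the same MemberOf and ACL edges BloodHound draws, lists the rights alfredo holds directly, and breadth-first searches from alfredo to Domain Admins the way "Shortest Path from Owned Principals" does. The domain below is constructed sample data: the SIDs, the SVC_BACKUP and HELPDESK objects and the ForceChangePassword/AddMember ACEs are made up for the example, and the JSON follows the v4 collector layout (Properties, ObjectIdentifier, Aces, Members, meta.type).

```python
"""Offline triage of a bloodhound-python --zip collection (added example)."""
import io
import json
import zipfile
from collections import deque

DOMAIN = "MEGACHANGE.NYX"
DOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def sid(rid: int) -> str:
    return f"{DOM_SID}-{rid}"


# Constructed sample collection: a chain alfredo -> svc_backup -> HELPDESK -> Domain Admins
SAMPLE_USERS = {
    "data": [
        {"ObjectIdentifier": sid(1104), "Properties": {"name": f"ALFREDO@{DOMAIN}"}, "Aces": []},
        {"ObjectIdentifier": sid(1105), "Properties": {"name": f"SVC_BACKUP@{DOMAIN}"},
         # alfredo may reset svc_backup's password (constructed misconfiguration)
         "Aces": [{"PrincipalSID": sid(1104), "PrincipalType": "User",
                   "RightName": "ForceChangePassword", "IsInherited": False}]},
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
}
SAMPLE_GROUPS = {
    "data": [
        {"ObjectIdentifier": f"{DOM_SID}-512", "Properties": {"name": f"DOMAIN ADMINS@{DOMAIN}"},
         "Members": [{"ObjectIdentifier": sid(1106), "ObjectType": "User"}],
         # HELPDESK may add members to Domain Admins (constructed misconfiguration)
         "Aces": [{"PrincipalSID": sid(1107), "PrincipalType": "Group",
                   "RightName": "AddMember", "IsInherited": False}]},
        {"ObjectIdentifier": sid(1107), "Properties": {"name": f"HELPDESK@{DOMAIN}"},
         "Members": [{"ObjectIdentifier": sid(1105), "ObjectType": "User"}], "Aces": []},
    ],
    "meta": {"type": "groups", "count": 2, "version": 4},
}

# ACL edge types BloodHound treats as abusable (the ones worth chasing in the GUI)
ABUSABLE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
                   "AddMember", "ForceChangePassword", "AllExtendedRights"}


def make_sample_zip() -> bytes:
    """Write the constructed JSON into an in-memory zip shaped like the collector's output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101000000_users.json", json.dumps(SAMPLE_USERS))
        zf.writestr("20240101000000_groups.json", json.dumps(SAMPLE_GROUPS))
    return buf.getvalue()


def load_collection(zip_bytes: bytes) -> dict:
    """Index every JSON file in the archive by its meta.type (users, groups, ...)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = json.loads(zf.read(name))
            found[data["meta"]["type"]] = data
    return found


def build_graph(users: dict, groups: dict):
    """Return (sid -> name, sid -> [(edge_type, target_sid)]) with MemberOf and ACL edges."""
    names, edges = {}, {}
    for obj in users["data"] + groups["data"]:
        oid = obj["ObjectIdentifier"]
        names[oid] = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):          # principal -[Right]-> object
            if ace["RightName"] in ABUSABLE_RIGHTS:
                edges.setdefault(ace["PrincipalSID"], []).append((ace["RightName"], oid))
        for member in obj.get("Members", []):    # member -[MemberOf]-> group
            edges.setdefault(member["ObjectIdentifier"], []).append(("MemberOf", oid))
    return names, edges


def rights_held_by(edges: dict, names: dict, principal: str) -> list:
    """Direct ACL edges a principal holds: the weak permissions to look for."""
    return [(kind, names.get(dst, dst)) for kind, dst in edges.get(principal, []) if kind != "MemberOf"]


def shortest_path(edges: dict, src: str, dst: str):
    """BFS over outbound edges; returns [(from_sid, edge_type, to_sid), ...] or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for kind, nxt in edges.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, kind)
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while prev[node] is not None:
        parent, kind = prev[node]
        path.append((parent, kind, node))
        node = parent
    return list(reversed(path))


if __name__ == "__main__":
    coll = load_collection(make_sample_zip())
    names, edges = build_graph(coll["users"], coll["groups"])
    print("Rights alfredo holds directly:", rights_held_by(edges, names, sid(1104)))
    for frm, kind, to in shortest_path(edges, sid(1104), f"{DOM_SID}-512") or []:
        print(f"{names[frm]} -[{kind}]-> {names[to]}")
```

The path it prints (ALFREDO -[ForceChangePassword]-> SVC_BACKUP -[MemberOf]-> HELPDESK -[AddMember]-> DOMAIN ADMINS) is exactly the shape to hunt for in the GUI: no single hop is Domain Admin, but each is an abuse primitive. Point load_collection at the real archive (open(path, "rb").read()) and the same functions work on a live collection, with computers.json and the LocalAdmin/Session edges left out here for brevity.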
