8. Perform Remote AD Recon with BloodHound

Now that we’ve dumped the domain structure, the next step is visualizing it using BloodHound to hunt for privilege escalation paths 🕵️‍♂️.

What is BloodHound ?

🕵️‍♂️ BloodHound is a powerful Active Directory (AD) enumeration and attack path analysis tool used during post-exploitation.

📌 What does BloodHound do?

BloodHound maps relationships and permissions between:

• Users

• Groups

• Computers

• Domains

It shows how a low-privileged user (like alfredo) could escalate privileges, using misconfigurations or weak permissions.

---

🔧 BloodHound Collection Command:

bloodhound-python -u 'alfredo' -p 'Password1' -ns 192.168.10.4 -d megachange.nyx -c All --zip

Options explained:

• -u: Username (just the name, not domain)

• -p: Password for alfredo

• -ns: IP of the domain controller (nameserver)

• -d: Domain name (e.g., megachange.nyx)

• -c All: Collect all information (sessions, trusts, ACLs, etc.)

• --zip: Output a .zip file for use in BloodHound GUI

---

📊 After That:

1. Open the BloodHound GUI (on Kali: bloodhound).

2. Upload the .zip file.

   
3. Use pre-built queries like:

   • "Find Principals with DCSync Rights"

   • "Shortest Paths to Domain Admins"

   • "Users with Admin Rights on Computers"

---

🎯 What to Look For:

• Paths from alfredo to:

  • Domain Admins

  • Machines with Admin access

  • Users with weak permissions (e.g., GenericWrite, ForceChangePassword, AddMember)