
8. Perform Remote AD Recon with BloodHound

Now that we’ve dumped the domain structure, the next step is visualizing it using BloodHound to hunt for privilege escalation paths 🕵️‍♂️.

What is BloodHound?

🕵️‍♂️ BloodHound is a powerful Active Directory (AD) enumeration and attack path analysis tool used during post-exploitation.

📌 What does BloodHound do?

BloodHound maps relationships and permissions between:

  • Users

  • Groups

  • Computers

  • Domains

It shows how a low-privileged user (like alfredo) could escalate privileges by abusing misconfigurations or weak permissions.


🔧 BloodHound Collection Command:

bloodhound-python -u 'alfredo' -p 'Password1' -ns 192.168.10.4 -d megachange.nyx -c All --zip

Options explained:

  • -u: Username (the bare account name, without the domain)

  • -p: Password for alfredo

  • -ns: IP of the domain controller, used as the DNS nameserver for lookups

  • -d: Domain name (e.g., megachange.nyx)

  • -c All: Collect all information (sessions, trusts, ACLs, etc.)

  • --zip: Output a .zip file for use in BloodHound GUI


📊 After That:

  1. Open the BloodHound GUI (on Kali: bloodhound).

  2. Upload the .zip file.

  3. Use pre-built queries like:

    • "Find Principals with DCSync Rights"

    • "Shortest Paths to Domain Admins"

    • "Users with Admin Rights on Computers"


🎯 What to Look For:

  • Paths from alfredo to:

    • Domain Admins

    • Machines with Admin access

    • Users with weak permissions set on them (e.g., GenericWrite, ForceChangePassword, AddMember)
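As an added example (not part of the lab write-up or of BloodHound itself), this Python script reads the users/groups JSON files unzipped from the collector output and lists every non-inherited ForceChangePassword, GenericWrite or AddMember-type right held by anyone other than the built-in admin groups, which is the audit a defender runs on the same export to decide what to remediate. The JSON layout assumed is the collector's v4 format; the SIDs and the SVC_BACKUP account in the embedded sample are constructed.

```python
import json
import sys

# Rights that let the grantee take over the target: the ones the lab says to
# look for plus the other control rights bloodhound-python reports in "Aces".
DANGEROUS_RIGHTS = {"ForceChangePassword", "GenericWrite", "GenericAll",
                    "AddMember", "WriteDacl", "WriteOwner", "Owns"}
ADMIN_RID_SUFFIXES = ("-512", "-519", "-544")  # Domain/Enterprise/BUILTIN Admins: expected

# Constructed sample in the shape of bloodhound-python's users JSON (a "data" list
# of objects with "ObjectIdentifier", "Properties" and "Aces"). SIDs and the
# SVC_BACKUP account are made up; names follow the lab's megachange.nyx domain.
SAMPLE_USERS = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1104",
     "Properties": {"name": "ALFREDO@MEGACHANGE.NYX"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
     "Properties": {"name": "SVC_BACKUP@MEGACHANGE.NYX"},
     "Aces": [
         # the misconfiguration: a plain user may reset this account's password
         {"PrincipalSID": "S-1-5-21-1-1-1-1104", "PrincipalType": "User",
          "RightName": "ForceChangePassword", "IsInherited": False},
         # expected: Domain Admins hold full control
         {"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
          "RightName": "GenericAll", "IsInherited": False},
         # inherited from the OU: a policy decision, filtered out here
         {"PrincipalSID": "S-1-5-21-1-1-1-1104", "PrincipalType": "User",
          "RightName": "GenericWrite", "IsInherited": True}]},
], "meta": {"type": "users", "count": 2, "version": 4}})


def find_risky_aces(*exports):
    """Return (grantee, right, target) for each non-inherited dangerous right not held by admins."""
    objects = [o for export in exports for o in json.loads(export)["data"]]
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}
    findings = []
    for target in objects:
        for ace in target.get("Aces", []):
            sid = ace["PrincipalSID"]
            if (ace["RightName"] not in DANGEROUS_RIGHTS or ace.get("IsInherited")
                    or sid.endswith(ADMIN_RID_SUFFIXES)):
                continue
            findings.append((names.get(sid, sid), ace["RightName"],
                             target["Properties"]["name"]))
    return findings


if __name__ == "__main__":
    # pass the *_users.json / *_groups.json files from the zip, or none to audit the sample
    exports = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_USERS]
    for grantee, right, target in find_risky_aces(*exports):
        print(f"{grantee} has {right} on {target}")
```

Feeding both the users and groups files at once lets the script resolve group SIDs to names instead of printing raw identifiers.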
