// arsenal·Post-ExploitAdvancedFOSS

BloodHound

Active Directory attack-path visualizer — graphs the shortest path to Domain Admin.

Post-Exploit

$ bloodhound --help

BloodHound

BloodHound logoSpecterOps

// what it is

Description

@CptJesus / @harmj0y / @wald0's Neo4j-backed AD attack-path tool. Ingests JSON from SharpHound and lets you query 'shortest path from <owned user> to Domain Admin', 'where can this user RDP', and so on.

// use cases

What people use it for

Find shortest path to Domain Admin
Enumerate AD ACL misconfigs
Discover Kerberoastable accounts

// commands

The commands you'll type

Run BloodHound CE

$ docker run -p 8080:8080 specterops/bloodhound:latest

// facts

category: Post-Exploit
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Advanced

// links

// related in Post-Exploit

Post-ExploitAdvanced

Mimikatz

Benjamin Delpy's Windows credential-theft Swiss Army knife.

Impacket

SecureAuth (now Fortra) Python toolkit for low-level Windows network protocols.

CrackMapExec/CME/

Swiss-army knife for AD post-exploitation — sprays credentials over SMB/WinRM/MSSQL/LDAP.

FOSS

LIN·WIN·MAC

open entry →