# Domain Enumeration

### BloodHound

[BloodHound](https://github.com/BloodHoundAD/BloodHound) is an Active Directory reconnaissance tool that can reveal a significant amount of information, such as hidden relationships, trusts, and attack paths.

#### Running a Collector

SharpHound is what BloodHound calls a 'collector'. We run SharpHound against the domain, then import the files it generates into BloodHound to view and analyze them.

```bash
# Running the precompiled binary on a domain joined Windows system
SharpHound.exe 

# Specify domain within SharpHound
SharpHound.exe -d $domain

# Collection method all
SharpHound.exe --CollectionMethod All --ZipFileName output.zip

# Python collector
## https://github.com/fox-it/BloodHound.py
bloodhound.py -d $domain -v --zip -c All -dc $dcfqdn -ns $dcip
```

#### Queries

```cypher
// Identify users with an SPN set:
MATCH (u:User {hasspn:true}) RETURN u

// Identify computers with unconstrained delegation enabled:
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

// Identify computers with constrained delegation configured:
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

// Identify computers with LAPS enabled:
MATCH (c:Computer {haslaps: true}) RETURN c
```
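
What the node properties in these queries correspond to in the directory, as an added Python example that is not part of the original page or of BloodHound: it classifies constructed LDAP entries by their raw attributes for a remediation review. The attribute mapping (`userAccountControl` bit `0x80000`, `servicePrincipalName`, `msDS-AllowedToDelegateTo`, the two LAPS expiry attributes) and the choice to skip disabled accounts and domain controllers are assumptions made here, not taken from the page.

```python
# Added example: derive the flags the queries above filter on from raw
# LDAP attributes. Mapping and triage rules are assumptions (see lead-in).
UAC_ACCOUNTDISABLE = 0x2
UAC_SERVER_TRUST_ACCOUNT = 0x2000      # account is a domain controller
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
LAPS_ATTRS = ("ms-Mcs-AdmPwdExpirationTime", "msLAPS-PasswordExpirationTime")

def classify(entry):
    """Return the set of review findings for one LDAP entry (a dict)."""
    uac = int(entry.get("userAccountControl", 0))
    findings = set()
    if uac & UAC_ACCOUNTDISABLE:
        return findings                # disabled accounts are out of scope
    # Computer objects also carry objectClass "user", so test "computer" first.
    if "computer" in entry.get("objectClass", []):
        is_dc = bool(uac & UAC_SERVER_TRUST_ACCOUNT)
        # DCs always have this bit set; flag only non-DC hosts.
        if uac & UAC_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.add("unconstrained-delegation")
        if entry.get("msDS-AllowedToDelegateTo"):
            findings.add("constrained-delegation")
        if not is_dc and not any(entry.get(a) for a in LAPS_ATTRS):
            findings.add("no-laps")
    elif entry.get("servicePrincipalName"):
        findings.add("user-with-spn")
    return findings

def audit(entries):
    """Map sAMAccountName -> sorted findings, omitting clean entries."""
    return {e["sAMAccountName"]: sorted(f) for e in entries if (f := classify(e))}

COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
USER = ["top", "person", "organizationalPerson", "user"]
SPN = ["MSSQLSvc/db01.example.test:1433"]
# Constructed sample entries, not real directory data.
SAMPLE = [
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER, "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "objectClass": COMPUTER, "userAccountControl": 0x81000},
    {"sAMAccountName": "SQL01$", "objectClass": COMPUTER, "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": SPN,
     "ms-Mcs-AdmPwdExpirationTime": "133500000000000000"},
    {"sAMAccountName": "svc_sql", "objectClass": USER, "userAccountControl": 0x200,
     "servicePrincipalName": SPN},
    {"sAMAccountName": "old_svc", "objectClass": USER, "userAccountControl": 0x202,
     "servicePrincipalName": SPN},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found)}")
```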

### PowerView

[PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1), while a little dated now, is still a reliable tool for domain reconnaissance. High privileges are not required to run PowerView: a standard authenticated user account is sufficient to perform domain reconnaissance.

```powershell
# Import PowerView.ps1
. .\PowerView.ps1

# Return basic information about the domain and domain controllers
Get-Domain

# Return all domain users
Get-DomainUser -Properties DisplayName, MemberOf | fl

# Return all domain computers
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Return all domain trusts
Get-DomainTrust
```

### References

{% embed url="<https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html>" %}

{% embed url="<https://www.hackingarticles.in/active-directory-enumeration-powerview/>" %}
