is an Active Directory reconaisssance tool that can reveal a significant amount of information such as hidden relationships, trusts, and attack paths.
Running a Collector
SharpHound is what we define as a 'collector'. Essentially, we need to run SharpHound and then import the data/files generated into BloodHound to view and analyze.
# Running the precompiled binary on a domain joined Windows system
SharpHound.exe
# Specify domain within SharpHound
SharpHound.exe -d $domain
# Collection method all
SharpHound.exe --CollectionMethod All --ZipFileName output.zip
# Python collector
## https://github.com/fox-it/BloodHound.py
bloodhound.py -d $domain -v --zip -c All -dc $dcfqdn -ns $dcip
Queries
# Identify Users with an SPN Set:
MATCH (u:User {hasspn:true}) RETURN u
# Identify computers with unconstrained delegation enabled:
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# Identify computers with constrained delegation configured:
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
# Identify computers with LAPS enabled:
MATCH (c:Computer {haslaps: true}) RETURN c
PowerView
# Import PowerView.ps1
. .\PowerView.ps1
# Return basic information about the domain and domain controllers
Get-Domain
# Return all domain users
Get-DomainUser -Properties DisplayName, MemberOf | fl
# Return all domain computers
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
# Return all domain trusts
Get-DomainTrust
References
, while a little dated now is still a reliable tool to perform domain reconaissance with. It should be noted that high privileges are not required to run PowerView and that performing domain reconaissance with a standard authenticated user account is sufficient.
