# Domain Enumeration

### BloodHound

[BloodHound](https://github.com/BloodHoundAD/BloodHound) is an Active Directory reconnaissance tool that can reveal a significant amount of information such as hidden relationships, trusts, and attack paths.

#### Running a Collector

SharpHound is the 'collector': it gathers data from the domain and writes it to files (JSON, optionally zipped) that are then imported into BloodHound to view and analyze.

```bash
# Running the precompiled binary on a domain joined Windows system
SharpHound.exe 

# Specify domain within SharpHound
SharpHound.exe -d $domain

# Collection method all
SharpHound.exe --CollectionMethod All --ZipFileName output.zip

# Python collector
## https://github.com/fox-it/BloodHound.py
bloodhound.py -d $domain -v --zip -c All -dc $dcfqdn -ns $dcip
```

#### Queries

```cypher
// Identify users with an SPN set:
MATCH (u:User {hasspn:true}) RETURN u

// Identify computers with unconstrained delegation enabled:
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

// Identify computers with constrained delegation configured (the AllowedToDelegate edge):
MATCH p=(c:Computer)-[:AllowedToDelegate]->(t:Computer) RETURN p

// Identify computers with LAPS enabled:
MATCH (c:Computer {haslaps:true}) RETURN c
```
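The same four checks can be run directly over the files SharpHound produces, which is useful for a defender who wants to review a collection for risky configurations (and, for LAPS, the hosts where it is missing) without standing up a BloodHound instance. The following is an added example, not code from the BloodHound or SharpHound projects; it assumes the SharpHound v4 JSON layout (a `data` array of objects with `ObjectIdentifier`, `Properties` and, for computers, an `AllowedToDelegate` list, plus a `meta` block), and the sample users/computers are constructed inline.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample data in the shape of SharpHound v4 users.json / computers.json
# (assumed schema, not real collector output). Only the fields the checks use are included.
USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
         "Properties": {"name": "SVC_SQL@CORP.LOCAL", "hasspn": True,
                        "serviceprincipalnames": ["MSSQLSvc/sql01.corp.local:1433"]}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
         "Properties": {"name": "ALICE@CORP.LOCAL", "hasspn": False,
                        "serviceprincipalnames": []}},
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
})

COMPUTERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1000",
         "Properties": {"name": "DC01.CORP.LOCAL", "unconstraineddelegation": True, "haslaps": False},
         "AllowedToDelegate": []},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1201",
         "Properties": {"name": "WEB01.CORP.LOCAL", "unconstraineddelegation": False, "haslaps": True},
         "AllowedToDelegate": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1202", "ObjectType": "Computer"}]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1202",
         "Properties": {"name": "SQL01.CORP.LOCAL", "unconstraineddelegation": False, "haslaps": True},
         "AllowedToDelegate": []},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1300",
         "Properties": {"name": "LEGACY01.CORP.LOCAL", "unconstraineddelegation": True, "haslaps": False},
         "AllowedToDelegate": []},
    ],
    "meta": {"type": "computers", "count": 4, "version": 4},
})


def load_objects(text: str, expected_type: str) -> List[dict]:
    """Parse one SharpHound JSON file and return its 'data' array after checking meta.type."""
    doc = json.loads(text)
    meta = doc.get("meta", {})
    if meta.get("type") != expected_type:
        raise ValueError(f"expected a {expected_type} file, got {meta.get('type')!r}")
    return doc.get("data", [])


def _name(obj: dict) -> str:
    # Fall back to the SID when a name is missing from Properties.
    return obj["Properties"].get("name", obj["ObjectIdentifier"])


def users_with_spn(users: List[dict]) -> List[str]:
    """Equivalent of MATCH (u:User {hasspn:true}) RETURN u."""
    return sorted(_name(u) for u in users if u["Properties"].get("hasspn") is True)


def unconstrained_delegation(computers: List[dict]) -> List[str]:
    """Equivalent of MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.
    Domain controllers are expected here; any other host is a finding to review."""
    return sorted(_name(c) for c in computers
                  if c["Properties"].get("unconstraineddelegation") is True)


def constrained_delegation_edges(computers: List[dict]) -> List[Tuple[str, str]]:
    """Equivalent of MATCH p=(c:Computer)-[:AllowedToDelegate]->(t:Computer) RETURN p,
    with target SIDs resolved to names (unresolvable SIDs are kept as-is)."""
    by_sid: Dict[str, str] = {c["ObjectIdentifier"]: _name(c) for c in computers}
    edges = []
    for c in computers:
        for target in c.get("AllowedToDelegate", []):
            sid = target["ObjectIdentifier"]
            edges.append((_name(c), by_sid.get(sid, sid)))
    return sorted(edges)


def laps_coverage(computers: List[dict]) -> Dict[str, List[str]]:
    """Equivalent of MATCH (c:Computer {haslaps:true}) RETURN c, plus the defender's complement:
    hosts where LAPS is NOT deployed, which is the list that needs remediation."""
    report: Dict[str, List[str]] = {"with_laps": [], "without_laps": []}
    for c in computers:
        key = "with_laps" if c["Properties"].get("haslaps") is True else "without_laps"
        report[key].append(_name(c))
    return {k: sorted(v) for k, v in report.items()}


def audit(users_text: str, computers_text: str) -> dict:
    """Run all four checks over a users.json / computers.json pair and return one report."""
    users = load_objects(users_text, "users")
    computers = load_objects(computers_text, "computers")
    return {
        "users_with_spn": users_with_spn(users),
        "unconstrained_delegation": unconstrained_delegation(computers),
        "constrained_delegation": constrained_delegation_edges(computers),
        "laps": laps_coverage(computers),
    }


if __name__ == "__main__":
    print(json.dumps(audit(USERS_JSON, COMPUTERS_JSON), indent=2))
```

To run it against a real collection, read the `*_users.json` and `*_computers.json` files out of the SharpHound zip and pass their contents to `audit()`. The `meta.type` check guards against feeding the wrong file to the wrong check, and the LAPS report deliberately lists the hosts without LAPS, since that is the set a defender acts on.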

### PowerView

[PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1), while a little dated now, is still a reliable tool for performing domain reconnaissance. It should be noted that high privileges are not required to run PowerView; performing domain reconnaissance with a standard authenticated user account is sufficient.

```powershell
# Import PowerView.ps1
. .\PowerView.ps1

# Return basic information about the domain and domain controllers
Get-Domain

# Return all domain users
Get-DomainUser -Properties DisplayName, MemberOf | fl

# Return all domain computers
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Return all domain trusts
Get-DomainTrust
```

### References

{% embed url="https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html" %}

{% embed url="https://www.hackingarticles.in/active-directory-enumeration-powerview/" %}
