Domain Enumeration


BloodHound is an Active Directory reconnaissance tool that can reveal a significant amount of information, such as hidden relationships, trusts, and attack paths.

Running a Collector

SharpHound is what BloodHound calls a 'collector'. Essentially, we run SharpHound against the domain and then import the data files it generates into BloodHound to view and analyse them.

# Running the precompiled binary on a domain joined Windows system

# Specify domain within SharpHound
SharpHound.exe -d $domain

# Collection method all
SharpHound.exe --CollectionMethod All --ZipFileName $zipname

# Python collector (bloodhound-python), run from a host that need not be domain joined;
# -u/-p supply the account used for collection
bloodhound-python -u $user -p $password -d $domain -v --zip -c All -dc $dcfqdn -ns $dcip

Cypher Queries

# Identify users with an SPN set:
MATCH (u:User {hasspn:true}) RETURN u

# Identify computers with unconstrained delegation enabled:
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

# Identify computers with constrained delegation configured:
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

# Identify computers with LAPS enabled:
MATCH (c:Computer {haslaps: true}) RETURN c
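As an added example (not from the original page or the BloodHound project), the following Python script applies the same four checks directly to raw SharpHound JSON output, so findings can be reviewed, or compared between collections, without loading a Neo4j database. It assumes SharpHound's file layout: a top-level `data` list and a `meta.type` of `users` or `computers`, a `Properties` dictionary per object with lowercase keys (`hasspn`, `unconstraineddelegation`, `haslaps`, `name`), and an `AllowedToDelegate` list on computer objects. The sample data embedded below is constructed.

```python
import json

# Constructed sample of a SharpHound users file (not captured from a real domain).
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
         "Properties": {"name": "SVC_SQL@CORP.LOCAL", "hasspn": True, "enabled": True,
                        "serviceprincipalnames": ["MSSQLSvc/sql01.corp.local:1433"]}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
         "Properties": {"name": "ALICE@CORP.LOCAL", "hasspn": False, "enabled": True}},
    ],
    "meta": {"type": "users", "count": 2, "version": 5},
})

# Constructed sample of a SharpHound computers file.
SAMPLE_COMPUTERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1001",
         "Properties": {"name": "DC01.CORP.LOCAL", "unconstraineddelegation": True, "haslaps": False},
         "AllowedToDelegate": []},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1002",
         "Properties": {"name": "WEB01.CORP.LOCAL", "unconstraineddelegation": False, "haslaps": True},
         "AllowedToDelegate": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1003", "ObjectType": "Computer"}]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1003",
         "Properties": {"name": "SQL01.CORP.LOCAL", "unconstraineddelegation": False, "haslaps": False},
         "AllowedToDelegate": []},
    ],
    "meta": {"type": "computers", "count": 3, "version": 5},
})


def load_sharphound(raw, expected_type):
    """Parse one SharpHound JSON file and refuse it if it holds the wrong object type."""
    doc = json.loads(raw)
    actual = doc.get("meta", {}).get("type")
    if actual != expected_type:
        raise ValueError(f"expected a '{expected_type}' file, got '{actual}'")
    return doc["data"]


def users_with_spn(users):
    # Mirrors: MATCH (u:User {hasspn:true}) RETURN u
    return sorted(u["Properties"]["name"] for u in users if u["Properties"].get("hasspn"))


def unconstrained_delegation(computers):
    # Mirrors: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
    return sorted(c["Properties"]["name"] for c in computers
                  if c["Properties"].get("unconstraineddelegation"))


def constrained_delegation(computers):
    # Mirrors: MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
    # Target entries are SIDs, so resolve them back to computer names for readable output.
    sid_to_name = {c["ObjectIdentifier"]: c["Properties"]["name"] for c in computers}
    edges = []
    for c in computers:
        for target in c.get("AllowedToDelegate", []):
            tsid = target["ObjectIdentifier"]
            edges.append((c["Properties"]["name"], sid_to_name.get(tsid, tsid)))
    return sorted(edges)


def laps_coverage(computers):
    # Mirrors: MATCH (c:Computer {haslaps: true}) RETURN c, and also lists the gaps,
    # which is the list a defender acts on.
    enabled = sorted(c["Properties"]["name"] for c in computers if c["Properties"].get("haslaps"))
    missing = sorted(c["Properties"]["name"] for c in computers if not c["Properties"].get("haslaps"))
    return {"enabled": enabled, "missing": missing}


def audit(users_raw, computers_raw):
    """Run all four checks over a users file and a computers file and return the findings."""
    users = load_sharphound(users_raw, "users")
    computers = load_sharphound(computers_raw, "computers")
    return {
        "users_with_spn": users_with_spn(users),
        "unconstrained_delegation": unconstrained_delegation(computers),
        "constrained_delegation": constrained_delegation(computers),
        "laps": laps_coverage(computers),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_USERS_JSON, SAMPLE_COMPUTERS_JSON).items():
        print(f"{finding}: {value}")
```

Run it as-is to see the sample findings, or replace the two constants with the contents of the users and computers JSON files from the collector's zip. Domain controllers always appear under unconstrained delegation because they are trusted for delegation by design, so that list is most useful once DCs are filtered out; the `missing` half of the LAPS result is what a defender should act on.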

PowerView

PowerView, while a little dated now, is still a reliable tool for performing domain reconnaissance. Note that high privileges are not required to run PowerView; a standard authenticated domain user account is sufficient.

# Import PowerView.ps1 
. .\PowerView.ps1

# Return basic information about the domain and domain controllers
Get-Domain
Get-DomainController

# Return all domain users
Get-DomainUser -Properties DisplayName, MemberOf | fl

# Return all domain computers
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Return all domain trusts
Get-DomainTrust
