Domain Enumeration: Bloodhound

https://github.com/BloodHoundAD/BloodHound

Supply data to bloodhound :

PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Import-Module .\SharpHound.ps1

PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Invoke-BloodHound -CollectionMethod all –Verbose

Now download the file

https://neo4j.com/download-center/#community

extract the file  and go to bin folder

PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9> cd .\bin\

PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin> dir

Now on terminal

C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat install-service

C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat start

Now download

https://github.com/BloodHoundAD/BloodHound/releases

BloodHound-win32-x64.zip file

After extraction double click on BloodHound.exe file.

Before get it login we have to change the credential through browser.

Now on browser

http://localhost:7474/browser/

After putting credential click login and we are in and pop uo with change password request . Now set the new password and click change password.

Now go back to BloodHound.exe open session

Username : neo4j

Password : test@123

And we are in

Now the file which we generated by bloodhound command on PS we get once zip file in out use that file here.

Now data is uploaded.

Click on queries -> click on Find all domain admins.

Find shortest path to domain admins.

When we select dcsync right option from the list we get.

Now try domain trust .

Now select shortest paths to unconstrained delegation system:

If we like to see the source and target connection.

Other option you all can also try to figure out other facts.

@Saksham Dixit