Bloodhound is a great tool, created by Rohan Vazarkar (@CptJesus) and Will Schroeder (@harmj0y). It can help you find your way around a domain and can map routes/paths to target machines or accounts in Active Directory. It’s really useful when you first find yourself on a network and just requires a domain joined machine to run it from.

In the most recent Kali update apparently Bloodhound is included as a package but alternatively a really useful set of instructions can be found on the github wiki page here:


Bloodhound consists of two stages:

  1. The collection of data
  2. Import & analysis


The collection of data

To run the Bloodhound query you need the Bloodhound.ps1 script which can be found here:

On the domain joined machine:


  1. Launch powershell.
  2. In many cases the running of scripts is disabled – you will likely be able to get around that by running the following command:
    Powershell –exec bypass
  3. Now import the script into Powershell:
    Import-Module ./Bloodhound.ps1
  4. Then collect data:
  5. You should see 3 or 4 CSV files created, as long as some of them actually contain some data then it has worked.
Import & Analysis

Take these CSVs back to your Kali box and Import them into Bloodhound for perusal at your leisure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s