Bloodhound is a great tool, created by Rohan Vazarkar (@CptJesus) and Will Schroeder (@harmj0y). It can help you find your way around a domain and can map routes/paths to target machines or accounts in Active Directory. It's really useful when you first find yourself on a network, and it just requires a domain-joined machine to run it from.
In the most recent Kali update Bloodhound is apparently included as a package; alternatively, a really useful set of instructions can be found on the GitHub wiki page here: https://github.com/BloodHoundAD/BloodHound/wiki
Bloodhound consists of two stages:
- The collection of data
- Import & analysis
The collection of data
To run the Bloodhound query you need the Bloodhound.ps1 script which can be found here: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1
On the domain joined machine:
- Launch PowerShell.
- In many cases the running of scripts is disabled – you will likely be able to get around that by running the following command:
powershell -exec bypass
- Now import the script into Powershell:
- Then collect data:
- You should see 3 or 4 CSV files created; as long as some of them actually contain data, it has worked.
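The collection stage above, scripted end to end as an added example (this is not code from the original post or from the BloodHound project). It assumes BloodHound.ps1 from the URL above has been saved to the current directory, that it runs on a domain-joined machine as an account that can query the domain, and that the output folder name is just a choice. The `-CSVFolder` and `-CSVPrefix` parameter names are those of the PowerShell ingestor of that era; if your copy of the script differs, `Get-Help Invoke-BloodHound -Detailed` shows the current ones. Instead of launching a fresh `powershell -exec bypass` it lifts the execution policy for this process only, which has the same effect and leaves the machine-wide policy untouched, and it finishes with the "do the CSVs contain data" check from the last step.

```powershell
# Added example, not from the original post: BloodHound collection stage, start to finish.
# Assumptions: BloodHound.ps1 is in the current directory; we are on a domain-joined host;
# $OutDir is an arbitrary output folder; parameter names match the PowerShell ingestor
# of that era (check Get-Help Invoke-BloodHound -Detailed if they differ).

$OutDir = Join-Path $env:TEMP 'bh-collect'   # assumed output folder, change as needed
$Prefix = 'run1'                               # assumed prefix so runs are easy to tell apart
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: allow script execution for this process only (equivalent to 'powershell -exec bypass',
# but the setting dies with the session rather than changing the machine-wide policy).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Step 2: import the collector so that Invoke-BloodHound becomes available.
Import-Module .\BloodHound.ps1

# Step 3: collect. Output lands in $OutDir as <prefix>_*.csv files.
Invoke-BloodHound -CSVFolder $OutDir -CSVPrefix $Prefix

# Step 4: the sanity check from the post - several CSV files, some of which hold real rows.
$csvs = @(Get-ChildItem -Path $OutDir -Filter "$Prefix*.csv")
$populated = 0
foreach ($f in $csvs) {
    # Import-Csv skips the header, so the count is the number of data rows.
    $rows = @(Import-Csv -Path $f.FullName).Count
    if ($rows -gt 0) { $populated++ }
    '{0,-45} {1,7} rows' -f $f.Name, $rows
}

if ($csvs.Count -lt 3) {
    Write-Warning "Only $($csvs.Count) CSV file(s) produced; the collection probably did not complete."
}
elseif ($populated -eq 0) {
    Write-Warning 'CSV files exist but are all empty; check that the account can query the domain.'
}
else {
    "Collection looks good: $populated of $($csvs.Count) files contain data. Copy $OutDir to the Kali box for import."
}
```

The row count is the quickest way to spot a silent failure: a run that produced the expected file names but no rows usually means the account could not enumerate sessions or group membership, and importing those files into Bloodhound would just give you an empty graph.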
Import & Analysis
Take these CSVs back to your Kali box and import them into Bloodhound for perusal at your leisure.