# Bloodhound

## Documentation

{% embed url="<https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html>" %}

## Install

```
git clone https://github.com/BloodHoundAD/BloodHound
```

```
wget https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-linux-x64.zip
```


## Bloodhound database

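```
# Python driver used by DBCreator to talk to neo4j
pip install neo4j-driver
git clone https://github.com/BloodHoundAD/BloodHound-Tools.git
# DBCreator.py lives in the DBCreator directory of the repository
cd BloodHound-Tools/DBCreator
python DBCreator.py
```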

```
/opt/BloodHound/BloodHound-linux-x64/BloodHound-Tools/DBCreator/
```


```
apt install bloodhound
apt install neo4j

neo4j console
```


Visit the neo4j browser first: <http://localhost:7474>


## Bloodhound Start

```
bloodhound --no-sandbox
```


## Bloodhound Kali collector

{% embed url="<https://github.com/fox-it/BloodHound.py>" %}

### Install

```
pip install impacket
pip install ldap3
pip install bloodhound
```

```
git clone https://github.com/fox-it/BloodHound.py.git
```

### Start

```
./bloodhound.py -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210
```


### Collection Method ALL

`-c` stands for collection method, as you can see in the help output.

```
./bloodhound.py -c all -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210
```

### Help

```
┌──(kali㉿kali)-[/opt/BloodHound/BloodHound.py]
└─$ ./bloodhound.py --help    
usage: bloodhound.py [-h] [-c COLLECTIONMETHOD] [-d DOMAIN] [-v] [-u USERNAME] [-p PASSWORD] [-k] [--hashes HASHES] [-no-pass]
                     [-aesKey hex key] [--auth-method {auto,ntlm,kerberos}] [-ns NAMESERVER] [--dns-tcp]
                     [--dns-timeout DNS_TIMEOUT] [-dc HOST] [-gc HOST] [-w WORKERS] [--exclude-dcs] [--disable-pooling]
                     [--disable-autogc] [--zip] [--computerfile COMPUTERFILE] [--cachefile CACHEFILE]

Python based ingestor for BloodHound
For help or reporting issues, visit https://github.com/Fox-IT/BloodHound.py

options:
  -h, --help            show this help message and exit
  -c COLLECTIONMETHOD, --collectionmethod COLLECTIONMETHOD
                        Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default (all previous),
                        DCOnly (no computer connections), DCOM, RDP,PSRemote, LoggedOn, Container, ObjectProps, ACL, All (all
                        except LoggedOn). You can specify more than one by separating them with a comma. (default: Default)
  -d DOMAIN, --domain DOMAIN
                        Domain to query.
  -v                    Enable verbose output

authentication options:
  Specify one or more authentication options. 
  By default Kerberos authentication is used and NTLM is used as fallback. 
  Kerberos tickets are automatically requested if a password or hashes are specified.

  -u USERNAME, --username USERNAME
                        Username. Format: username[@domain]; If the domain is unspecified, the current domain is used.
  -p PASSWORD, --password PASSWORD
                        Password
  -k, --kerberos        Use kerberos
  --hashes HASHES       LM:NLTM hashes
  -no-pass              don't ask for password (useful for -k)
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  --auth-method {auto,ntlm,kerberos}
                        Authentication methods. Force Kerberos or NTLM only or use auto for Kerberos with NTLM fallback

collection options:
  -ns NAMESERVER, --nameserver NAMESERVER
                        Alternative name server to use for queries
  --dns-tcp             Use TCP instead of UDP for DNS queries
  --dns-timeout DNS_TIMEOUT
                        DNS query timeout in seconds (default: 3)
  -dc HOST, --domain-controller HOST
                        Override which DC to query (hostname)
  -gc HOST, --global-catalog HOST
                        Override which GC to query (hostname)
  -w WORKERS, --workers WORKERS
                        Number of workers for computer enumeration (default: 10)
  --exclude-dcs         Skip DCs during computer enumeration
  --disable-pooling     Don't use subprocesses for ACL parsing (only for debugging purposes)
  --disable-autogc      Don't automatically select a Global Catalog (use only if it gives errors)
  --zip                 Compress the JSON output files into a zip archive
  --computerfile COMPUTERFILE
                        File containing computer FQDNs to use as allowlist for any computer based methods
  --cachefile CACHEFILE
                        Cache file (experimental)
```

