BloodHound

BloodHound is a powerful tool used for analyzing Active Directory (AD) environments. It leverages graph theory to reveal hidden relationships and attack paths within an AD network. By collecting data about users, groups, computers, and their relationships, BloodHound helps penetration testers and security professionals identify potential vulnerabilities and misconfigurations that could be exploited by attackers.

Installation

Most penetration-testing Linux distributions ship with BloodHound pre-installed. You can also download it from the official GitHub repository: BloodHound GitHub

You can also download the BloodHound CLI tool from the releases page:

BloodHound-python

bloodhound-python is a popular BloodHound data collection tool written in Python. It gathers information from an Active Directory environment and generates the data files needed for BloodHound analysis. You can install bloodhound-python using the Linux package manager:

sudo apt install -y bloodhound-python

Usage

BloodHound: Bloodhound-python

This example demonstrates how to use the bloodhound-python tool to collect data from an Active Directory environment and visualize it using the BloodHound GUI.

bloodhound-python -c All -d 'north.sevenkingdoms.local' -u 'samwell.tarly' -p 'Heartsbane' -ns 10.10.10.11 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: north.sevenkingdoms.local
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: Done in 00M 00S
INFO: Compressing output into 20251212192333_bloodhound.zip

After running the above command, a ZIP file named 20251212192333_bloodhound.zip will be created. You can then open this file using the BloodHound GUI to visualize the collected data and analyze the Active Directory environment.
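
Before importing the archive, it can help to confirm that each JSON file in it holds as many objects as its metadata declares, and to compare those totals with the collector's INFO lines. The Python sketch below is an added example, not part of bloodhound-python; it assumes each JSON file has a top-level data list and a meta object with type and count fields, and the sample archive it builds is constructed.

```python
import io
import json
import zipfile

def summarize_collection(zip_source):
    """Return {object_type: {"declared": n, "actual": n, "ok": bool}} for a collector ZIP.

    zip_source is a path or a binary file-like object.
    """
    summary = {}
    with zipfile.ZipFile(zip_source) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".json"):
                continue
            # utf-8-sig tolerates the byte-order mark that some collectors write.
            doc = json.loads(archive.read(name).decode("utf-8-sig"))
            meta = doc.get("meta", {})   # assumed layout: {"type": ..., "count": ...}
            data = doc.get("data", [])   # assumed layout: list of collected objects
            # Fall back to the file-name suffix if meta.type is missing.
            kind = meta.get("type") or name.rsplit("_", 1)[-1][:-5]
            declared = meta.get("count")
            summary[kind] = {
                "declared": declared,
                "actual": len(data),
                "ok": declared == len(data),
            }
    return summary

def build_sample_zip():
    """Constructed sample: a tiny in-memory archive shaped like collector output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        users = {"data": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1001"},
                          {"ObjectIdentifier": "S-1-5-21-0-0-0-1002"}],
                 "meta": {"type": "users", "count": 2, "version": 5}}
        # Deliberately inconsistent: meta claims 3 groups, only 1 is present.
        groups = {"data": [{"ObjectIdentifier": "S-1-5-21-0-0-0-512"}],
                  "meta": {"type": "groups", "count": 3, "version": 5}}
        archive.writestr("20250101000000_users.json", json.dumps(users))
        # Leading BOM added on purpose to exercise the utf-8-sig decoding path.
        archive.writestr("20250101000000_groups.json", "\ufeff" + json.dumps(groups))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for kind, row in summarize_collection(build_sample_zip()).items():
        flag = "OK" if row["ok"] else "MISMATCH"
        print(f"{kind:<12} declared={row['declared']} actual={row['actual']} {flag}")
```

A MISMATCH row, or a total that differs from the "Found N users" style lines in the collector output, points to a truncated or partially written archive that should be recollected rather than imported.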

BloodHound: NetExec

This example demonstrates how to use the NetExec tool (nxc) to run BloodHound data collection against a remote Windows machine over LDAP using valid credentials.

nxc ldap 10.1.81.88 -u faraday -p 'hacksmarter123' --bloodhound --collection ALL --dns-server 10.1.81.88
SMB         10.1.81.88      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:False)
LDAP        10.1.81.88      389    DC01             [+] hacksmarter.local\faraday:hacksmarter123 
LDAP        10.1.81.88      389    DC01             Resolved collection methods: trusts, session, dcom, rdp, objectprops, localadmin, psremote, container, acl, group
LDAP        10.1.81.88      389    DC01             Done in 00M 04S
LDAP        10.1.81.88      389    DC01             Compressing output into /home/parrot/.nxc/logs/DC01_10.1.81.88_2025-11-20_224934_bloodhound.zip