Mapping Network using Sharphound

Bloodhound is the de facto tool when it comes to mapping the network in the Internal Assessment's post exploitation phase. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Earlier Bloodhound was using powershell (v2) script as ingestor to enumerate all the information. But this ps1 script was lacking threading capabilities, which plays important role in mapping large network's. So later that Sharphound a C# based ingestor was introduced which overcomes all and maps network seamlessly. 

Lets see how to use this tool, suppose you compromised the valid internal Domain user credentials and you want to map the network to find path to privileged users. Download latest binary of Sharphound and from attacker machine you can connect to domain by typing runas.exe /netonly /user:<DOMAIN>\Username cmd.exe. If the credentials are correct, new cmd prompt would be launched with compromised user privileges. In newly opened cmd prompt, type below shown command were IP address represents DC IP and -c represents All (Group, LocalGroup, Session, LoggedOn, ComputerOnly, Trusts, ACL, ObjectProps, Container) collection methods.

Sharphound also have some new collection methods, to generate less requests over wire.
Stealth - Performs stealth collection methods. All stealth options are single threaded.
ExcludeDc - Excludes domain controllers from session enumeration (avoids Microsoft ATA flags :) )

Running above command would generate the multiple CSV's with all data. But if you want to enumerate more sessions in the network, Sharphound got new collection method called SessionLoop. It runs the session's collection loop for infinite time (or until you dont stop it), you would see the increase in size of sessions.csv file. This method enumerates more no. of sessions over the network in turn more path's to derivative admins.

Now you can take all the generated CSV and import in Bloodhound UI to draw different mapping and gain derivative admins. If you never installed Bloodhound, you can install using standalone powershell script by @SadProcessor on Windows 10 (64 bit machine).



  1. Great blog. All posts have something to learn. Your work is very good and i appreciate you and hopping for some more informative posts. Offshore dedicated hosting

  2. This comment has been removed by the author.

  3. To find computers connected to your PC through a network, click the Navigation Pane's Network category. Clicking Network lists every PC that's connected to your own PC in a traditional network. Clicking Homegroup in the Navigation Pane lists Windows PCs in your Homegroup, a simpler way to share files. windows 10 hosting

  4. The processor is among the foremost critical parts of the portable workstation since it allows the computer to operate. It can peruse the code put away within the memory of the computer and tell the other parts to do what the code states. flash storage

  5. It is really a helpful blog to find some different source to add my knowledge. IT Support Brisbane

  6. Hello, I must say it was a very helpful blog post. Very Informative and interesting as well, I am looking forward to reading more. Thanks for sharing.

    If you’ve been entrusted with a IELTS Coaching In Delhi and are looking for information, come here. They’ll consult with you and help you figure out what you need to know.


Post a Comment

Popular Posts