Mapping Network using Sharphound

Bloodhound is the de facto tool when it comes to mapping the network in the Internal Assessment's post exploitation phase. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Earlier Bloodhound was using powershell (v2) script as ingestor to enumerate all the information. But this ps1 script was lacking threading capabilities, which plays important role in mapping large network's. So later that Sharphound a C# based ingestor was introduced which overcomes all and maps network seamlessly. 

Lets see how to use this tool, suppose you compromised the valid internal Domain user credentials and you want to map the network to find path to privileged users. Download latest binary of Sharphound and from attacker machine you can connect to domain by typing runas.exe /netonly /user:<DOMAIN>\Username cmd.exe. If the credentials are correct, new cmd prompt would be launched with compromised user privileges. In newly opened cmd prompt, type below shown command were IP address represents DC IP and -c represents All (Group, LocalGroup, Session, LoggedOn, ComputerOnly, Trusts, ACL, ObjectProps, Container) collection methods.

Sharphound also have some new collection methods, to generate less requests over wire.
Stealth - Performs stealth collection methods. All stealth options are single threaded.
ExcludeDc - Excludes domain controllers from session enumeration (avoids Microsoft ATA flags :) )

Running above command would generate the multiple CSV's with all data. But if you want to enumerate more sessions in the network, Sharphound got new collection method called SessionLoop. It runs the session's collection loop for infinite time (or until you dont stop it), you would see the increase in size of sessions.csv file. This method enumerates more no. of sessions over the network in turn more path's to derivative admins.

Now you can take all the generated CSV and import in Bloodhound UI to draw different mapping and gain derivative admins. If you never installed Bloodhound, you can install using standalone powershell script by @SadProcessor on Windows 10 (64 bit machine).



  1. Great blog. All posts have something to learn. Your work is very good and i appreciate you and hopping for some more informative posts. Offshore dedicated hosting

  2. Thanks for sharing an informative blog keep rocking bring more details.I like the helpful info you provide in your articles. I’ll bookmark your weblog and check again here regularly. I am quite sure I will learn much new stuff right here! Good luck for the next!
    mobile application development training online
    mobile app development course
    mobile application development course
    learn mobile application development
    mobile app development training
    app development training
    mobile application development training
    mobile app development course online
    online mobile application development


Post a Comment

Popular Posts