Domain Enumeration using BloodHound

Aditya Jha
2 min readJul 15


Bloodhound Overview

Bloodhound is a tool which is used to download the data essentially of Active directory and it will visualize the data in a graph. So that we are going to be able to identify a lot of information about a network very quickly.

Command to install Bloodhound: sudo apt install bloodhound

Now we have to setup neo4j,

Command: neo4j console

Now we have to open that localhost link and have to set a new password.

Default credentials are neo4j and neo4j as username and password respectively.

After changing the password, we will close the browser and open another tab in the terminal and execute the command: bloodhound

and we will get the login page of bloodhound. We will login with our credentials.

Grabbing Data with Invoke-Bloodhound

Now we will firstly download the sharphound.ps1 file from GitHub and now we will open the Command prompt in our windows 10 machine and execute the command: powershell -ep bypass

Now we will execute the command to collect the data of Domain.

Command: Invoke-BloodHound -collectionMethod All -Domain <Domain name> -ZipFileName

Now a file will be created, Now we will copy this file and paste it in our Host OS and then copy from there and paste it in our Kali Machine.

Enumerating Domain Data with BloodHound

Now we have the file in our Kali machine and now we will open BloodHound and click on upload Data(on the right side).

And then we will select the file.

Now after selecting the file, we will click on the hamburger sign(on the left top)

Now we can see:

Now if we go to Queries then we can see that there are pre-built queries.

And if we click on “Find all Domain Admins”: