Bloodhound & ldapdomaindump

Basics

Bloodhound is one of the most important enumeration tools for Active Directory domains. It lets you analyze the relationships between objects such as users, computers, groups and policies. In particular, Bloodhound displays the relationships that can be used for lateral movement and privilege escalation as a graph, which makes them easy to analyze.
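To illustrate the graph model described above, the following added example (not part of the original page and not Bloodhound's own code) runs a breadth-first search over a few constructed relationship edges and reports which single relationships, once removed, leave no path to Domain Admins. All user, group and host names are made-up sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data: (source, relationship, target). All names are made up;
# the relationship labels mirror edge types Bloodhound shows in its graph.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "SRV01.CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "SRV01.CORP.LOCAL"),
    ("SRV01.CORP.LOCAL", "HasSession", "DA_BOB@CORP.LOCAL"),
    ("DA_BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
]
DA = "DOMAIN ADMINS@CORP.LOCAL"


def shortest_path(edges, start, target):
    """Breadth-first search; returns the hops as (src, rel, dst) or None."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    came_from, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while came_from[node] is not None:
                hops.append(came_from[node])
                node = came_from[node][0]
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in came_from:
                came_from[nxt] = (node, rel, nxt)
                queue.append(nxt)
    return None


def choke_points(edges, start, target):
    """Hops whose removal alone leaves start with no route to target."""
    path = shortest_path(edges, start, target) or []
    return [hop for hop in path
            if shortest_path([e for e in edges if e != hop], start, target) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "ALICE@CORP.LOCAL", DA):
        print(f"{src} -[{rel}]-> {dst}")
    print("Remediation candidates:", choke_points(EDGES, "ALICE@CORP.LOCAL", DA))
```

The HELPDESK to SRV01 hop is not reported as a choke point because a second route through SVC_BACKUP exists, which is the kind of redundancy the graph view makes visible.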

Bloodhound

bloodhound-python

bloodhound-python -u <USER> -d <DOMAIN> -p <PASSWORD> -c all -ns <NAMESERVER/DC_IP> --zip

Kerberos-only:

bloodhound-python -u <USER> -d <DOMAIN> -p <PASSWORD> -c all -k -ns <NAMESERVER/DC_IP> --zip

NetExec

nxc ldap <IP> -u <USER> -p <PASSWORD> --bloodhound --collection All

Kerberos-only:

nxc ldap <IP> -u <USER> -p <PASSWORD> -k --bloodhound --collection All

ldapdomaindump

ldapdomaindump --no-json --no-grep -o <OUT_FILE> -r <DC_IP> -u <DOMAIN>\\<USERNAME> -p '<PASSWORD>'

ldapdomaindump currently has no support for Kerberos authentication. Always fetch the output as HTML (hence --no-json and --no-grep) for better visualization in a browser.


Last updated 5 months ago
