BloodHound & Other Active Directory Enumeration Tools
Reading time: 3 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
NOTE: This page groups some of the most useful utilities to enumerate and visualise Active Directory relationships. For collection over the stealthy Active Directory Web Services (ADWS) channel check the reference above.
AD Explorer
AD Explorer (Sysinternals) is an advanced AD viewer & editor which allows:
- GUI browsing of the directory tree
- Editing of object attributes & security descriptors
- Snapshot creation / comparison for offline analysis
Quick usage
- Start the tool and connect to
dc01.corp.local
with any domain credentials. - Create an offline snapshot via
File ➜ Create Snapshot
. - Compare two snapshots with
File ➜ Compare
to spot permission drifts.
ADRecon
ADRecon extracts a large set of artefacts from a domain (ACLs, GPOs, trusts, CA templates …) and produces an Excel report.
# On a Windows host in the domain
PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon
BloodHound (graph visualisation)
BloodHound uses graph theory + Neo4j to reveal hidden privilege relationships inside on-prem AD & Azure AD.
Deployment (Docker CE)
curl -L https://ghst.ly/getbhce | docker compose -f - up
# Web UI ➜ http://localhost:8080 (user: admin / password from logs)
Collectors
SharpHound.exe
/Invoke-BloodHound
– native or PowerShell variantAzureHound
– Azure AD enumeration- SoaPy + BOFHound – ADWS collection (see link at top)
Common SharpHound modes
SharpHound.exe --CollectionMethods All # Full sweep (noisy)
SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
SharpHound.exe --Stealth --LDAP # Low noise LDAP only
The collectors generate JSON which is ingested via the BloodHound GUI.
Group3r
Group3r enumerates Group Policy Objects and highlights misconfigurations.
# Execute inside the domain
Group3r.exe -f gpo.log # -s to stdout
PingCastle
PingCastle performs a health-check of Active Directory and generates an HTML report with risk scoring.
PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.