BloodHound & Other Active Directory Enumeration Tools
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
NOTE: This page groups some of the most useful utilities to enumerate and visualise Active Directory relationships. For collection over the stealthy Active Directory Web Services (ADWS) channel check the reference above.
AD Explorer
AD Explorer (Sysinternals) is an advanced AD viewer & editor which allows:
- GUI browsing of the directory tree
- Editing of object attributes & security descriptors
- Snapshot creation / comparison for offline analysis
Quick usage
- Start the tool and connect to dc01.corp.local with any domain credentials.
- Create an offline snapshot via File → Create Snapshot.
- Compare two snapshots with File → Compare to spot permission drift.
ADRecon
ADRecon extracts a large set of artefacts from a domain (ACLs, GPOs, trusts, CA templates …) and produces an Excel report.
# On a Windows host in the domain
PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon
BloodHound (graph visualisation)
BloodHound uses graph theory + Neo4j to reveal hidden privilege relationships inside on-prem AD & Azure AD.
Deployment (Docker CE)
curl -L https://ghst.ly/getbhce | docker compose -f - up
# Web UI → http://localhost:8080 (user: admin / initial password is printed in the container logs)
Collectors
- SharpHound.exe / Invoke-BloodHound: native or PowerShell variant
- AzureHound: Azure AD enumeration
- SoaPy + BOFHound: ADWS collection (see link at top)
Common SharpHound modes
SharpHound.exe --CollectionMethods All                  # Full sweep (noisy: connects to every computer for sessions/local groups)
SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
SharpHound.exe --CollectionMethods DCOnly --Stealth     # Low noise: LDAP against the DCs only, no host connections
The collectors write JSON files (zipped by default) which are ingested via the BloodHound GUI.
Privilege & logon-right collection
Windows token privileges (e.g., SeBackupPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege) can bypass DACL checks, so mapping them domain-wide exposes local LPE edges that ACL-only graphs miss. Logon rights (SeInteractiveLogonRight, SeRemoteInteractiveLogonRight, SeNetworkLogonRight, SeServiceLogonRight, SeBatchLogonRight and their SeDeny* counterparts) are enforced by LSA before a token even exists, and denies take precedence, so they materially gate lateral movement (RDP/SMB/scheduled task/service logon).
Run collectors elevated when possible: UAC creates a filtered token for interactive admins (via NtFilterToken), stripping sensitive privileges and marking admin SIDs as deny-only. If you enumerate privileges from a non-elevated shell, high-value privileges will be invisible and BloodHound wonβt ingest the edges.
Two complementary SharpHound collection strategies now exist:
- GPO/SYSVOL parsing (stealthy, low-privilege):
  - Enumerate GPOs over LDAP ((objectCategory=groupPolicyContainer)) and read each gPCFileSysPath.
  - Fetch MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf from SYSVOL and parse the [Privilege Rights] section, which maps privilege/logon-right names to SIDs.
  - Resolve GPO links via gPLink on OUs/sites/domains, list computers in the linked containers, and attribute the rights to those machines.
  - Upside: works with a normal user and is quiet; downside: only sees rights pushed via GPO (local tweaks are missed).
- LSA RPC enumeration (noisy, accurate):
  - From a context with local admin on the target, open the Local Security Policy and call LsaEnumerateAccountsWithUserRight for each privilege/logon right to enumerate assigned principals over RPC.
  - Upside: captures rights set locally or outside GPO; downside: noisy network traffic and admin requirement on every host.
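The GPO/SYSVOL strategy above, as an added worked example (not SharpHound's code): the two parsing steps, [Privilege Rights] out of GptTmpl.inf and GPO links out of gPLink, run over constructed sample inputs with made-up GUIDs and SIDs, so the LDAP and SMB fetches are assumed to have already happened. It also applies a detail the bullets leave implicit: User Rights Assignment is replaced, not merged, by the highest-precedence GPO that defines a right, so a naive union over all linked GPOs over-reports who holds a privilege.

```python
"""Resolve GPO-pushed privilege/logon rights for the computers in one container.
Added example for this page; not SharpHound code. Inputs below are constructed."""
import re

# Constructed sample: GptTmpl.inf bodies keyed by GPO GUID. The real files live under
# \\<domain>\SYSVOL\<domain>\Policies\<GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# and are UTF-16LE on disk (decode with encoding="utf-16" before parsing). GUIDs/SIDs are made up.
GPT_TMPL_INF = {
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
""",
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": """[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
""",
    "{9E1E2C41-5B0F-4F3B-8F1D-2F4E7A6B1C22}": """[Privilege Rights]
SeDebugPrivilege = *S-1-1-0
""",
}

# Constructed sample: gPLink attribute of the OU holding the servers. Entries are
# "[LDAP://<GPO DN>;<flags>]"; the first entry is link order 1 (highest precedence, applied last).
# flags bit 0 = link disabled, bit 1 = enforced.
GPLINK = (
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;0]"
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;2]"
    "[LDAP://cn={9E1E2C41-5B0F-4F3B-8F1D-2F4E7A6B1C22},cn=policies,cn=system,DC=corp,DC=local;1]"
)

GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=(\{[0-9A-F-]+\})", re.IGNORECASE)


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.
    Principals prefixed with '*' are SIDs (prefix stripped); bare tokens are account
    names that still need LDAP resolution and are kept verbatim. An empty value is a
    real setting ("nobody holds this right") and is returned as an empty list."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def parse_gplink(gplink):
    """Return [(gpo_guid, enforced), ...] in gPLink order, skipping disabled links."""
    links = []
    for dn, flags in GPLINK_RE.findall(gplink):
        flags = int(flags)
        if flags & 1:
            continue  # disabled link: the GPO is not applied to this container
        match = GUID_RE.search(dn)
        if match:
            links.append((match.group(1).upper(), bool(flags & 2)))
    return links


def effective_rights(gplink, inf_by_guid):
    """Rights that reach computers in this container. Walk from lowest precedence
    (last link) to highest and let each later GPO overwrite whole right entries,
    because user rights are not merged across GPOs. Site/domain inheritance and
    the enforced flag across the LSDOU chain are not modelled here."""
    effective = {}
    for guid, _enforced in reversed(parse_gplink(gplink)):
        inf = inf_by_guid.get(guid)
        if inf is None:
            continue  # GPO without a security template (e.g. fetch failed or none defined)
        effective.update(parse_privilege_rights(inf))
    return effective


if __name__ == "__main__":
    for right, sids in sorted(effective_rights(GPLINK, GPT_TMPL_INF).items()):
        print(f"{right:32s} {', '.join(sids) or '<nobody>'}")
```

Note that Backup Operators (S-1-5-32-551) from the lower-precedence GPO do not appear in the SeBackupPrivilege result: the higher-precedence GPO replaced the list, and a collector that unions instead would create a false LPE edge. When a right is absent from every linked GPO the local default still applies, which is exactly the gap the LSA RPC strategy closes.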
Example abuse path surfaced by these edges: CanRDP → host where your user also has SeBackupPrivilege → start an elevated shell to avoid filtered tokens → use backup semantics to read the SAM and SYSTEM hives despite restrictive DACLs → exfiltrate them and run secretsdump.py offline to recover the local Administrator NT hash for lateral movement/privilege escalation.
Prioritising Kerberoasting with BloodHound
Use graph context to keep roasting targeted:
- Collect once with an ADWS-compatible collector and work offline:
  rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z
- Import the ZIP, mark the compromised principal as owned, and run built-in queries (Kerberoastable Users, Shortest Paths to Domain Admins) to surface SPN accounts with admin/infra rights.
- Prioritise SPNs by blast radius; review pwdLastSet, lastLogon, and allowed encryption types before cracking.
- Request only selected tickets, crack offline, then re-query BloodHound with the new access:
  netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql
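The prioritisation step above, as an added example that is not part of this page or of the referenced write-up: it ranks constructed SPN-account records (LDAP attribute names, made-up values, a fixed clock so the run is reproducible) by the criteria the bullets name: admin membership, whether an RC4-encrypted ticket is obtainable according to msDS-SupportedEncryptionTypes, password age decoded from the FILETIME pwdLastSet, and recent lastLogon. The scoring weights are an assumption of this example, not a BloodHound query.

```python
"""Rank Kerberoast candidates before requesting any ticket. Added example; sample data is constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# msDS-SupportedEncryptionTypes bit flags
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
UAC_ACCOUNTDISABLE = 0x2
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" for a reproducible run


def filetime_to_datetime(ft):
    """pwdLastSet/lastLogon are FILETIME: 100 ns ticks since 1601-01-01 UTC. 0 means never."""
    if not ft:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer arithmetic: the microsecond count exceeds float53 precision for modern dates
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample: what (&(servicePrincipalName=*)(objectCategory=person)) might return.
USERS = [
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": _ft(2015, 3, 10), "lastLogon": _ft(2025, 5, 30),
     "msDS-SupportedEncryptionTypes": None, "adminCount": 1, "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": _ft(2024, 11, 2), "lastLogon": _ft(2025, 5, 29),
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS, "adminCount": 0, "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-legacy", "servicePrincipalName": ["CIFS/legacy01.corp.local"],
     "pwdLastSet": _ft(2012, 1, 5), "lastLogon": _ft(2019, 2, 1),
     "msDS-SupportedEncryptionTypes": RC4_HMAC, "adminCount": 0, "userAccountControl": 0x10202},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "pwdLastSet": _ft(2018, 6, 1), "lastLogon": 0,
     "msDS-SupportedEncryptionTypes": None, "adminCount": 1, "userAccountControl": 0x10202},
]


def describe_etypes(enc):
    """Human label for the etypes the KDC may use. Unset on a user object means the domain
    default applies, which still yields an RC4-encrypted service ticket on most domains."""
    if not enc:
        return "RC4 (default, attribute unset)"
    parts = []
    if enc & (DES_CBC_CRC | DES_CBC_MD5):
        parts.append("DES")
    if enc & RC4_HMAC:
        parts.append("RC4")
    if enc & (AES128_CTS | AES256_CTS):
        parts.append("AES")
    return "+".join(parts) or f"0x{enc:x}"


def prioritise(users, now=NOW):
    """Score each roastable account; weights are this example's assumption."""
    ranked = []
    for u in users:
        if u["sAMAccountName"].lower() == "krbtgt" or u["userAccountControl"] & UAC_ACCOUNTDISABLE:
            continue  # krbtgt is not crackable in practice; disabled accounts yield no ticket
        enc = u["msDS-SupportedEncryptionTypes"] or 0
        rc4_possible = enc == 0 or bool(enc & RC4_HMAC)
        pwd_age_days = (now - filetime_to_datetime(u["pwdLastSet"])).days
        last_logon = filetime_to_datetime(u["lastLogon"])
        score, why = 0, []
        if u["adminCount"]:
            score += 5; why.append("adminCount=1: member of a protected/admin group")
        if rc4_possible:
            score += 3; why.append(f"RC4 ticket obtainable ({describe_etypes(enc)})")
        else:
            why.append(f"AES only ({describe_etypes(enc)}): PBKDF2-derived key, far slower to crack")
        if pwd_age_days > 3 * 365:
            score += 2; why.append(f"password {pwd_age_days // 365}y old")
        if last_logon and (now - last_logon).days < 90:
            score += 1; why.append("logged on in the last 90 days")
        ranked.append({"name": u["sAMAccountName"], "spn": u["servicePrincipalName"][0],
                       "score": score, "why": why})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritise(USERS):
        print(f"{r['score']:2d} {r['name']:12s} {r['spn']}")
        for reason in r["why"]:
            print(f"     - {reason}")
```

Only the top entries then go into the targeted request (the --spn argument in the step above); an AES-only SPN is still roastable but is usually not worth the crack time unless it holds a path to Domain Admins.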
Group3r
Group3r enumerates Group Policy Objects and highlights misconfigurations.
# Execute inside the domain
Group3r.exe -f gpo.log # -s to stdout
PingCastle
PingCastle performs a health-check of Active Directory and generates an HTML report with risk scoring.
PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"
References
- HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting
- RustHound-CE
- Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound