Quick Reference
BloodHound Quick Reference
Hackers Manifest - hackersmanifest.com
Active Directory attack path mapping, data collection, and Cypher queries.
🚀 Setup
| Install Neo4j | sudo apt install neo4j |
| Start Neo4j | sudo neo4j start |
| Neo4j Browser | http://localhost:7474 |
| Default creds | neo4j / neo4j |
| Start BloodHound | bloodhound |
| No sandbox | ./BloodHound --no-sandbox |
🐕 SharpHound (Windows)
| Collect all | .\SharpHound.exe -c All |
| With creds | .\SharpHound.exe -c All --ldapusername user --ldappassword pass |
| Specific domain | .\SharpHound.exe -c All -d domain.local |
| Stealth mode | .\SharpHound.exe -c All --stealth |
| Specific DC | .\SharpHound.exe -c All --domaincontroller dc01.domain.com |
| Loop sessions | .\SharpHound.exe -c Session --loop --loopduration 02:00:00 |
🐍 BloodHound-Python (Linux)
| With creds | bloodhound-python -u user -p pass -d domain.local -dc dc01.domain.local -c All |
| With hash | bloodhound-python -u user --hashes :NTLM -d domain.local -c All |
| Custom DNS | bloodhound-python -u user -p pass -d domain.local -ns DNS_IP -c All |
| Output ZIP | bloodhound-python -u user -p pass -d domain.local -c All --zip |
📦 Collection Methods
| All | Everything (default) |
| Default | Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, DCOM, PSRemote |
| Group | Group memberships |
| LocalAdmin | Local admin rights |
| Session | Active sessions |
| ACL | ACL data for objects |
| Trusts | Domain trusts |
| ObjectProps | Object properties |
🔍 Pre-Built Queries
Find all Domain Admins
Shortest Paths to Domain Admins
Principals with DCSync Rights
Users with Foreign Domain Group Membership
Computers where Domain Users are Local Admin
Shortest Path from Kerberoastable Users
Shortest Path from Owned Principals
🎯 Node Marking
| Mark as Owned | Right-click → Mark as Owned |
| Mark as High Value | Right-click → Mark as High Value |
| Set as Start Node | Right-click → Set as Start Node |
| Set as End Node | Right-click → Set as End Node |
| Shortest Path | Start node → Target → Shortest Path |
📝 Custom Cypher Queries
All Domain Admins
MATCH (u:User)-[:MemberOf*1..]->(g:Group) WHERE g.name =~ '.*DOMAIN ADMINS.*' RETURN u.name Kerberoastable Users
MATCH (u:User) WHERE u.hasspn=true RETURN u.name, u.serviceprincipalnames AS-REP Roastable Users
MATCH (u:User) WHERE u.dontreqpreauth=true RETURN u.name Unconstrained Delegation Computers
MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c.name DCSync Rights
MATCH (n)-[:MemberOf|GetChanges|GetChangesAll*1..]->(d:Domain) RETURN n.name GenericAll on Users
MATCH p=(n)-[:GenericAll]->(u:User) RETURN p Shortest Path to DA from Owned
MATCH p=shortestPath((n)-[*1..]->(g:Group)) WHERE n.owned=true AND g.name =~ '.*DOMAIN ADMINS.*' RETURN p Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com