# BloodHound

## Linux/Unix

### Ingestor/collector BloodHound.py

```shell
bloodhound-python -ns <IP-address-DC> -d <ACME.LOCAL> -u "<user>" -p "<password>" -c all
```

### BloodHound

```shell
sudo neo4j start
bloodhound
```

## Windows

### Ingestor/collector SharpHound

#### Executable (.exe)

```shell
.\SharpHound.exe -c All --zipfilename sharphound
```

#### PowerShell

```powershell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
```

## Analysis queries

* Find Computers where Domain Users are Local Admin
* Find Workstations where Domain Users can RDP
* Find Servers where Domain Users can RDP
* List all Kerberoastable Accounts
* Find Computers with Unsupported Operating Systems

### CanPSRemote (PowerShell Remoting)

```cypher
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer)
RETURN p2
```

### SQLAdmin (SQLAdmin)

```cypher
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer)
RETURN p2
```
