BloodHound Tutorial
Intermediate · ⏱ 20 min read · Penetration Testing & Red Team
Map every path to Domain Admin. Master BloodHound.
BloodHound uses graph theory to reveal hidden relationships within Active Directory and exposes the attack paths that lead to Domain Admin. It is essential for any AD pentest or red team engagement.
Prerequisites
- BloodHound CE or Legacy installed
- Access to an AD environment (lab or authorized)
- SharpHound or BloodHound.py collector
- Basic Active Directory knowledge
Installation (BloodHound CE)
BloodHound Community Edition runs as Docker containers with a web UI.
Legacy vs CE
CE is the newer, web-based edition and exposes an API. Legacy (Electron + Neo4j) still works but is no longer actively developed.
Data Collection with SharpHound
SharpHound collects AD relationships (users, groups, sessions, ACLs, GPOs, trusts) and writes them to ZIP files for import.
Importing Data & Graph Exploration
Upload the ZIP to BloodHound, then search for specific users or computers and explore their relationships in the graph.
Pre-Built Queries
Built-in queries include Shortest Path to Domain Admin, Kerberoastable Users, Users with DCSync Rights, and more.
Custom Cypher Queries
Write custom Cypher queries to find specific relationships in the underlying Neo4j database.
Common Attack Paths
Edge types that commonly form attack paths: GenericAll, WriteDACL, ForceChangePassword, AddMember, DCSync, Constrained Delegation.
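As an added example that is not part of this tutorial, covering both the Custom Cypher Queries and Common Attack Paths sections: two defender-oriented Cypher queries written against BloodHound's standard schema. The first inventories principals that hold a dangerous ACL edge directly on a domain's Domain Admins group without already being members; the second finds the shortest path from any enabled user to that group and reports its hop count for triage. Edge labels and properties are BloodHound's own; the `-512` objectid suffix is the well-known RID of Domain Admins, so no domain name needs to be hard-coded.

```cypher
// Added example, not from the tutorial. Run each query on its own in the
// BloodHound query window or the Neo4j browser.

// 1. Which principals hold a dangerous right directly on Domain Admins
//    without already being a (nested) member of the group?
MATCH (src)-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AddMember|AddSelf|AllExtendedRights]->(da:Group)
WHERE da.objectid ENDS WITH '-512'          // well-known RID of Domain Admins
  AND NOT (src)-[:MemberOf*1..]->(da)       // skip principals that are already members
RETURN src.name AS principal, labels(src) AS kind, type(r) AS edge, da.name AS target
ORDER BY edge, principal

// 2. Shortest path from any enabled user to Domain Admins, through every edge
//    type BloodHound knows. A 1- or 2-hop path is usually the most urgent to break.
MATCH p = shortestPath((u:User {enabled: true})-[*1..]->(da:Group))
WHERE da.objectid ENDS WITH '-512'
RETURN u.name AS start, length(p) AS hops, [n IN nodes(p) | n.name] AS path
ORDER BY hops ASC, start
LIMIT 25
```

Each row of the first query is a single ACE to remove or justify; each row of the second names the chain of principals and edges to cut, starting with the shortest.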
Defense & Blue Team Use
Blue teams use BloodHound to identify and remediate dangerous paths before attackers find them.
Frequently Asked Questions
Is BloodHound free?
Yes. CE is free and open-source. SpecterOps offers commercial BloodHound Enterprise with continuous monitoring.
Does it require Domain Admin?
No. SharpHound works with any domain user. More privileges yield more data, but a standard user account already reveals most paths.
Can defenders use it?
Absolutely. Many blue teams run it regularly to find and fix dangerous ACL paths and excessive privileges.