We need neo4j first:
sudo neo4j console
It prints “Bolt enabled on localhost:7687” and gives us a clickable link for the remote interface. Click on it!
Log in to neo4j
Run bloodhound
sudo bloodhound
Log in using the neo4j creds
Run the bloodhound ingesters:
FIX:
sudo apt -y remove crackmapexec
sudo apt -y install pipx python3-venv
pipx ensurepath
python3 -m pip install pipx --user
sudo git clone https://github.com/mpgn/CrackMapExec /opt/CrackMapExec
cd /opt/CrackMapExec
pipx install . --force
getshell=$(basename "$SHELL")
echo "export PATH=$PATH:$HOME/.local/bin" >> "$HOME/.$getshell"rc
source ~/.zshrc
cme
echo "export PATH=\$HOME/.local/bin:\$PATH" >> "$HOME/.$getshell"rc
cd ~/.local/pipx/venvs/crackmapexec/bin/
./bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 192.168.218.136 -c all --zip
mv 20231005021847_bloodhound.zip /home/kali/bloodhound
cd /home/kali/bloodhound
ls
unzip 20231005021847_bloodhound.zip
(type "unzip 2023" and press Tab to complete the file name)
#sudo python3 /home/kali/.local/pipx/venvs/crackmapexec/bin/bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns 192.168.218.136 -c all
-d for the domain
-u for the user found earlier
-p for the password we cracked
-ns for the name server, which is the domain controller
-c for what we are collecting; all collects all the data that we possibly can.
Upload the JSON files to the BloodHound session opened earlier
You can visualize the network and permissions. You can mark targets as owned and see the shortest path to domain admin/controller!
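
A sanity check for the collection zip before uploading it, as an added example (not part of the original notes and not BloodHound's own code). It assumes each JSON file in the zip has a top-level "data" list and a "meta" object with "type" and "count"; the sample zip is constructed inline.

```python
import io
import json
import zipfile


def summarize_collection(zip_source):
    """Return ({object type: count}, [problems]) for a collection zip.

    zip_source is a path or a file-like object.
    """
    counts, problems = {}, []
    with zipfile.ZipFile(zip_source) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".json"):
                continue
            try:
                doc = json.loads(zf.read(name).decode("utf-8-sig"))
                meta, data = doc["meta"], doc["data"]
                kind, declared = meta.get("type", "unknown"), meta.get("count")
            except (ValueError, KeyError, TypeError, AttributeError) as exc:
                # Truncated or malformed file: report it instead of crashing.
                problems.append(f"{name}: unreadable ({type(exc).__name__})")
                continue
            counts[kind] = counts.get(kind, 0) + len(data)
            if declared != len(data):
                problems.append(
                    f"{name}: meta.count={declared} but {len(data)} objects")
    return counts, problems


def build_sample_zip():
    """Constructed sample data, not real collection output."""
    users = {"data": [{"Properties": {"name": "FCASTLE@MARVEL.LOCAL"}},
                      {"Properties": {"name": "ADMINISTRATOR@MARVEL.LOCAL"}}],
             "meta": {"type": "users", "count": 2, "version": 5}}
    computers = {"data": [{"Properties": {"name": "DC.MARVEL.LOCAL"}}],
                 "meta": {"type": "computers", "count": 3, "version": 5}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20231005021847_users.json", json.dumps(users))
        zf.writestr("20231005021847_computers.json", json.dumps(computers))
        zf.writestr("20231005021847_groups.json", '{"data": [')  # truncated
    buf.seek(0)
    return buf


if __name__ == "__main__":
    counts, problems = summarize_collection(build_sample_zip())
    print(counts)
    print("\n".join(problems) or "no problems found")
```

To check the real file, pass its path instead of the sample: summarize_collection("/home/kali/bloodhound/20231005021847_bloodhound.zip").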