⚠️ Pracivo Security Lab — Advanced AD attack techniques beyond Kerberoasting. Includes AS-REP Roasting, DCSync, Golden Tickets, and BloodHound.
Lab Credentials: ram / pracivo | john.smith / Welcome1 | administrator / Admin@2024
BloodHound — AD Attack Path Mapping
ENUMERATION
# BloodHound visualizes attack paths to Domain Admin using graph theory.
# Step 1: Collect data with SharpHound (Windows) or BloodHound.py (Linux)
# Windows — run as domain user:
.\SharpHound.exe -c All --zipfilename output.zip
# Linux with credentials:
python3 bloodhound.py -d corp.local -u ram -p pracivo -dc dc01.corp.local -c All
# Step 2: Install BloodHound + Neo4j
# Download: https://github.com/BloodHoundAD/BloodHound/releases
neo4j start
bloodhound # open the GUI
# Step 3: Import the zip file into BloodHound
# Drag and drop output.zip into the BloodHound UI
# Step 4: Run pre-built queries
# "Find Shortest Paths to Domain Admins"
# "Find All Domain Admins"
# "Find Computers where Domain Users are Local Admin"
# "Shortest Path from Owned Principals"
# Step 5: Mark your compromised users as owned
# Right-click user → Mark as Owned
# BloodHound then shows the shortest path from owned users to Domain Admins (DA)
# Key edge types (rights) that make up the attack paths BloodHound finds:
# GenericAll — full control over object
# WriteDACL — can modify permissions
# GenericWrite — can modify attributes
# ForceChangePassword — can reset password
# DCSync — has replication rights
# AddMember — can add users to groups