# BloodHound

## BloodHound Legacy

### Install

```bash
# Install and run neo4j
sudo apt-get install neo4j
sudo neo4j console

# Download Bloodhound legacy binary, unpack and execute
wget "https://github.com/SpecterOps/BloodHound-Legacy/releases/download/v4.3.1/BloodHound-linux-x64.zip"
unzip BloodHound-linux-x64.zip
cd BloodHound-linux-x64
./BloodHound --no-sandbox --disable-gpu 
```

### Ingestors

Standard

```bash
# Standard local execution
./SharpHound.exe --CollectionMethods All,GPOLocalGroup
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup"
```

ShadowHound

```bash
# ShadowHound (PowerShell): https://github.com/Friends-Security/ShadowHound
ShadowHound-DS -Server "DC01.securirty.local" -OutputFile "$PWD\ldap_output.txt"

# Split large output files if required (https://github.com/Friends-Security/ShadowHound/blob/main/split_output.py)
python3 split_output.py -i ldap_output.txt -o pyldapsearch_ldap -n 100

# Use bofhound to convert into JSON data (pipx install bofhound)
python3 bofhound.py -i ./folder -p All --parser ldapsearch
```

### Custom Queries

Replace `customqueries.json` with one of the files below to update the custom queries within BloodHound. Remember to restart BloodHound after changing the JSON file.

**Locate custom queries file**

```
find ~/ -type f -name customqueries.json 2>/dev/null  
```

Add **one** of the queries below:

```bash
# Exegol
curl -sSL "https://raw.githubusercontent.com/ThePorgs/Exegol-images/3d6d7a41e46acb6898da996c4198971be02e4d77/sources/bloodhound/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# CompassSecurity
curl -sSL "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# hausec
curl -sSL "https://raw.githubusercontent.com/hausec/Bloodhound-Custom-Queries/refs/heads/master/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# ZephrFish
curl -sSL "https://raw.githubusercontent.com/ZephrFish/Bloodhound-CustomQueries/refs/heads/main/customqueries.json" -o ~/.config/bloodhound/customqueries.json
```
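
The curl commands above overwrite the live file with whatever the remote branch currently serves, so it is worth checking a download before copying it into place. The script below is an added example, not code from this page or from any of the listed projects: it validates the file's structure and lists queries that contain Cypher write clauses. It assumes the BloodHound Legacy layout of a top-level `queries` list whose entries carry `name` and `queryList`; `audit_custom_queries`, `WRITE_CLAUSES` and `SAMPLE` are names chosen here.

```python
import json
import re

# Heuristic: Cypher clauses that modify the graph rather than only reading it.
WRITE_CLAUSES = re.compile(r"\b(CREATE|MERGE|SET|DELETE|DETACH|REMOVE|DROP)\b", re.IGNORECASE)

def audit_custom_queries(text):
    """Validate a customqueries.json document; return (errors, write_queries)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], []
    queries = doc.get("queries") if isinstance(doc, dict) else None
    if not isinstance(queries, list):
        return ['top-level "queries" list is missing'], []
    errors, writes = [], []
    for i, entry in enumerate(queries):
        name = entry.get("name") if isinstance(entry, dict) else None
        steps = entry.get("queryList") if isinstance(entry, dict) else None
        if not isinstance(name, str) or not isinstance(steps, list) or not steps:
            errors.append(f"entry {i}: needs a name and a non-empty queryList")
            continue
        for step in steps:
            cypher = step.get("query") if isinstance(step, dict) else None
            if not isinstance(cypher, str):
                errors.append(f"{name}: queryList step has no query string")
            elif WRITE_CLAUSES.search(cypher):
                writes.append(name)  # record once per query, then move on
                break
    return errors, writes

# Constructed sample input (not taken from any of the repositories above).
SAMPLE = json.dumps({"queries": [
    {"name": "List all computers", "category": "Example",
     "queryList": [{"final": True, "query": "MATCH (c:Computer) RETURN c"}]},
    {"name": "Mark high value", "category": "Example",
     "queryList": [{"final": True, "query": "MATCH (g:Group) SET g.highvalue=true"}]},
    {"name": "Broken entry", "queryList": []},
]})

if __name__ == "__main__":
    import sys
    # Audit the file given as the first argument, or the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    errs, writes = audit_custom_queries(text)
    print("errors:", errs)
    print("queries that modify the graph:", writes)
```

Download to a temporary path, run the script against it, and copy the file over `~/.config/bloodhound/customqueries.json` only once the error list is empty and the flagged queries have been read.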

### Purging Neo4j Database

This wipes all data from the database. New credentials must be set again afterwards at <http://localhost:7474/browser/>.

```bash
# Remove relevant database files (restart neo4j afterwards)
sudo rm -Rf /etc/neo4j/data/databases/*
sudo rm -Rf /etc/neo4j/data/transactions/*
```

## BloodHound Community Edition

### Install

```bash
sudo apt-get install docker-compose
curl -L https://ghst.ly/getbhce | docker compose -f - up

# When finished, search through the terminal output (on first run) for the generated password.
# Go to http://localhost:8080 and log in with Admin and the password.
```

{% hint style="info" %}
Keep in mind that BloodHound captures a 'snapshot' of the state of Active Directory at the time of collection, so results may change when data is collected again in the future.
{% endhint %}

## Resources

* <https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/>
* <https://sansorg.egnyte.com/dl/zscX9KYH5M/?>
* <https://github.com/BloodHoundAD/BloodHound/releases>

