SharpHound Community Edition (CE) is the official data collector for BloodHound CE. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.
SharpHound CE can be obtained in a few ways:
- From the BloodHound CE interface as a pre-compiled binary
- ⚙️ → Download Collectors, and click the button Download SharpHound
- From the SharpHound repository releases as .ps1 and a pre-compiled binary
- Build it from source with the source code on the SharpHound repository
You can collect plenty of data with SharpHound CE by simply running the binary itself with no flags set:
SharpHound CE will automatically determine what domain your current user belongs to, find a domain controller for that domain, and start the “default” collection method. The default collection method will collect the following pieces of information from the domain controller:
- Security group memberships
- Domain trusts
- Abusable rights on Active Directory objects
- Group Policy links
- OU tree structure
- Several properties from computer, group and user objects
- SQL admin links
Additionally, SharpHound CE will attempt to collect the following information from each domain-joined Windows computer:
- The members of the local administrators, remote desktop, distributed COM, and remote management groups
- Active sessions, which SharpHound CE will attempt to correlate to systems where users are interactively logged on
When finished, SharpHound CE will create several JSON files and place them into a zip file. Drag and drop that zip file into the BloodHound GUI, and the interface will merge the data into the database.
The Session Loop Collection Method
BloodHound uses graph theory to find attack paths in Active Directory, and the more data you have, the more likely you are to find and execute attack paths successfully. Much of the data you initially collect with SharpHound CE will not likely change or require updating over the course of a typical red team assessment - security group memberships, Active Directory permissions, and Group Policy links change relatively rarely. That data can be collected one time, and not again.
User sessions are a bit different because users, especially privileged users, log on and off different systems daily. How many systems does a typical help desk user or server admin log into on any given day?
SharpHound CE’s Session Loop collection method makes this very easy:
C:\> SharpHound.exe --CollectionMethods Session --Loop
This will run SharpHound CE’s session collection method for 2 hours, generating a zip file after each loop ends. When done, collect all the zip files and drag and drop them into the BloodHound GUI.
If you want to specify a different loop time, use the --Loopduration flag with the HH:MM:SS format to specify how long you want SharpHound CE to perform looped session collection. For example, if you want SharpHound CE to perform looped session collection for 3 hours, 9 minutes, and 41 seconds:
C:\> SharpHound.exe --CollectionMethods Session --Loop --Loopduration 03:09:41
Running SharpHound CE from a Non Domain-Joined System
While not an officially supported collection method, and not a collection method we recommend you do, it is possible to collect data for a domain from a system that is not joined to that domain. To do so, carefully follow these steps:
- Configure your system DNS server to be the IP address of a domain controller in the target domain.
- Spawn a CMD shell as a user in that domain using `runas` its `/netonly` flag. You will be prompted to enter a password. Enter the password and hit enter.
C:\> runas /netonly /user:CONTOSO\Jeff.Dimmock cmd.exe
- A new CMD window will appear. If you type `whoami`, you will not see the name of the user you’re impersonating. This is because of the `/netonly` flag: the instance of CMD will only authenticate as that user when you authenticate to other systems over the network, but you are still the same user you were before when authenticating locally.
- Verify you’ve got valid domain authentiation by using the `net` binary. If you can see the SYSVOL and NETLOGON folders, you’re good.
C:\> net view \\contoso\
- Run SharpHound CE, using the `-d` flag to specify the AD domain you want to collect information from. You can also use any other flags you wish.
C:\> SharpHound.exe -d contoso.local
Building SharpHound CE from Source
SharpHound CE is written using C# 9.0 features. To easily compile this project, use Visual Studio 2019.
If you want to compile on previous versions of Visual Studio, you can install the Microsoft.Net.Compilers nuget package.
Building the project will generate an executable and a PowerShell script that encapsulates the executable. All dependencies are rolled into the binary.