Awesome
ShadowHound
ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound. It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:
- ShadowHound-ADM.ps1: Uses the Active Directory module (ADWS).
- ShadowHound-DS.ps1: Utilizes direct LDAP queries via
DirectorySearcher.
Blog Post
For more details and context, check out the blog post.
Scripts Overview
ShadowHound-ADM.ps1
- Method: Active Directory module (
Get-ADObjectvia ADWS). - Usage Scenario: When the AD module is available and ADWS is accessible.
- Features:
- Handles large domains with
-SplitSearch,-Recurse, and-LetterSplitSearchoptions. - Enumerates certificates with the
-Certificatesflag.
- Handles large domains with
ShadowHound-DS.ps1
- Method: Direct LDAP queries using
DirectorySearcher. - Usage Scenario: Environments where the AD module isn't available or LDAP is preferred.
- Features:
- Enumerates certificates with the
-Certificatesflag. - Supports alternate credentials with the
-Credentialparameter.
- Enumerates certificates with the
Usage Examples
Basic Enumeration
ShadowHound-ADM.ps1
# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"
# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"
# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"
ShadowHound-DS.ps1
# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"
# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"
# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"
Enumerating Certificates
Both scripts support enumerating certificate-related objects for those juicy ADCS vectors:
# Using ShadowHound-ADM.ps1
ShadowHound-ADM -OutputFilePath "C:\Results\cert_output.txt" -Certificates
# Using ShadowHound-DS.ps1
ShadowHound-DS -OutputFile "C:\Results\cert_output.txt" -Certificates
Handling Large Domains (ShadowHound-ADM.ps1)
# Split search across top-level containers with letter splitting
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -SplitSearch -LetterSplitSearch
-SplitSearch: Splits the search across top-level containers.-Recurse: Recurses into containers that fail to return results.-LetterSplitSearch: Further splits searches by the first letter of CN.
Converting Data for BloodHound
If the ldap_output.txt you got using ShadowHound is too large for Bofhound (Memory error), you may split the ShadowHound output using split_output.py:
# Split ldap_output.txt to 100 chunks which are named split_output_1.txt, split_output_2.txt and so on...
# In order to provide bofhound with a folder containing ldap output, the files *must* be prefixed with "pyldapsearch".
python3 split_output.py -i ldap_output.txt -o pyldapsearch_ldap -n 100
# Provide Shadowhound with a folder containing the splitted output
python3 bofhound.py -i ./folder -p All --parser ldapsearch
After collecting data, use BofHound to convert it into BloodHound-compatible JSON files:
python3 bofhound.py -i ldap_output.txt -p All --parser ldapsearch
For large JSON files (>100MB), consider splitting them with tools like ShredHound.
Author
- Yehuda Smirnov
- Twitter: @yudasm_
- BlueSky: @yudasm.bsky.social