# Plumhound {% embed url="" %} ### Plumhound Installation ``` ┌──(kali㉿kali)-[/opt] └─$ sudo git clone https://github.com/PlumHound/PlumHound [sudo] password for kali: Cloning into 'PlumHound'... remote: Enumerating objects: 3256, done. remote: Counting objects: 100% (118/118), done. remote: Compressing objects: 100% (55/55), done. remote: Total 3256 (delta 86), reused 77 (delta 63), pack-reused 3138 (from 1) Receiving objects: 100% (3256/3256), 6.11 MiB | 1010.00 KiB/s, done. Resolving deltas: 100% (1234/1234), done. ``` ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ pip3 install -r requirements.txt Defaulting to user installation because normal site-packages is not writeable DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/PyBluez-0.30-py3.11-linux-x86_64.egg is deprecated. pip 25.1 will enforce this behaviour change. A possible replacement is to use pip for package installation. Discussion can be found at https://github.com/pypa/pip/issues/12330 Requirement already satisfied: neo4j in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.2.dev0) Collecting py2neo (from -r requirements.txt (line 2)) Downloading py2neo-2021.2.4-py2.py3-none-any.whl.metadata (9.9 kB) Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.8.10) Requirement already satisfied: argcomplete in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (3.3.0) Collecting alive-progress (from -r requirements.txt (line 5)) Downloading alive_progress-3.2.0-py3-none-any.whl.metadata (70 kB) Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (2023.11.17) Collecting interchange~=2021.0.4 (from py2neo->-r requirements.txt (line 2)) Downloading interchange-2021.0.4-py2.py3-none-any.whl.metadata (1.9 kB) Collecting monotonic (from py2neo->-r requirements.txt (line 2)) Downloading monotonic-1.6-py2.py3-none-any.whl.metadata (1.5 kB) Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (24.0) Collecting pansi>=2020.7.3 (from py2neo->-r requirements.txt (line 2)) Downloading pansi-2024.11.0-py2.py3-none-any.whl.metadata (3.1 kB) ``` [**We need to have neo4j and bloodhound running and data already injested**](https://notes.cavementech.com/pentesting-quick-reference/active-directory/ad-enumeration/bloodhound) ### Running Plumhound ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ sudo python3 PlumHound.py --easy -p neo4j1 PlumHound 1.6 For more information: https://github.com/plumhound -------------------------------------- Server: bolt://localhost:7687 User: neo4j Password: ***** Encryption: False Timeout: 300 -------------------------------------- Task: Easy Query Title: Domain Users Query Format: STDOUT Query Cypher: MATCH (n:User) RETURN n.name, n.displayname -------------------------------------- INFO Found 1 task(s) INFO -------------------------------------- on 1: n.name n.displayname -------------------------- --------------- ADMINISTRATOR@MARVEL.LOCAL TSTARK@MARVEL.LOCAL Tony Stark SQLSERVICE@MARVEL.LOCAL SQL Service PPARKER@MARVEL.LOCAL Parker KRBTGT@MARVEL.LOCAL GUEST@MARVEL.LOCAL FCASTLE@MARVEL.LOCAL Frank Castle NT AUTHORITY@MARVEL.LOCAL Executing Tasks |██████████████████████████████████████████████████| Tasks 1 / 1 in 0.1s (3473.04/s) Completed 1 of 1 tasks. ``` | Part | Meaning | | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `sudo` | Runs the command with **superuser privileges**. This is often required if the script needs access to system resources or certain protected files. | | `python3` | Uses the **Python 3 interpreter** to run the script. | | `PlumHound.py` | This is the **Python script** being executed — PlumHound is a tool used for analyzing BloodHound/Neo4j data (usually related to Active Directory recon). | | `--easy` | This is a **flag/option** that likely tells the script to run in a simplified or beginner-friendly mode. It might automate or simplify certain tasks (you'll need to check the script's help output or documentation for exact behavior). | | `-p neo4j1` | This sets the **`-p` option** to `neo4j1`. In the context of PlumHound, this is likely specifying a **profile** or **Neo4j database connection name** or **password** for connecting to the BloodHound database backend. | ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ sudo python3 PlumHound.py -x tasks/default.tasks -p neo4j1 PlumHound 1.6 For more information: https://github.com/plumhound -------------------------------------- Server: bolt://localhost:7687 User: neo4j Password: ***** Encryption: False Timeout: 300 -------------------------------------- Tasks: Task File TaskFile: tasks/default.tasks Found 119 task(s) -------------------------------------- on 119: Completed Reports Archive: reports//Reports.zip Executing Tasks |██████████████████████████████████████████████████| Tasks 119 / 119 in 5.3s (22.71/s) Completed 119 of 119 tasks. ``` ✅ Use the `default.tasks` file to determine what analysis to run The reports are save in reports folder
You can now index.html file and explore it. ``` firefox index.html ```