# Plumhound {% embed url="" %} ### Plumhound Installation ``` ┌──(kali㉿kali)-[/opt] └─$ sudo git clone https://github.com/PlumHound/PlumHound [sudo] password for kali: Cloning into 'PlumHound'... remote: Enumerating objects: 3256, done. remote: Counting objects: 100% (118/118), done. remote: Compressing objects: 100% (55/55), done. remote: Total 3256 (delta 86), reused 77 (delta 63), pack-reused 3138 (from 1) Receiving objects: 100% (3256/3256), 6.11 MiB | 1010.00 KiB/s, done. Resolving deltas: 100% (1234/1234), done. ``` ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ pip3 install -r requirements.txt Defaulting to user installation because normal site-packages is not writeable DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/PyBluez-0.30-py3.11-linux-x86_64.egg is deprecated. pip 25.1 will enforce this behaviour change. A possible replacement is to use pip for package installation. Discussion can be found at https://github.com/pypa/pip/issues/12330 Requirement already satisfied: neo4j in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.2.dev0) Collecting py2neo (from -r requirements.txt (line 2)) Downloading py2neo-2021.2.4-py2.py3-none-any.whl.metadata (9.9 kB) Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.8.10) Requirement already satisfied: argcomplete in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (3.3.0) Collecting alive-progress (from -r requirements.txt (line 5)) Downloading alive_progress-3.2.0-py3-none-any.whl.metadata (70 kB) Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (2023.11.17) Collecting interchange~=2021.0.4 (from py2neo->-r requirements.txt (line 2)) Downloading interchange-2021.0.4-py2.py3-none-any.whl.metadata (1.9 kB) Collecting monotonic (from py2neo->-r requirements.txt (line 2)) Downloading monotonic-1.6-py2.py3-none-any.whl.metadata (1.5 kB) Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (24.0) Collecting pansi>=2020.7.3 (from py2neo->-r requirements.txt (line 2)) Downloading pansi-2024.11.0-py2.py3-none-any.whl.metadata (3.1 kB) ``` [**We need to have neo4j and bloodhound running and data already injested**](https://notes.cavementech.com/pentesting-quick-reference/active-directory/ad-enumeration/bloodhound) ### Running Plumhound ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ sudo python3 PlumHound.py --easy -p neo4j1 PlumHound 1.6 For more information: https://github.com/plumhound -------------------------------------- Server: bolt://localhost:7687 User: neo4j Password: ***** Encryption: False Timeout: 300 -------------------------------------- Task: Easy Query Title: Domain Users Query Format: STDOUT Query Cypher: MATCH (n:User) RETURN n.name, n.displayname -------------------------------------- INFO Found 1 task(s) INFO -------------------------------------- on 1: n.name n.displayname -------------------------- --------------- ADMINISTRATOR@MARVEL.LOCAL TSTARK@MARVEL.LOCAL Tony Stark SQLSERVICE@MARVEL.LOCAL SQL Service PPARKER@MARVEL.LOCAL Parker KRBTGT@MARVEL.LOCAL GUEST@MARVEL.LOCAL FCASTLE@MARVEL.LOCAL Frank Castle NT AUTHORITY@MARVEL.LOCAL Executing Tasks |██████████████████████████████████████████████████| Tasks 1 / 1 in 0.1s (3473.04/s) Completed 1 of 1 tasks. ``` | Part | Meaning | | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `sudo` | Runs the command with **superuser privileges**. This is often required if the script needs access to system resources or certain protected files. | | `python3` | Uses the **Python 3 interpreter** to run the script. | | `PlumHound.py` | This is the **Python script** being executed — PlumHound is a tool used for analyzing BloodHound/Neo4j data (usually related to Active Directory recon). | | `--easy` | This is a **flag/option** that likely tells the script to run in a simplified or beginner-friendly mode. It might automate or simplify certain tasks (you'll need to check the script's help output or documentation for exact behavior). | | `-p neo4j1` | This sets the **`-p` option** to `neo4j1`. In the context of PlumHound, this is likely specifying a **profile** or **Neo4j database connection name** or **password** for connecting to the BloodHound database backend. | ``` ┌──(kali㉿kali)-[/opt/PlumHound] └─$ sudo python3 PlumHound.py -x tasks/default.tasks -p neo4j1 PlumHound 1.6 For more information: https://github.com/plumhound -------------------------------------- Server: bolt://localhost:7687 User: neo4j Password: ***** Encryption: False Timeout: 300 -------------------------------------- Tasks: Task File TaskFile: tasks/default.tasks Found 119 task(s) -------------------------------------- on 119: Completed Reports Archive: reports//Reports.zip Executing Tasks |██████████████████████████████████████████████████| Tasks 119 / 119 in 5.3s (22.71/s) Completed 119 of 119 tasks. ``` ✅ Use the `default.tasks` file to determine what analysis to run The reports are save in reports folder
You can now index.html file and explore it. ``` firefox index.html ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.cavementech.com/pentesting-quick-reference/active-directory/ad-enumeration/plumhound.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.