Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
    • AS-REP roasting
    • Kerberosting
      • Kerberos "Double Hop" Problem
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Miscellaneous Misconfigurations
    • Attacking Active Directory & NTDS.dit 1
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Plumhound Installation
  • Running Plumhound
  1. Active Directory
  2. AD Enumeration

Plumhound

bloddhound for purple and blue teams

PreviousBloodHoundNextBloodhound CE

Last updated 3 days ago

Plumhound Installation

┌──(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/PlumHound/PlumHound
[sudo] password for kali: 
Cloning into 'PlumHound'...
remote: Enumerating objects: 3256, done.
remote: Counting objects: 100% (118/118), done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 3256 (delta 86), reused 77 (delta 63), pack-reused 3138 (from 1)
Receiving objects: 100% (3256/3256), 6.11 MiB | 1010.00 KiB/s, done.
Resolving deltas: 100% (1234/1234), done.
                                                                                                                                                                                                                               
┌──(kali㉿kali)-[/opt/PlumHound]
└─$ pip3 install -r requirements.txt
Defaulting to user installation because normal site-packages is not writeable
DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/PyBluez-0.30-py3.11-linux-x86_64.egg is deprecated. pip 25.1 will enforce this behaviour change. A possible replacement is to use pip for package installation. Discussion can be found at https://github.com/pypa/pip/issues/12330                                                                                                                                                                                 
Requirement already satisfied: neo4j in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.2.dev0)                                                                                                                       
Collecting py2neo (from -r requirements.txt (line 2))
  Downloading py2neo-2021.2.4-py2.py3-none-any.whl.metadata (9.9 kB)
Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (0.8.10)
Requirement already satisfied: argcomplete in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (3.3.0)
Collecting alive-progress (from -r requirements.txt (line 5))
  Downloading alive_progress-3.2.0-py3-none-any.whl.metadata (70 kB)
Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (2023.11.17)
Collecting interchange~=2021.0.4 (from py2neo->-r requirements.txt (line 2))
  Downloading interchange-2021.0.4-py2.py3-none-any.whl.metadata (1.9 kB)
Collecting monotonic (from py2neo->-r requirements.txt (line 2))
  Downloading monotonic-1.6-py2.py3-none-any.whl.metadata (1.5 kB)
Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from py2neo->-r requirements.txt (line 2)) (24.0)
Collecting pansi>=2020.7.3 (from py2neo->-r requirements.txt (line 2))
  Downloading pansi-2024.11.0-py2.py3-none-any.whl.metadata (3.1 kB)

Running Plumhound

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[/opt/PlumHound]
└─$ sudo python3 PlumHound.py --easy -p  neo4j1

        PlumHound 1.6
        For more information: https://github.com/plumhound
        --------------------------------------
        Server: bolt://localhost:7687
        User: neo4j
        Password: *****
        Encryption: False
        Timeout: 300
        --------------------------------------
        Task: Easy
        Query Title: Domain Users
        Query Format: STDOUT
        Query Cypher: MATCH (n:User) RETURN n.name, n.displayname
        --------------------------------------
INFO    Found 1 task(s)
INFO    --------------------------------------

on 1: n.name                      n.displayname
      --------------------------  ---------------
      [email protected]
      [email protected]         Tony Stark
      [email protected]     SQL Service
      [email protected]        Parker
      [email protected]
      [email protected]
      [email protected]        Frank Castle
      
      NT [email protected]

         Executing Tasks |██████████████████████████████████████████████████| Tasks 1 / 1  in 0.1s (3473.04/s) 

        Completed 1 of 1 tasks.
Part
Meaning

sudo

Runs the command with superuser privileges. This is often required if the script needs access to system resources or certain protected files.

python3

Uses the Python 3 interpreter to run the script.

PlumHound.py

This is the Python script being executed — PlumHound is a tool used for analyzing BloodHound/Neo4j data (usually related to Active Directory recon).

--easy

This is a flag/option that likely tells the script to run in a simplified or beginner-friendly mode. It might automate or simplify certain tasks (you'll need to check the script's help output or documentation for exact behavior).

-p neo4j1

This sets the -p option to neo4j1. In the context of PlumHound, this is likely specifying a profile or Neo4j database connection name or password for connecting to the BloodHound database backend.

┌──(kali㉿kali)-[/opt/PlumHound]
└─$ sudo python3 PlumHound.py -x tasks/default.tasks -p  neo4j1

        PlumHound 1.6
        For more information: https://github.com/plumhound
        --------------------------------------
        Server: bolt://localhost:7687
        User: neo4j
        Password: *****
        Encryption: False
        Timeout: 300
        --------------------------------------
        Tasks: Task File
        TaskFile: tasks/default.tasks
        Found 119 task(s)
        --------------------------------------


on 119:         Completed Reports Archive: reports//Reports.zip
         Executing Tasks |██████████████████████████████████████████████████| Tasks 119 / 119  in 5.3s (22.71/s) 

        Completed 119 of 119 tasks.

✅ Use the default.tasks file to determine what analysis to run

The reports are save in reports folder

You can now index.html file and explore it.

firefox index.html

We need to have neo4j and bloodhound running and data already injested
GitHub - PlumHound/PlumHound: Bloodhound for Blue and Purple TeamsGitHub
Logo