BloodHound Tutorial 2026 — Find the SHORTEST Path to Domain Admin in Minutes | Day 27

Part of the 100-Day Ethical Hacking Course


BloodHound tutorial Active Directory 2026 — this tool does something that used to take experienced penetration testers days of manual work and reduces it to minutes: it finds the exact attack path from any domain user account to Domain Admin. Not by brute force, not by guessing. By graph theory. BloodHound maps every relationship in an Active Directory environment — group memberships, session data, ACL permissions, delegation rights — and then runs the shortest path algorithm to show you the precise chain of exploitation steps between any two points. You are going to build that graph today.

🎯 What You’ll Master in Day 27

Understand how BloodHound uses graph theory to map AD attack paths
Install BloodHound CE and Neo4j on Kali Linux
Run SharpHound collector with domain user credentials and ingest data
Use built-in queries to find Shortest Path to Domain Admin
Read and interpret BloodHound attack path graphs for pentest reports

⏱️ 60 min read · 3 hands-on exercises

✅ BloodHound is genuinely transformative for AD pentesting once it clicks. This guide builds from the conceptual graph model through hands-on data collection and attack path analysis. If you completed Day 26 on Pass the Hash, today’s BloodHound session will make those techniques feel completely different.

In Day 26 you used Pass the Hash and Pass the Ticket to move laterally between machines — powerful techniques, but applied reactively. BloodHound changes the approach entirely: it shows you proactively which accounts, machines, and relationships form the optimal attack path before you execute a single technique. Combined with the 100-Day Ethical Hacking Course content on AD enumeration from Days 23–26, BloodHound becomes the analytical layer that makes everything else strategic.


What Is BloodHound and How Graph Theory Maps AD Attack Paths

BloodHound represents an Active Directory environment as a mathematical graph — nodes are AD objects (users, groups, computers, GPOs, domains) and edges are relationships between them (MemberOf, AdminTo, HasSession, GenericAll, etc.). Once the graph is built from real AD data, BloodHound applies Dijkstra’s shortest path algorithm to find the minimum number of relationship-hops needed to get from any source node to any target node.

The profound insight is that Domain Admin is almost never more than 3–5 relationships away from any standard user in a real enterprise environment. Not because of poor security necessarily — but because AD environments accumulate permission complexity over years. Group memberships from old projects, local admin rights granted for troubleshooting and never revoked, delegation configurations set up for legacy applications — they create paths that nobody documented and that manual review would never surface.

[Figure: BloodHound Attack Path — Shortest Path to Domain Admin. Nodes: jsmith (Domain User) —HasSession→ WORKST01 (Computer) —AdminTo→ svc_backup (Service Acct) —MemberOf→ DOMAIN ADMINS. 3 hops · jsmith → Domain Admin via HasSession + AdminTo + MemberOf]

📸 BloodHound shortest path example — standard user jsmith reaches Domain Admin in 3 relationship hops via a session on a workstation where a service account with Domain Admin membership is logged in.

🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Manually Trace an AD Attack Path From a BloodHound Graph

⏱️ Time: 10 minutes · No tools required

Study the following Active Directory relationships:

USER: jsmith
– MemberOf: IT_Helpdesk group
– HasSession on: DESKTOP-01 (jsmith is currently logged on)

GROUP: IT_Helpdesk
– AdminTo: all computers in OU=Workstations

COMPUTER: DESKTOP-01
– HasSession: svc_sqlbackup (service account logged on)

USER: svc_sqlbackup
– MemberOf: DB_Admins group

GROUP: DB_Admins
– GenericAll rights over: Domain Admins group

Now answer these questions:

1. Trace the full attack path from jsmith to Domain Admin.
Write each step as: [Source] —[Relationship]→ [Target]

2. What technique from Day 26 do you use at the HasSession edge?
(Hint: svc_sqlbackup is logged on to a machine where you are admin)

3. At the GenericAll edge on Domain Admins group, what can
you do to escalate to Domain Admin?

4. If you remove jsmith’s MemberOf IT_Helpdesk, does this
break the attack path? What is the minimum change required
to fully eliminate it?

✅ What you just learned: The attack path is: jsmith →MemberOf→ IT_Helpdesk →AdminTo→ DESKTOP-01 →HasSession→ svc_sqlbackup →MemberOf→ DB_Admins →GenericAll→ Domain Admins. At HasSession you use Pass the Hash (or Mimikatz credential dump since you are local admin on DESKTOP-01). GenericAll on a group means you can add any user to that group — add yourself to Domain Admins directly. Removing MemberOf breaks the path, but the minimum real fix is removing DB_Admins’ GenericAll right over Domain Admins — or removing svc_sqlbackup from DB_Admins. This thinking process IS how you interpret BloodHound graphs in a real engagement.

📸 Draw your traced attack path and share in #day-27-bloodhound on Discord.
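As an added illustration (not code from the course or from BloodHound itself), the script below models the Exercise 1 relationships as a directed graph in BloodHound's own edge direction, finds the shortest path with breadth-first search (equivalent to Dijkstra on unweighted edges), and then ranks every edge by how many users lose all paths to Domain Admins when that edge is removed, which is the "minimum real fix" reasoning from the answer above. The two extra users AHMED and DBA1 are assumptions added so the ranking has something to distinguish; the exercise itself names only the single chain.

```python
from collections import deque

# Edges point in BloodHound's direction: source controls or reaches target.
# Constructed sample: the Exercise 1 relationships plus two assumed users
# (AHMED, DBA1) so that edge removals have different impact.
EDGES = [
    ("JSMITH", "MemberOf", "IT_HELPDESK"),
    ("AHMED", "MemberOf", "IT_HELPDESK"),            # assumed second helpdesk user
    ("IT_HELPDESK", "AdminTo", "DESKTOP-01"),
    ("DESKTOP-01", "HasSession", "SVC_SQLBACKUP"),
    ("SVC_SQLBACKUP", "MemberOf", "DB_ADMINS"),
    ("DBA1", "MemberOf", "DB_ADMINS"),                # assumed direct DB_Admins member
    ("DB_ADMINS", "GenericAll", "DOMAIN ADMINS"),
]
USERS = {"JSMITH", "AHMED", "DBA1", "SVC_SQLBACKUP"}
TARGET = "DOMAIN ADMINS"


def shortest_path(edges, src, dst):
    """BFS over unweighted edges; returns [(src, edge, dst), ...] or None."""
    adj = {}
    for s, rel, t in edges:
        adj.setdefault(s, []).append((rel, t))
    parent = {src: None}            # node -> (previous node, edge type)
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            hops = []
            while parent[node]:     # walk back to the source
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def cut_impact(edges, users, target):
    """For each edge, count the users that lose every path to target if it is removed."""
    reach_before = {u for u in users if shortest_path(edges, u, target)}
    impact = {}
    for e in edges:
        remaining = [x for x in edges if x != e]
        still = {u for u in reach_before if shortest_path(remaining, u, target)}
        impact[e] = len(reach_before - still)
    return impact


if __name__ == "__main__":
    path = shortest_path(EDGES, "JSMITH", TARGET)
    print(f"{len(path)} hops:", " ".join(f"{s} -[{r}]->" for s, r, _ in path), TARGET)
    ranked = sorted(cut_impact(EDGES, USERS, TARGET).items(), key=lambda kv: -kv[1])
    for (s, r, t), n in ranked:
        print(f"remove {s} -[{r}]-> {t}: {n} user(s) lose their path")
```

The GenericAll edge from DB_Admins ranks first because cutting it severs every user at once, whereas removing jsmith's IT_Helpdesk membership only fixes jsmith.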


Installing BloodHound CE and Neo4j on Kali Linux 2026

BLOODHOUND CE — INSTALL ON KALI LINUX 2026
# Method 1: BloodHound CE via Docker (recommended — easiest setup)
sudo apt install docker.io docker-compose -y
sudo systemctl start docker
curl -L https://ghst.ly/getbhce | docker compose -f - up
# BloodHound CE starts at http://localhost:8080
# Default credentials shown in terminal output on first run
# Method 2: BloodHound Legacy (Electron app + Neo4j)
sudo apt update && sudo apt install bloodhound neo4j -y
# Start Neo4j database
sudo neo4j start
# First run: go to http://localhost:7474 to set password
# Default: neo4j/neo4j → change to neo4j/bloodhound
# Launch BloodHound Legacy
bloodhound &
# Connect with: bolt://localhost:7687 | neo4j / bloodhound


Running SharpHound — Collecting Active Directory Relationship Data

SharpHound is the data collection engine. It runs on a Windows machine with domain user credentials and queries LDAP, SMB, and RPC to enumerate AD relationships. The output is a ZIP file containing multiple JSON files covering users, groups, computers, GPOs, domains, and OUs.

SHARPHOUND COLLECTION — ALL KEY FLAGS
# Standard collection — all data types (run as domain user)
SharpHound.exe -c All
# Collect with specific domain target
SharpHound.exe -c All -d CORP.LOCAL
# Stealth collection — avoids direct computer enumeration
SharpHound.exe -c DCOnly
# Loop collection — runs every 15 minutes for session data
SharpHound.exe -c Session --Loop --LoopDuration 02:00:00
# Collection from Kali using domain credentials (no Windows needed)
pip install bloodhound
bloodhound-python -u jsmith -p Password123 -d corp.local -c All --zip
# bloodhound-python = Python port of SharpHound — runs from Kali
# Output: YYYYMMDDHHMMSS_BloodHound.zip
# Upload this ZIP into BloodHound UI via “Upload Data” button

💡 bloodhound-python for Kali: In lab environments where you have valid domain credentials from a previous compromise, bloodhound-python lets you collect AD data directly from Kali without executing anything on a Windows machine. This is the stealthier option for authorised engagements where you want to minimise Windows-side execution.

BloodHound Queries — Finding Shortest Path to Domain Admin

BloodHound’s pre-built queries are the fastest way to identify the highest-value attack paths in an ingested dataset. These queries run against the Neo4j graph database using Cypher query language. You do not need to write Cypher yourself — the built-in queries cover the most important attack path patterns out of the box.

BLOODHOUND BUILT-IN QUERIES — MOST VALUABLE
# In BloodHound UI: Hamburger menu → Queries → Pre-Built
Find Shortest Paths to Domain Admins # PRIMARY attack path query
Find Principals with DCSync Rights # Can replicate AD passwords
Find All Domain Admins # Full Domain Admin list
List All Kerberoastable Accounts # Offline hash cracking targets
Find AS-REP Roastable Users # Pre-auth not required
Find Computers with Unconstrained Delegation # High-value targets
Find Computers where Domain Users are Local Admin # Lateral movement starting points
Shortest Path from Owned Principals # Right-click node > Mark as Owned first
# Custom Cypher query — shortest path from specific user:
MATCH p=shortestPath((u:User {name:"JSMITH@CORP.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN p

🌐 EXERCISE 2 — TRYHACKME (35 MIN)
Run BloodHound Against a Real Active Directory Lab on TryHackMe

⏱️ Time: 35 minutes · Free TryHackMe account required

Step 1: Go to tryhackme.com and search for “Post-Exploitation Basics”
or “Attacking Active Directory” (both include BloodHound tasks)

Step 2: Deploy the machine and connect via TryHackMe VPN or AttackBox

Step 3: The room provides domain user credentials — use them to run
bloodhound-python from your Kali AttackBox:
bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -c All --zip

Step 4: Transfer the ZIP to your BloodHound installation

Step 5: Upload the ZIP via BloodHound’s Upload Data button

Step 6: Once ingested, run the query:
“Find Shortest Paths to Domain Admins”

Step 7: For each attack path found, document:
— Number of hops
— Relationship types (edges) in the path
— Starting node (source user/computer)
— Technique to traverse each edge

Step 8: Mark the starting account as Owned (right-click > Mark as Owned)
Run: “Shortest Path from Owned Principals”
Does it show a different/shorter path?

✅ What you just learned: The process of running SharpHound/bloodhound-python, ingesting data, and querying for attack paths is the complete BloodHound workflow used in real engagements. The “Mark as Owned” feature is particularly powerful — once you compromise any account during a pentest, marking it as Owned in BloodHound immediately shows you all paths from that account to Domain Admin, focusing your next steps precisely. This is the operational intelligence layer that makes AD pentesting structured and efficient.

📸 Screenshot your BloodHound graph showing the Shortest Path to Domain Admin and share in #day-27-bloodhound on Discord.


Reading BloodHound Graphs — Every Edge Type Explained

Every edge in a BloodHound graph represents a relationship that has a corresponding exploitation technique. Understanding what technique each edge maps to is the skill that transforms a BloodHound graph from a diagram into an execution plan.

BloodHound Edge Types — Exploitation Technique Mapping
AdminTo
Local admin on computer → dump credentials with Mimikatz/secretsdump

HasSession
User logged onto computer → if you have admin, steal their credentials from LSASS

MemberOf
Group membership → inherit all group rights (can chain to AdminTo, GenericAll)

GenericAll
Full control over object → reset password, add to groups, modify ACLs

DCSync
Can replicate DC → dump all domain password hashes with secretsdump

WriteDacl
Can modify ACL → grant yourself GenericAll, then full control

ForceChangePassword
Can reset user password → authenticate as that user without their original password

📸 BloodHound edge type to exploitation technique mapping — each relationship type has a direct corresponding attack technique. Reading the graph means reading the attack plan.

⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Install BloodHound CE via Docker and Verify the Database Connection

⏱️ Time: 20 minutes · Kali Linux with Docker installed

BLOODHOUND CE DOCKER SETUP — KALI LINUX
# Step 1: Install Docker if not already present
sudo apt update && sudo apt install docker.io docker-compose -y
sudo systemctl enable --now docker
# Step 2: Pull and start BloodHound CE
curl -L https://ghst.ly/getbhce -o docker-compose.yml
sudo docker compose up -d
# Step 3: Wait ~30s for services to start, then check
sudo docker compose ps
# Should show: bloodhound, neo4j, postgres — all “running”
# Step 4: Get initial admin password
sudo docker compose logs | grep "Initial Password"
# Step 5: Open BloodHound CE
http://localhost:8080
# Login: admin / [password from logs]
# Step 6: Install bloodhound-python
pip install bloodhound --break-system-packages
# Step 7: Verify installation
bloodhound-python --version
# BloodHound CE is ready to receive SharpHound data

✅ What you just learned: BloodHound CE’s Docker deployment is significantly easier than the legacy Neo4j + Electron setup. The entire stack — Neo4j graph database, PostgreSQL, and BloodHound web interface — spins up in one command. With bloodhound-python installed, you are ready to collect AD data from any domain environment where you have valid credentials and ingest it directly into your local BloodHound instance for analysis. Your AD pentesting toolkit is now complete for the practical lateral movement work in Day 28.

📸 Screenshot the BloodHound CE web interface loaded at localhost:8080 and share in #day-27-bloodhound on Discord. Tag #bloodhound2026


Turning BloodHound Attack Paths Into Pentest Report Findings

A BloodHound attack path graph is one of the most impactful visuals you can include in a penetration test report. Client stakeholders who have never touched a command line immediately understand a graph showing “your standard helpdesk user can reach Domain Admin in four steps.” The challenge is contextualising the graph with enough technical detail that the remediation team can act on it.

For each attack path in your report, include: the exported BloodHound graph image, a numbered step-by-step breakdown of each node and edge in the path, the specific technique used to traverse each edge (with tool names), the account you started with and what level of initial access it represents, and a remediation recommendation specific to each node in the path (not generic “fix permissions”).

🧠 QUICK CHECK — Day 27

BloodHound shows a GenericAll edge from your compromised user account to a Domain Admin account. What action does this edge allow you to perform?



📋 Commands Used Today — Day 27 Reference Card

sudo docker compose up -d — Start BloodHound CE via Docker in background
sudo neo4j start — Start Neo4j for BloodHound Legacy installation
bloodhound & — Launch BloodHound Legacy desktop application
SharpHound.exe -c All — Collect all AD data types from a domain-joined Windows machine
bloodhound-python -u USER -p PASS -d DOMAIN -c All --zip — Collect AD data from Kali using domain credentials, no Windows needed
Find Shortest Paths to Domain Admins — BloodHound built-in query, the primary attack path discovery query
MATCH p=shortestPath((u:User)-[*1..]->(g:Group)) RETURN p — Custom Cypher query, shortest path between any two node types


You now have the most powerful Active Directory attack path visualisation tool in your arsenal. BloodHound turns weeks of manual AD analysis into minutes — and makes your pentest reports more impactful than any other tool in this course.


❓ Frequently Asked Questions

What is BloodHound and what does it do?
BloodHound is a free open-source Active Directory attack path visualisation tool. It uses graph theory to map relationships between users, groups, computers, and permissions in an AD environment, then automatically identifies the shortest attack path to Domain Admin. It helps both attackers (finding efficient privilege escalation paths) and defenders (identifying dangerous permission chains before they are exploited).
What is SharpHound and how is it different from BloodHound?
SharpHound is the data collector — it runs on Windows with domain user credentials and outputs JSON files. BloodHound is the analysis and visualisation interface. You need both: SharpHound to gather data, BloodHound to analyse it. bloodhound-python is an alternative collector that runs directly from Kali Linux.
What is the difference between BloodHound CE and BloodHound Legacy?
BloodHound CE is the current actively maintained version with a modern web-based interface running via Docker. BloodHound Legacy is the Electron desktop app no longer actively developed but still widely used. For new installations in 2026, CE is recommended. Legacy still works in lab environments.
What AD relationships does BloodHound map?
BloodHound maps 40+ relationship types. Most important: AdminTo (local admin on computer), HasSession (user logged on), MemberOf (group membership), GenericAll (full control), WriteDacl (can modify ACL), DCSync (can replicate passwords), ForceChangePassword (can reset password), and Kerberoastable (SPN set for offline cracking).
Do I need Domain Admin credentials to run BloodHound?
No — standard domain user credentials collect most relationship data including group memberships, ACLs, and AD object relationships. Some collection methods require local admin on target machines for session data, but the core attack path analysis including Shortest Path to Domain Admin works with any domain user account.
What comes after BloodHound in this course?
Day 28 covers Lateral Movement Techniques — the practical execution of the paths BloodHound identifies. While BloodHound shows the theoretical shortest path, Day 28 covers exactly how to traverse each edge using Pass the Hash, Pass the Ticket, remote execution, and Kerberos delegation abuse in a real lab environment.
📚 Further Reading

  • Pass the Hash & Pass the Ticket 2026 — Day 26 covers the lateral movement techniques that traverse the AdminTo and HasSession edges BloodHound identifies — the practical execution of today’s attack paths.
  • Kerberos Attacks 2026 — Day 25 covers Kerberoasting and AS-REP Roasting — directly applicable to BloodHound’s Kerberoastable and AS-REP Roastable user queries.
  • 100-Day Ethical Hacking Course — The full course hub with all Active Directory attack days indexed sequentially from enumeration through domain compromise and post-exploitation.
  • BloodHound GitHub Repository — The official BloodHound repository with CE installation docs, SharpHound releases, custom query library, and the complete edge type reference documentation.
  • MITRE ATT&CK — Domain Policy Modification — The MITRE framework coverage of the AD privilege escalation and domain persistence techniques that BloodHound attack paths map to in the adversary TTP taxonomy.
Mr Elite
Owner, SecurityElites.com
The engagement where BloodHound genuinely stunned me was a large financial institution with a 40-person security team, a dedicated AD operations group, and annual third-party audits. I ran bloodhound-python with a standard domain user account, ingested the data, and clicked Shortest Path to Domain Admin. The path that came back had five hops. I almost dismissed it as a false positive. I verified each edge manually — each one was real. The path went through a service account that nobody in their IT department knew was a member of an old delegation group that had been created six years earlier for a system that had since been decommissioned. The group was never removed. One forgotten cleanup task, six years later, five-hop path to Domain Admin. The CISO asked me to present the graph to the board. That graph was the most impactful single image I have ever produced in a security engagement.

Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.