SharpHound

Collect all data from the current domain.
.\SharpHound.exe -c All
Collect all data targeting a specific domain.
.\SharpHound.exe -c All --Domain domain.local --DomainController 10.10.10.1
Collect with explicit credentials.
.\SharpHound.exe -c All --LdapUsername user --LdapPassword 'P@ssw0rd' --Domain domain.local
DC-only collection (faster, less noise).
.\SharpHound.exe -c DCOnly
Stealth collection (reduced network noise).
.\SharpHound.exe -c All --Stealth
Custom output path and randomized filenames.
.\SharpHound.exe -c All --OutputDirectory C:\Temp --RandomFilenames --NoSaveCache
Custom zip filename.
.\SharpHound.exe -c All --ZipFileName loot.zip
Loop collection every 5 minutes for 2 hours.
.\SharpHound.exe -c All --Loop --LoopDuration 02:00:00 --LoopInterval 00:05:00
Exclude domain controllers from host enumeration.
.\SharpHound.exe -c All --ExcludeDomainControllers

BloodHound.py

Collect all data with password auth.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c All -ns 10.10.10.1
Collect and zip output automatically.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c All -ns 10.10.10.1 --zip
Pass-the-Hash (PTH) authentication.
bloodhound-python -u user --hashes LMHASH:NTHASH -d domain.local -c All -ns 10.10.10.1
Kerberos authentication.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c All -ns 10.10.10.1 -k
DC-only collection.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c DCOnly -ns 10.10.10.1
Target a specific domain controller.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c All -ns 10.10.10.1 -dc dc01.domain.local
Force NTLM authentication.
bloodhound-python -u user -p 'P@ssw0rd' -d domain.local -c All -ns 10.10.10.1 --auth-method ntlm
