|
| 1 | +# SharpHound - C# Rewrite of the BloodHound Ingestor |
| 2 | + |
| 3 | +## Get SharpHound |
| 4 | + |
| 5 | +The latest build of SharpHound will always be in the BloodHound repository [here](https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors) |
| 6 | + |
| 7 | +## Compile Instructions |
| 8 | + |
| 9 | +SharpHound is written using C# 9.0 features. To easily compile this project, use Visual Studio 2019. |
| 10 | + |
| 11 | +If you would like to compile on previous versions of Visual Studio, you can install the [Microsoft.Net.Compilers](https://www.nuget.org/packages/Microsoft.Net.Compilers/) nuget package. |
| 12 | + |
| 13 | +Building the project will generate an executable as well as a PowerShell script that encapsulates the executable. All dependencies are rolled into the binary. |
| 14 | + |
| 15 | +## Requirements |
| 16 | + |
| 17 | +SharpHound is designed targetting .Net 4.5. Sharphound must be run from the context of a domain user, either directly through a logon or through another method such as RUNAS. |
| 18 | + |
| 19 | +## More Information |
| 20 | + |
| 21 | +## Usage |
| 22 | + |
| 23 | +### Enumeration Options |
| 24 | + |
| 25 | +- **CollectionMethod** - The collection method to use. This parameter accepts a comma separated list of values. Has the following potential values (Default: Default): |
| 26 | + - **Default** - Performs group membership collection, domain trust collection, local group collection, session collection, ACL collection, object property collection, and SPN target collection |
| 27 | + - **Group** - Performs group membership collection |
| 28 | + - **LocalAdmin** - Performs local admin collection |
| 29 | + - **RDP** - Performs Remote Desktop Users collection |
| 30 | + - **DCOM** - Performs Distributed COM Users collection |
| 31 | + - **PSRemote** - Performs Remote Management Users collection |
| 32 | + - **GPOLocalGroup** - Performs local admin collection using Group Policy Objects |
| 33 | + - **Session** - Performs session collection |
| 34 | + - **ComputerOnly** - Performs local admin, RDP, DCOM and session collection |
| 35 | + - **LoggedOn** - Performs privileged session collection (requires admin rights on target systems) |
| 36 | + - **Trusts** - Performs domain trust enumeration |
| 37 | + - **ACL** - Performs collection of ACLs |
| 38 | + - **Container** - Performs collection of Containers |
| 39 | + - **DcOnly** - Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup. |
| 40 | + - **All** - Performs all Collection Methods except GPOLocalGroup |
| 41 | +- **Domain** - Search a particular domain. Uses your current domain if null (Default: null) |
| 42 | +- **Stealth** - Performs stealth collection methods. All stealth options are single threaded. |
| 43 | +- **ExcludeDomainControllers** - Excludes domain controllers from enumeration (avoids Microsoft ATA flags :) ) |
| 44 | +- **ComputerFile** - Specify a file to load computer names/IPs from |
| 45 | +- **LdapFilter** - LDAP Filter to apppend to search |
| 46 | +- **OverrideUserName** - Overrides user name for session enumeration (advanced) |
| 47 | +- **RealDNSName** - Overrides DNS name for API calls |
| 48 | +- **CollectAllProperties** - Collect all string LDAP properties instead of a subset |
| 49 | +- **WindowsOnly** - Limit computer collection to systems with an operating system that matches \*Windows\* |
| 50 | + |
| 51 | +### Loop Options |
| 52 | + |
| 53 | +- **Loop** - Loop computer collections |
| 54 | +- **LoopDuration** - How long to loop for |
| 55 | +- **LoopInterval** - Duration to wait between loops |
| 56 | + |
| 57 | +### Connection Options |
| 58 | + |
| 59 | +- **DomainController** - Specify which Domain Controller to connect to (Default: null) |
| 60 | +- **LdapPort** - Specify what port LDAP lives on (Default: 0) |
| 61 | +- **SecureLdap** - Connect to AD using Secure LDAP instead of regular LDAP. Will connect to port 636 by default. |
| 62 | +- **LdapUsername** - Username to connect to LDAP with. Requires the LDAPPassword parameter as well (Default: null) |
| 63 | +- **LdapPassword** - Password for the user to connect to LDAP with. Requires the LDAPUser parameter as well (Default: null) |
| 64 | +- **DisableKerberosSigning** - Disables LDAP encryption. Not recommended. |
| 65 | + |
| 66 | +### Performance Options |
| 67 | + |
| 68 | +- **PortScanTimeout** - Specifies the timeout for ping requests in milliseconds (Default: 2000) |
| 69 | +- **SkipPortScan** - Instructs Sharphound to skip ping requests to see if systems are up |
| 70 | +- **Throttle** - Adds a delay after each request to a computer. Value is in milliseconds (Default: 0) |
| 71 | +- **Jitter** - Adds a percentage jitter to throttle. (Default: 0) |
| 72 | + |
| 73 | +### Output Options |
| 74 | + |
| 75 | +- **OutputDirectory** - Folder in which to store JSON files (Default: .) |
| 76 | +- **OutputPrefix** - Prefix to add to your JSON files (Default: "") |
| 77 | +- **NoZip** - Don't compress JSON files to the zip file. Leaves JSON files on disk. (Default: false) |
| 78 | +- **EncryptZip** - Add a randomly generated password to the zip file. |
| 79 | +- **ZipFileName** - Specify the name of the zip file |
| 80 | +- **RandomizeFilenames** - Randomize output file names |
| 81 | +- **PrettyJson** - Outputs JSON with indentation on multiple lines to improve readability. Tradeoff is increased file size. |
| 82 | +- **DumpComputerStatus** - Dumps error codes from connecting to computers |
| 83 | + |
| 84 | +### Cache Options |
| 85 | + |
| 86 | +- **CacheFileName** - Filename for the Sharphound cache. (Default: <B64 Machine Sid>.bin) |
| 87 | +- **NoSaveCache** - Don't save the cache file to disk. Without this flag, <B64 Machine Sid>.bin will be dropped to disk |
| 88 | +- **InvalidateCache** - Invalidate the cache file and build a new cache |
| 89 | + |
| 90 | +### Misc Options |
| 91 | + |
| 92 | +- **StatusInterval** - Interval to display progress during enumeration in milliseconds (Default: 30000) |
0 commit comments