Install Bloodhound on Kali Linux (Working)

BloodHound is a powerful utility widely used in penetration testing and red team operations to analyze and visualize Active Directory (AD) environments. It leverages graph theory to map out relationships within an AD domain, uncovering hidden or complex attack paths that an attacker could exploit to escalate privileges. By ingesting data collected through tools like SharpHound, BloodHound creates an interactive graph that security professionals can navigate to see how permissions, group memberships, and trusts connect in ways that may not be obvious through manual inspection. This makes it invaluable for understanding the true structure of a network and for identifying weak points that could allow lateral movement.

From a defensive standpoint, BloodHound also provides system administrators and security teams with insight into how attackers view their environments. The same graphs that reveal paths to domain dominance for red teamers can also help defenders spot misconfigurations, overly permissive rights, and unnecessary trust relationships. By proactively using BloodHound, organizations can clean up vulnerabilities before they’re exploited in the wild. Its strength lies in turning the overwhelming complexity of Active Directory into a visual, actionable map that empowers both offensive and defensive security operations.

Bloodhound install and config for Kali Linux in 2025

				
sudo apt update && sudo apt upgrade -y

sudo apt install -y docker.io
sudo systemctl start docker
sudo systemctl enable docker --now
sudo usermod -aG docker $USER

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version

<!-- Not needed -->
sudo apt install docker-compose
docker compose version
docker compose up

sudo reboot now

mkdir -p ad/hack/bloodhound
cd ad/hack/bloodhound
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
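
The two downloads above fetch whatever `latest` resolves to, and the results are installed or run with elevated rights, so it is worth checking each file against its published SHA-256 before it becomes executable. The following is an added example, not part of the original page or of either project: `sha256_of` and `install_verified` are hypothetical helper names, and the expected hash is assumed to be copied from the release page for the exact version you downloaded.

```sh
#!/bin/sh
# Added example: install a downloaded binary only after its SHA-256 matches
# the value published for that release. Helper names are hypothetical.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# install_verified FILE EXPECTED_SHA256 DEST
#   0 = hash matched and FILE was copied to DEST with mode 0755
#   1 = hash mismatch, DEST is not written
#   2 = bad arguments (missing file or malformed checksum)
# The body runs in a subshell so its variables do not leak to the caller.
install_verified() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3

    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "malformed checksum" >&2
        exit 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 2; }

    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        exit 1
    fi

    # Copy into place and set the mode in one step.
    install -m 0755 "$file" "$dest"
)

# Usage (run as root for system paths; the hash is a placeholder):
#   curl -fL -o /tmp/docker-compose "<release asset URL>"
#   install_verified /tmp/docker-compose "<published_sha256>" /usr/local/bin/docker-compose
```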
				
			

How to use Bloodhound Python

				
<!-- Ingest data using bloodhound-python -->
<!-- Create a wrapper script (ad-bloodhound.sh) for bloodhound-python -->

<!-- Make the following folder structure on root for this -->
mkdir ad
cd ad
mkdir hack
cd hack
mkdir bloodhound
cd bloodhound

<!-- Create new file inside bloodhound directory --> 

nano ad-bloodhound.sh

<!-- Contents of file -->

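#!/bin/bash

# -r stops read from treating backslashes in the input as escapes
read -r -p "Domain: " domain
read -r -p "Username: " username

# -s keeps the password from being echoed to the terminal
read -r -s -p "Password: " password
echo

read -r -p "IP of Domain: " ip_address

# Quote every variable so spaces or shell metacharacters in the input are passed through intact
bloodhound-python -d "$domain" -u "$username" -p "$password" -gc "$domain" -c all -ns "$ip_address"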

<!-- End of file -->

chmod +x ad-bloodhound.sh
./ad-bloodhound.sh

<!-- Please note: if this doesn't work, it means that LDAP signing is enabled. To disable it, navigate to GPO > Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirement Enforcement. -->
				
			

How to use Sharphound

				
<!-- Transfer SharpHound to compromised Windows PC -->

<!-- Open BloodHound and navigate to Download Collectors - Download SharpHound and extract its contents into the downloads folder -->
				
			

Bloodhound-Python Optional/Additional commands

				
<!-- Collect data using the default collection methods (includes groups, sessions, and trusts): -->
bloodhound-python --username username --password password --domain domain 

<!-- Collect data using Kerberos authentication without requiring a plaintext password: -->
bloodhound-python --collectionmethod All --kerberos --domain domain

<!-- Authenticate using NTLM hashes instead of a password:  -->
bloodhound-python --collectionmethod All --username username --hashes LM:NTLM --domain domain

<!-- Specify a custom name server for DNS queries: -->
bloodhound-python --collectionmethod All --username username --password password --domain domain --nameserver nameserver

<!-- Save the output files as a compressed ZIP archive: -->
bloodhound-python --collectionmethod All --username username --password password --domain domain --zip

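<!-- (Optional) Get the initial password from the container logs. The container name uses underscores or hyphens depending on the Compose version, so use whichever line matches your container -->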
sudo docker logs bloodhoundce_bloodhound_1 2>&1 | grep "Initial Password Set To:"
sudo docker logs bloodhoundce-bloodhound-1 2>&1 | grep "Initial Password Set To:"

<!-- Download SharpHound and AzureHound to your Downloads directory -->
http://localhost:8080/ui/download-collectors

<!-- Unzip collectors -->
sudo unzip ~/Downloads/azurehound*.zip -d /opt/bloodhoundce/azurehound
sudo unzip ~/Downloads/sharphound*.zip -d /opt/bloodhoundce/sharphound

<!-- Collect data -->
sudo /opt/bloodhoundce/azurehound/azurehound-linux-amd64/azurehound -u 'First.Last@example.com' -p 'password123' list --tenant '<tenant_id>' -o output.json

<!-- Ingest data. Settings -> Administration -> Upload Files -->
http://localhost:8080/ui/administration/file-ingest

<!-- Add Domain Controller Name to Host File -->
sudo nano /etc/hosts

				
			
