Hacking Tools

ShadowHound : Leveraging PowerShell For Stealthy Active Directory Enumeration

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound.

It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:

  • ShadowHound-ADM.ps1: Uses the Active Directory module (ADWS).
  • ShadowHound-DS.ps1: Utilizes direct LDAP queries via DirectorySearcher.

Blog Post

For more details and context, check out the blog post.

Scripts Overview

ShadowHound-ADM.ps1

  • Method: Active Directory module (Get-ADObject via ADWS).
  • Usage Scenario: When the AD module is available and ADWS is accessible.
  • Features:
    • Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
    • Enumerates certificates with the -Certificates flag.

ShadowHound-DS.ps1

  • Method: Direct LDAP queries using DirectorySearcher.
  • Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
  • Features:
    • Enumerates certificates with the -Certificates flag.
    • Supports alternate credentials with the -Credential parameter.

Usage Examples

Basic Enumeration

ShadowHound-ADM.ps1

# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"

# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"

# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"

ShadowHound-DS.ps1

# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"

# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"

# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

1 week ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

1 week ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

1 week ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

1 week ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

1 week ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

2 weeks ago