Hacking Tools

ShadowHound : Leveraging PowerShell For Stealthy Active Directory Enumeration

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound.

It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:

  • ShadowHound-ADM.ps1: Uses the Active Directory module (ADWS).
  • ShadowHound-DS.ps1: Utilizes direct LDAP queries via DirectorySearcher.

Blog Post

For more details and context, check out the blog post.

Scripts Overview

ShadowHound-ADM.ps1

  • Method: Active Directory module (Get-ADObject via ADWS).
  • Usage Scenario: When the AD module is available and ADWS is accessible.
  • Features:
    • Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
    • Enumerates certificates with the -Certificates flag.

ShadowHound-DS.ps1

  • Method: Direct LDAP queries using DirectorySearcher.
  • Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
  • Features:
    • Enumerates certificates with the -Certificates flag.
    • Supports alternate credentials with the -Credential parameter.

Usage Examples

Basic Enumeration

ShadowHound-ADM.ps1

# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"

# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"

# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"

ShadowHound-DS.ps1

# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"

# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"

# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Website OSINT: Tools and Techniques for Reconnaissance

Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…

27 minutes ago

Top OSINT Tools to Find Emails, Usernames and Passwords

Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…

14 hours ago

Google Dorking in Cybersecurity: A Complete Guide

Introduction In the vast ocean of the internet, the most powerful tool you already have…

1 day ago

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

2 weeks ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 weeks ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 weeks ago