LinuxCommandLibrary

bloodhound-python

Ingest BloodHound data into Neo4j database

TLDR

Collect all data using default collection methods (includes groups, sessions, and trusts)

$ bloodhound-python --username [username] --password [password] --domain [domain]

Collect data using Kerberos authentication without requiring a plaintext password
$ bloodhound-python --collectionmethod [All] --kerberos --domain [domain]

Authenticate using NTLM hashes instead of a password
$ bloodhound-python --collectionmethod [All] --username [username] --hashes [LM:NTLM] --domain [domain]

Specify a custom name server for DNS queries
$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --nameserver [nameserver]

Save the output files as a compressed ZIP archive
$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --zip

SYNOPSIS

bloodhound-python [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-ns NAMESERVER] [-c COLLECTIONMETHOD] [-v] [--zip] [-debug]

PARAMETERS

-h, --help
    Show help message and exit

-d DOMAIN, --domain DOMAIN
    Domain to query (default: auto-detect)

-u USERNAME, --username USERNAME
    Username (DOMAIN\user or user@domain)

-p PASSWORD, --password PASSWORD
    Password for authentication

-ns NAMESERVER, --nameserver NAMESERVER
    IP or hostname of DNS server

-c COLLECTIONMETHOD, --collectionmethod COLLECTIONMETHOD
    Method: Default, All, Group, LoggedOn (default: Default)

-v, --verbose
    Verbose output

--zip
    Compress output to ZIP file

--dns-tcp
    Use TCP for DNS queries

-ntlm
    Force NTLM authentication

-k, --kerberos
    Use Kerberos authentication

--hashes HASHES
    NTLM hash (LMHASH:NTHASH)

--aesKey AESKEY
    AES key for Kerberos

-debug
    Enable debug logging

DESCRIPTION

BloodHound.py is a Python implementation of the BloodHound ingestor designed for Linux and macOS environments. It collects data from Active Directory domains via LDAP queries, SMB enumeration, and other protocols, generating JSON files compatible with the BloodHound GUI for visualizing attack paths.

The tool uses the Impacket library for network interactions and supports NTLM, Kerberos, and pass-the-hash authentication. Users specify domain credentials, collection methods (e.g., Default, All, Group), and output formats. It performs domain trust discovery, session enumeration, local admin identification, and more, helping red teamers and defenders map AD attack surfaces.

Key features include DNS resolution for domain controllers, support for LDAPS, and ZIP compression of outputs. It's lightweight, scriptable, and integrates seamlessly with BloodHound's Neo4j backend for graph analysis.

CAVEATS

Requires Impacket library and Python 3.6+; may trigger AD security alerts; not for unauthorized use on production networks.
Needs network access to domain controllers; Kerberos requires valid tickets.
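
One signal defenders can alert on is the fan-out that session and local admin collection produces: a single source opening SMB (TCP 445) connections to many computers in a short time. The sketch below is an added example, not part of the original page or of BloodHound.py; the log format, addresses, 60-second window and threshold of 10 hosts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed records 'ISO-time src dst dport'; format and hosts are assumptions."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{base.isoformat()} 10.0.0.50 10.0.0.10 389"]  # LDAP to a DC
    for i in range(12):  # one host reaching 12 computers over SMB in 24 seconds
        t = base + timedelta(seconds=2 * i + 1)
        lines.append(f"{t.isoformat()} 10.0.0.50 10.0.1.{i + 1} 445")
    for i in range(30):  # ordinary client reusing two file servers
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.0.0.77 10.0.2.{i % 2 + 1} 445")
    return lines

def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Map each source to its peak count of distinct SMB destinations inside
    any sliding window, keeping only sources that reach the threshold."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = {}
    for ts, src, dst, dport in sorted(parse(l) for l in lines):
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire connections older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak

if __name__ == "__main__":
    for src, n in smb_fanout(constructed_sample()).items():
        print(f"ALERT {src} reached {n} distinct hosts over SMB within 60s")
```

Hosts that legitimately reach many machines over SMB (patch servers, vulnerability scanners) need an allowlist before a rule like this is usable.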

INSTALLATION

git clone https://github.com/dirkjanm/BloodHound.py.git
cd BloodHound.py
pip3 install -r requirements.txt

EXAMPLE USAGE

bloodhound-python -u 'user@domain.com' -p 'Passw0rd!' -d 'domain.com' -c All -v
Outputs: users.json, computers.json, etc.

HISTORY

Developed by Dirk-jan (@dirkjanm) starting 2019 as BloodHound.py to provide a Linux-native ingestor. It evolved from the original BloodHound ingestor (C#/Windows) and is now actively maintained, using Impacket for cross-platform AD enumeration.

SEE ALSO

impacket-GetADUsers(1), ldapsearch(1), smbclient(1)
