LinuxCommandLibrary

bloodhound-python

Ingest BloodHound data into a Neo4j database

TLDR

Collect all data using default collection methods (includes groups, sessions, and trusts)

$ bloodhound-python --username [username] --password [password] --domain [domain]

Collect data using Kerberos authentication without requiring a plaintext password

$ bloodhound-python --collectionmethod [All] --kerberos --domain [domain]

Authenticate using NTLM hashes instead of a password

$ bloodhound-python --collectionmethod [All] --username [username] --hashes [LM:NTLM] --domain [domain]

Specify a custom name server for DNS queries

$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --nameserver [nameserver]

Save the output files as a compressed ZIP archive

$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --zip

SYNOPSIS

bloodhound-python [options]

PARAMETERS

-c
    Specifies the collection method. Common options include All, Group, LocalAdmin, Session, and ObjectProps; the All collector gathers every kind of data the tool supports.

-d
    Specifies the target Active Directory domain.

-u
    Specifies the username to authenticate to Active Directory.

-p
    Specifies the password for the given username. It's generally recommended to avoid passing the password directly on the command line.

--hashes
    Specifies the LM:NT hash pair of the user's password, used in place of the password for NTLM authentication.

-ns
    Specifies the IP address of the Domain Controller to query.

-gc
    Specifies the IP address of the Global Catalog to query.

--json
    Outputs the data in JSON format to standard output, rather than writing it to files.

-zippass
    Encrypts the JSON output files into a ZIP archive.

--dns-tcp
    Use TCP for DNS requests. Useful for large responses.

--computerfile
    Specifies a file containing a list of computers to target for data collection.

--disablegc
    Disables the use of the Global Catalog for data collection.

--stealth
    Attempts to make the enumeration process less noisy.

-o
    The directory in which to write the JSON output files; defaults to the current directory.

--kerberos
    Use Kerberos authentication.

--no-ssl
    Disable SSL connection (only for LDAPS queries).

DESCRIPTION

bloodhound-python is a command-line tool designed to collect data from various sources (primarily Active Directory environments) for ingestion into a BloodHound database. BloodHound is a graphical attack path management tool that allows security professionals to identify and analyze complex attack paths within an Active Directory domain. bloodhound-python gathers information about users, groups, computers, trusts, and other Active Directory objects, and then transforms that data into a format that can be imported into BloodHound. This allows BloodHound to visualize relationships and identify potential vulnerabilities within the Active Directory infrastructure. It is written in Python, so collection can be run from Linux as well as Windows hosts against a Windows Active Directory domain. Proper usage allows for efficient enumeration and helps discover weaknesses.

CAVEATS

Using incorrect credentials or targeting the wrong domain can lead to errors. Some collection methods, such as 'Session' and 'LocalAdmin', may require administrative privileges on the target machines. Consider potential legal and ethical implications before running bloodhound-python in a production environment.

AUTHENTICATION

The tool supports various authentication methods, including username/password, NTLM hashes, and Kerberos. Choosing the appropriate authentication method depends on the security policies and configuration of the target Active Directory environment.

Note: Always prioritize secure authentication methods and avoid storing passwords in plain text.

COLLECTOR METHODS

The different collector methods allow you to target specific types of data. For example, the 'Group' collector gathers information about Active Directory groups, while the 'Session' collector attempts to enumerate active user sessions on target machines. The 'All' collector gathers everything it can.

Selecting the right collector methods depends on your specific goals and the information you are trying to gather.
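Before uploading a run into BloodHound it is worth checking what the collectors actually produced: whether each file is well formed, whether the record count in the file's metadata agrees with the records present, and which hosts the Session collector could not reach (those are blind spots in the resulting graph). The script below is an added example and is not part of bloodhound-python or BloodHound. It assumes the common output layout of one JSON file per object type (users.json, computers.json, ...) with a top-level "data" list and a "meta" object carrying "type", "count" and "version", and it assumes the per-computer "Sessions" block carries "Results", "Collected" and "FailureReason" keys; the two sample documents embedded in it are constructed for the example.

```python
"""Sanity-check collector output files before ingesting them into BloodHound.

Added example, not part of bloodhound-python. Assumed (not taken from the page):
each output file is a JSON document shaped like {"data": [...], "meta": {...}},
meta carries "type", "count" and "version", and computer records carry a
"Sessions" block with "Results", "Collected" and "FailureReason".
"""
import json
import sys
from pathlib import Path
from typing import Any

# Object types the collector is assumed to write, one file per type.
KNOWN_TYPES = {"users", "groups", "computers", "domains", "gpos", "ous", "containers"}

# Constructed sample documents standing in for two small collector output files.
# The computers.json meta.count is deliberately wrong to show the mismatch check.
SAMPLE_FILES = {
    "users.json": json.dumps({
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1104",
             "Properties": {"name": "ALICE@CORP.LOCAL", "enabled": True}},
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
             "Properties": {"name": "BOB@CORP.LOCAL", "enabled": False}},
        ],
        "meta": {"type": "users", "count": 2, "version": 5},
    }),
    "computers.json": json.dumps({
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
             "Properties": {"name": "DC01.CORP.LOCAL"},
             "Sessions": {"Results": [{"UserSID": "S-1-5-21-1-2-3-1104",
                                       "ComputerSID": "S-1-5-21-1-2-3-1000"}],
                          "Collected": True, "FailureReason": None}},
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1001",
             "Properties": {"name": "WS01.CORP.LOCAL"},
             "Sessions": {"Results": [], "Collected": False,
                          "FailureReason": "Connection refused"}},
        ],
        "meta": {"type": "computers", "count": 3, "version": 5},
    }),
}


def validate_output(text: str) -> tuple[dict, list[str]]:
    """Parse one collector output document and return (document, problems).

    A problem is anything that makes the file untrustworthy as graph input:
    invalid JSON, missing top-level keys, an unknown object type, or a
    meta.count that disagrees with the number of records actually present.
    """
    problems: list[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or "data" not in doc or "meta" not in doc:
        return doc if isinstance(doc, dict) else {}, ["missing top-level 'data' or 'meta'"]
    meta = doc["meta"]
    obj_type = meta.get("type")
    if obj_type not in KNOWN_TYPES:
        problems.append(f"unknown object type {obj_type!r}")
    if meta.get("count") != len(doc["data"]):
        problems.append(f"meta.count={meta.get('count')} but {len(doc['data'])} records present")
    return doc, problems


def summarize_run(files: dict[str, str]) -> dict[str, dict[str, Any]]:
    """Summarize a set of output files keyed by file name.

    For every file: record count and validation problems. For computers, the
    hosts where session collection failed (gaps in the graph) and the number
    of sessions seen; for users, the disabled accounts, which BloodHound still
    imports and which are easy to misread as live principals.
    """
    summary: dict[str, dict[str, Any]] = {}
    for name, text in files.items():
        doc, problems = validate_output(text)
        entry: dict[str, Any] = {"records": len(doc.get("data", [])), "problems": problems}
        obj_type = doc.get("meta", {}).get("type")
        if obj_type == "computers":
            entry["session_collection_failed"] = sorted(
                c["Properties"]["name"] for c in doc["data"]
                if not c.get("Sessions", {}).get("Collected", False))
            entry["sessions"] = sum(
                len(c.get("Sessions", {}).get("Results", [])) for c in doc["data"])
        elif obj_type == "users":
            entry["disabled"] = sorted(
                u["Properties"]["name"] for u in doc["data"]
                if not u["Properties"].get("enabled", True))
        summary[name] = entry
    return summary


if __name__ == "__main__":
    # Usage: python check_output.py [output_dir]; without a directory, the
    # constructed samples above are summarized instead.
    if len(sys.argv) > 1:
        files = {p.name: p.read_text() for p in Path(sys.argv[1]).glob("*.json")}
    else:
        files = SAMPLE_FILES
    print(json.dumps(summarize_run(files), indent=2))
```

Run it against the directory the collector wrote to (the -o directory, or the current directory by default); a non-empty problems list or a long session_collection_failed list is a reason to re-run the affected collector before trusting the graph.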

STEALTH

The --stealth option attempts to reduce the visibility of the enumeration process. However, it is not a guarantee of complete stealth, and network monitoring or intrusion detection systems may still be able to detect the activity. Use with caution.

HISTORY

bloodhound-python evolved as a Python-based alternative to the original C# SharpHound data collector for BloodHound. It aimed to provide a cross-platform solution, particularly for Linux environments, where SharpHound might be less convenient to use. Over time, it has gained popularity in the penetration testing and red teaming community for its ease of use and flexible data collection capabilities.
