LinuxCommandLibrary

bloodhound-python

Ingest BloodHound data into Neo4j database

TLDR

Collect all data using default collection methods (includes groups, sessions, and trusts)

$ bloodhound-python --username [username] --password [password] --domain [domain]

Collect data using Kerberos authentication without requiring a plaintext password
$ bloodhound-python --collectionmethod [All] --kerberos --domain [domain]

Authenticate using NTLM hashes instead of a password
$ bloodhound-python --collectionmethod [All] --username [username] --hashes [LM:NTLM] --domain [domain]

Specify a custom name server for DNS queries
$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --nameserver [nameserver]

Save the output files as a compressed ZIP archive
$ bloodhound-python --collectionmethod [All] --username [username] --password [password] --domain [domain] --zip

SYNOPSIS

bloodhound-python [OPTIONS]

PARAMETERS

-d <domain>, --domain <domain>
    Specifies the target Active Directory domain name (e.g., example.com).

-u <username>, --username <username>
    Provides the username for authentication (e.g., user@domain.com or DOMAIN\user).

-p <password>, --password <password>
    Specifies the password for the given username. If omitted, the user will be prompted for it.

--hashes <LM:NT>
    Provides NTLM hashes for authentication instead of a password (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0).

--aesKey <key>
    Specifies the AES key for Kerberos authentication (Pass-the-Key).

--kerberos
    Enables Kerberos authentication. Requires a Kerberos ticket (TGT) in the ccache.

--dc <IP|hostname>
    Specifies a specific Domain Controller to connect to for data collection.

--dns-tcp
    Forces DNS queries to use TCP instead of UDP, which can be useful in some network environments.

-c <method>, --collectionmethod <method>
    Defines the type of data to collect (the same option used as --collectionmethod in the TLDR examples above). Common methods include All, Acls, GroupMembers, Sessions, Trusts, Certificates, RDP, DCOM, etc. Can be specified multiple times. Use --help for a full list of collection methods.

--zip
    Compresses the output JSON files into a single ZIP archive, suitable for direct import into BloodHound.

--outputfile <file>
    Specifies the base name for the output JSON or ZIP file.

--disable-ldaps-validation
    Disables LDAPS certificate validation. Use with caution, primarily for testing or in environments with self-signed certificates.

--debug
    Enables verbose debugging output for troubleshooting.

--version
    Shows the program's version number and exits.

--help
    Displays the help message and exits.

DESCRIPTION

bloodhound-python is a Python-based ingestor that collects data from Microsoft Active Directory (AD) environments. It is the collection component of the BloodHound ecosystem, a graphical analysis tool used to visualize and identify attack paths, privilege escalation opportunities, and misconfigurations within AD domains.

The script enumerates Active Directory objects and their relationships, including users, groups, computers, trusts, Group Policy Objects (GPOs), Access Control Lists (ACLs), and active user sessions. The collected data is written as JSON files (optionally packaged into a single ZIP archive), which can then be imported into the BloodHound GUI (backed by a Neo4j database).

This data lets security professionals, penetration testers, and red teamers assess an organization's AD security posture. The tool supports several authentication methods, including username/password, NTLM hashes, and Kerberos (Pass-the-Ticket), and queries AD services such as LDAP, SMB, and DNS during collection. It is widely used for its cross-platform compatibility and its effectiveness in gathering the information needed for AD security assessments.

CAVEATS

While highly effective, the use of bloodhound-python can generate network traffic and log entries that might be detected by security monitoring solutions. Collection on very large Active Directory environments can be time-consuming and resource-intensive, requiring sufficient network bandwidth and system resources. The accuracy and completeness of the collected data are directly dependent on the permissions of the Active Directory account used for execution. Users must ensure compliance with organizational policies and legal regulations when deploying and using this tool, as unauthorized data collection can have severe consequences.
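The detection side of this caveat, as an added example that is not part of the bloodhound-python project: session collection contacts each domain computer over SMB, so one source opening TCP 445 connections to many distinct hosts in a short window is the traffic pattern a defender can look for. The flow-log format, the sample records, the 60-second window and the threshold of 10 distinct destinations are all assumptions constructed for this illustration.

```python
"""Flag hosts that open SMB (TCP 445) connections to many distinct computers
within a short window, the pattern left when a collector contacts each
domain computer in turn.

Added example; not part of bloodhound-python. The log format, the window
(60 s) and the threshold (10 distinct destinations) are assumptions.
Records are expected in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow records, not captured traffic. Host 10.0.0.50 sweeps
# eleven computers on port 445 in ten seconds; host 10.0.0.7 talks to its
# two usual file servers and should not be flagged.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z src=10.0.0.50 dst=10.0.1.10 dport=445
2024-05-01T09:00:01Z src=10.0.0.50 dst=10.0.1.11 dport=445
2024-05-01T09:00:02Z src=10.0.0.7 dst=10.0.1.200 dport=445
2024-05-01T09:00:02Z src=10.0.0.50 dst=10.0.1.12 dport=445
2024-05-01T09:00:03Z src=10.0.0.50 dst=10.0.1.13 dport=445
2024-05-01T09:00:04Z src=10.0.0.50 dst=10.0.1.14 dport=445
2024-05-01T09:00:04Z src=10.0.0.50 dst=10.0.1.10 dport=389
2024-05-01T09:00:05Z src=10.0.0.50 dst=10.0.1.15 dport=445
2024-05-01T09:00:06Z src=10.0.0.50 dst=10.0.1.16 dport=445
2024-05-01T09:00:07Z src=10.0.0.7 dst=10.0.1.201 dport=445
2024-05-01T09:00:07Z src=10.0.0.50 dst=10.0.1.17 dport=445
2024-05-01T09:00:08Z src=10.0.0.50 dst=10.0.1.18 dport=445
2024-05-01T09:00:09Z src=10.0.0.50 dst=10.0.1.19 dport=445
2024-05-01T09:00:10Z src=10.0.0.50 dst=10.0.1.20 dport=445
2024-05-01T09:00:30Z src=10.0.0.7 dst=10.0.1.200 dport=445
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_smb_fanout(log_text, window_seconds=60, threshold=10):
    """Return {src: (first_alert_time, distinct_destinations)} for sources
    that reached at least `threshold` distinct hosts on 445 within the window."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 445:
            continue  # LDAP, DNS and other ports are out of scope here
        window = recent[rec["src"]]
        window.append((rec["ts"], rec["dst"]))
        # Drop records that have aged out of the sliding window.
        while (rec["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {dst for _, dst in window}
        if len(distinct) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = (rec["ts"], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} {src} reached {n} distinct hosts on 445")
```

A single threshold like this will also fire on legitimate management hosts (patching servers, vulnerability scanners), so in practice the rule is paired with an allow-list of known scanners and a baseline of how many hosts each source normally reaches.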

OUTPUT FORMAT

The command generates JSON files, typically compressed into a single ZIP archive using the --zip option. These files are directly importable into the BloodHound GUI, which then populates its Neo4j graph database for analysis.
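Before importing an archive, an analyst usually wants to know what is in it. The following is an added example, not code from the bloodhound-python project: it opens a --zip style archive, reads each JSON member, and tallies objects per type while checking that each file's declared object count matches the objects actually present. It assumes the layout the collector writes (a "data" list plus a "meta" object carrying "type" and "count"); the archive itself is constructed in memory so the script runs offline.

```python
"""Inventory a bloodhound-python output archive before importing it.

Added example, not code from the bloodhound-python project. It assumes each
JSON file in the archive is an object with a "data" list and a "meta" object
carrying "type" and "count". The archive below is constructed in memory.
"""
import io
import json
import zipfile
from collections import Counter


def build_sample_archive() -> bytes:
    """Constructed stand-in for a --zip archive; not real collection output."""
    users = {
        "data": [
            {"Properties": {"name": "ALICE@EXAMPLE.COM", "enabled": True}},
            {"Properties": {"name": "SVC_BACKUP@EXAMPLE.COM", "enabled": True}},
        ],
        "meta": {"type": "users", "count": 2, "version": 5},
    }
    computers = {
        "data": [{"Properties": {"name": "DC01.EXAMPLE.COM"}}],
        # count deliberately disagrees with len(data) to exercise the check
        "meta": {"type": "computers", "count": 3, "version": 5},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("20240101000000_users.json", json.dumps(users))
        zf.writestr("20240101000000_computers.json", json.dumps(computers))
        zf.writestr("notes.txt", "not a collection file")
    return buf.getvalue()


def inventory_archive(zip_bytes: bytes) -> dict:
    """Return per-type object counts, files whose meta.count disagrees with
    the number of objects present, and non-JSON members that were skipped."""
    counts = Counter()
    mismatches = []
    skipped = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                skipped.append(name)
                continue
            doc = json.loads(zf.read(name))
            meta = doc.get("meta", {})
            data = doc.get("data", [])
            obj_type = meta.get("type", "unknown")
            counts[obj_type] += len(data)
            if meta.get("count") != len(data):
                mismatches.append((name, meta.get("count"), len(data)))
    return {"counts": dict(counts), "mismatches": mismatches, "skipped": skipped}


if __name__ == "__main__":
    report = inventory_archive(build_sample_archive())
    for obj_type, n in sorted(report["counts"].items()):
        print(f"{obj_type:10s} {n}")
    for name, declared, actual in report["mismatches"]:
        print(f"WARNING {name}: meta.count={declared} but {actual} objects present")
    for name in report["skipped"]:
        print(f"skipped non-JSON member {name}")
```

Run against a real archive by replacing build_sample_archive() with the bytes of the collector's ZIP; a count mismatch or an unexpected non-JSON member is a sign the archive was truncated or tampered with and should not be imported as-is.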

AUTHENTICATION FLEXIBILITY

bloodhound-python supports a variety of authentication methods, including traditional username/password, NTLM hashes (Pass-the-Hash), and Kerberos tickets (Pass-the-Ticket or AES keys). This flexibility allows it to be used effectively in diverse penetration testing and security assessment scenarios.

HISTORY

bloodhound-python was originally developed by fox-it (now part of Deloitte) as a cross-platform Python-based ingestor for the BloodHound project. It emerged as a powerful alternative to the initial PowerShell-based data collection scripts, offering broader compatibility (especially for non-Windows operating systems) and often improved performance. Its development has closely tracked the evolution of the BloodHound analysis tool, continuously adding new collection methods and features to provide more comprehensive insights into Active Directory security. It is now maintained within the official BloodHound GitHub organization, solidifying its role as a primary data collection agent.

SEE ALSO

bloodhound(1), ldapsearch(1), smbclient(1), nmap(1), dig(1)
