{"id":20812745,"url":"https://github.com/dadevel/bloodhoundcli","last_synced_at":"2025-07-30T14:07:19.545Z","repository":{"id":192901653,"uuid":"687697166","full_name":"dadevel/bloodhoundcli","owner":"dadevel","description":"Utilities for Pentesting with BloodHound","archived":false,"fork":false,"pushed_at":"2025-05-06T13:47:13.000Z","size":151,"stargazers_count":17,"open_issues_count":0,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-06T14:59:01.856Z","etag":null,"topics":["adsecurity","bloodhound","offsec"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadevel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-09-05T20:18:41.000Z","updated_at":"2025-05-06T13:46:11.000Z","dependencies_parsed_at":"2023-09-05T21:53:01.917Z","dependency_job_id":"3b6e096d-bc2a-4047-8374-a589485f8f30","html_url":"https://github.com/dadevel/bloodhoundcli","commit_stats":null,"previous_names":["dadevel/bloodhoundcli"],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fbloodhoundcli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fbloodhoundcli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fbloodhoundcli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fbloodhoundcli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/owners/dadevel","download_url":"https://codeload.github.com/dadevel/bloodhoundcli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252865704,"owners_count":21816306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adsecurity","bloodhound","offsec"],"created_at":"2024-11-17T20:57:54.465Z","updated_at":"2025-07-30T14:07:19.526Z","avatar_url":"https://github.com/dadevel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BloodHoundCli\n\n![Screenshot](./assets/demo.png)\n\nCollection of various utilities to aid in Pentesting with [BloodHound](https://github.com/bloodhoundad/bloodhound).\n\n# Setup\n\n1. Install [Podman](https://github.com/containers/podman) and [docker-compose](https://github.com/docker/compose).\n2. [Configure rootless containers](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md) for Podman.\n3. Enable the Podman socket for your user.\n\n    ~~~ bash\n    systemctl --user enable --now podman.socket\n    ~~~\n\n4. 
Install this Python package with [pipx](https://github.com/pypa/pipx).\n\n    ~~~ bash\n    pipx install git+https://github.com/dadevel/bloodhoundcli.git@main\n    ~~~\n\n## Custom Queries\n\nIf you don't want to use BloodHoundCli and are here just for the [custom queries](./bloodhoundcli/data/customqueries.json) run the command below.\nOtherwise the queries are automatically installed when you create your first BloodHoundCli project.\n\n~~~ bash\ncurl -Lo ~/.config/bloodhound/customqueries.json https://github.com/dadevel/bloodhoundcli/raw/main/bloodhoundcli/data/customqueries.json\n~~~\n\nThe queries are based on work by [@luemmelsec](https://github.com/LuemmelSec/Custom-BloodHound-Queries) and [@martinsohn](https://gist.github.com/martinsohn/3f6122c7486ca3ffcaa444772f1a35f2).\nThank you!\n\n## Project Management\n\nProjects are managed with [Podman](https://github.com/containers/podman) containers.\nOnly one project can be active at a time.\nEach project consists of [BloodHound Community Edition](https://github.com/specterops/bloodhound), Neo4j and Postgres.\n\n~~~ bash\nbloodhoundcli setup-project example1\nbloodhoundcli shutdown-project example1\nbloodhoundcli setup-project example2\nbloodhoundcli list-projects\nbloodhoundcli destroy-project example1\nbloodhoundcli destroy-project example2\n~~~\n\n## Authentication\n\n- BloodHound Legacy: \u003cbolt://localhost:7687/\u003e, username *neo4j*, empty password\n- Neo4j: \u003chttp://localhost:7474/\u003e, username *neo4j*, empty password\n- BloodHound Community Edition: \u003chttp://localhost:7575/\u003e, username *admin*, empty password\n\n## Data Collection\n\nIngest files from [AzureHound](https://github.com/SpecterOps/AzureHound) and modern [SharpHound](https://github.com/bloodhoundad/sharphound).\n\n~~~ bash\nbloodhoundcli import-bhce ./azurehound.json ./*_BloodHound.zip\n~~~\n\nFiles from [bloodhound.py](https://github.com/dirkjanm/bloodhound.py) and old SharpHound must be imported with BloodHound 
Legacy.\n\n## CLI Integration\n\nQuickly fetch data from Neo4j for use with other tools or import data from other tools into BloodHound.\n\n~~~ bash\nbloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' \u003e ./users.txt\nbloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)}) SET u.owned=true RETURN u.name' \u003c\u003c EOF\njohn.doe@corp.local\njane.doe@corp.local\nEOF\nbloodhoundcli query -s -j 'MATCH (u:User {name: $stdin.name}) SET u.foo=$stdin.value RETURN u.name' \u003c\u003c EOF\n{\"name\": \"john.doe@corp.local\", \"value\": \"bar\"}\n{\"name\": \"jane.doe@corp.local\", \"value\": \"baz\"}\nEOF\n~~~\n\n## Enrichment\n\nExecute a set of post-processing queries to mark certain objects with additional attributes and add additional edges for certain situations.\n\n~~~ bash\nbloodhoundcli enrich\n~~~\n\nThese attributes are:\n\n- `tier=0` for a standard set of tier 0 objects\n- `highvalue=true` for objects with a potential path to tier 0\n- `active=true` for accounts with a login in the last 90 days\n- `sensitive=true` for members of *Protected Users*\n\n### Weighted Graph\n\nThe enrichment also assigns weights to edges in BloodHound (based on work by [@riccardoancarani](https://riccardoancarani.github.io/2019-11-08-not-all-paths-are-equal/) and [@jmbesnard](https://www.linkedin.com/pulse/graph-theory-assess-active-directory-smartest-vs-shortest-besnard-0qgle)).\n\nThis makes it possible to search for the easiest path to Domain Admin instead of the shortest one.\n\n~~~ cypher\nMATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '\u003e', 'cost') YIELD path RETURN path;\n~~~\n\n## NTDS Import\n\nRun a DCSync from [impacket-secretsdump](https://github.com/fortra/impacket) through [Hashcat](https://github.com/hashcat/hashcat) with multiple wordlists and rulesets.\nLM hashes and pre-created computer accounts are automatically cracked unless `--no-lm-brute` or `--no-pre2k`, respectively, is specified.\n\n~~~ bash\nimpacket-secretsdump 
-just-dc -outputfile corp.local -k -no-pass dc01.corp.local\nbloodhoundcli generate-wordlist \u003e ./custom-words.txt  # made of usernames, descriptions, etc.\nbloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds\n~~~\n\nImport the DCSync output and Hashcat potfile into BloodHound (inspired by [@knavesec](https://github.com/knavesec/max) and [@syss-research](https://github.com/syss-research/hashcathelper)).\nThis adds `Credential` objects with `nthash`, `lmhash` and `password` properties and `HasCredential` as well as `AssignedTo` edges between users and credentials.\n\n~~~ bash\nbloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds\n~~~\n\n\u003e **Note:**\n\u003e BloodHoundCli assumes that the name of the NTDS file minus the `.ntds` suffix is the FQDN of the domain.\n\u003e This means a DCSync from `dc01.subdomain.corp.local` must be named `subdomain.corp.local.ntds`.\n\n## ADIDNS Import\n\nImport [adidnsdump](https://github.com/dirkjanm/adidnsdump) into BloodHound to add an `ipaddress` attribute to computers.\nFor hosts that appear in ADIDNS but don't exist in BloodHound, standalone computer objects are created.\n\n~~~ bash\nbloodhoundcli import-adidns corp.local ./records.csv\n~~~\n\n## NetExec Integration\n\nImport nodes for standalone computers and local users by leveraging the SQLite database of [NetExec](https://github.com/pennyw0rth/netexec).\nThis includes `nthash` properties from SAM dumps and `AdminTo` as well as `HasCredential` and `AssignedTo` edges e.g. 
to identify local admin password reuse.\n\n~~~ bash\nbloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db\n~~~\n\n## Manual Session Collection\n\nAdd historical session data as well as inferred RDP and local admin edges (original idea from [@rantasec](https://medium.com/@rantasec/bloodhound-for-blue-teams-windows-event-id-4624-a259c76ee09e)).\nFirst export recent logons from Windows Event Logs with [Get-RecentLogons.ps1](./Get-RecentLogons.ps1), then transfer the JSON output to your computer and finally import it into Neo4j.\n\n~~~ bash\nbloodhoundcli import-winevents ./logons.json\n~~~\n\n## ServiceDetector Integration\n\nImport SMB Signing, WebClient and EFS info from [ServiceDetector](https://github.com/dadevel/servicedetector).\n\n~~~ bash\nbloodhoundcli query 'MATCH (c:Computer {active: true}) RETURN c.name' \u003e ./computers.txt\nservicedetector -c coercion -d corp.local -u jdoe -p 'passw0rd' $(\u003c ./computers.txt) | tee -a ./servicedetector.json\njq -r 'select(.category==\"coercion\" and .product==\"WebClient\" and .state==\"running\")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.webclient=true RETURN c.name'\njq -r 'select(.category==\"coercion\" and .product==\"EFS\" and .state==\"running\")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.efs=true RETURN c.name'\njq -r 'select(.category==\"smb\" and .signing==false)|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.smbsigning=false RETURN c.name'\n~~~\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fbloodhoundcli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadevel%2Fbloodhoundcli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fbloodhoundcli/lists"}