{"id":31552098,"url":"https://github.com/mordavid/networkhound","last_synced_at":"2025-10-10T17:01:28.106Z","repository":{"id":317967291,"uuid":"1069537367","full_name":"MorDavid/NetworkHound","owner":"MorDavid","description":"Advanced Active Directory network topology analyzer with SMB validation, multiple authentication methods (password/NTLM/Kerberos), and comprehensive network discovery. Export results as BloodHound‑compatible OpenGraph JSON.","archived":false,"fork":false,"pushed_at":"2025-10-04T06:09:23.000Z","size":531,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-04T08:23:22.350Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MorDavid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"mordavid","patreon":"mordavid","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":"mordavid","thanks_dev":null,"custom":null}},"created_at":"2025-10-04T05:55:25.000Z","updated_at":"2025-10-04T08:22:54.000Z","dependencies_parsed_at":"2025-10-04T08:23:29.664Z","dependency_job_id":"6b2203ba-14bc-4526-b7d1-84df03495841","html_url":"https://github.com/MorDavid/NetworkHound","commit_stats":null,"previous_names":["mordavid/networkhound"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/MorDavid/NetworkHound","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorDavid%2FNetworkHound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorDavid%2FNetworkHound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorDavid%2FNetworkHound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorDavid%2FNetworkHound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MorDavid","download_url":"https://codeload.github.com/MorDavid/NetworkHound/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorDavid%2FNetworkHound/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278734446,"owners_count":26036411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-04T19:23:44.083Z","updated_at":"2025-10-09T16:01:30.488Z","avatar_url":"https://github.com/MorDavid.png","language":"Python","funding_links":["https://github.com/sponsors/mordavid","https://patreon.com/mordavid","https://buymeacoffee.com/mordavid"],"categories":[],"sub_categories":[],"readme":"# 🐾 NetworkHound - Active Directory Network Topology Analyzer\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"logo.png\" alt=\"NetworkHound Logo\" width=\"260\"/\u003e\n\n![Version](https://img.shields.io/badge/NetworkHound-v1.2.1-green?style=for-the-badge)\n![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge\u0026logo=python\u0026logoColor=white)\n![Impacket](https://img.shields.io/badge/Powered_by-Impacket-red?style=for-the-badge)\n\nAdvanced Active Directory network topology analyzer with SMB validation, multiple authentication methods (password/NTLM/Kerberos), and comprehensive network discovery. Export results as BloodHound‑compatible OpenGraph JSON.\n\n\u003c/div\u003e\n\n---\n\n## 🎯 Overview\n\nNetworkHound connects to Active Directory Domain Controllers, discovers computer objects, resolves hostnames to IP addresses using multiple DNS methods, performs comprehensive network scanning (port scanning, HTTP/HTTPS validation), and discovers shadow-IT devices. It then builds a detailed network topology graph in OpenGraph JSON format compatible with BloodHound.\n\n### What it gathers\n- **Active Directory Objects**: Computer objects with SIDs and hostnames\n- **Network Infrastructure**: Sites, Subnets, IP addresses, and network relationships\n- **Port Scanning**: Open ports on all discovered devices with service identification\n- **Web Services**: HTTP/HTTPS validation with SSL certificate analysis and website discovery\n- **SMB Services**: SMB connectivity validation, share enumeration, and server information\n- **Shadow-IT Discovery**: Non-domain devices found through subnet scanning\n- **Network Topology**: Complete network relationships and device locations\n\n---\n\n## 🧩 Installation\n\nRequirements: Python 3.8+\n\nInstall dependencies:\n\n```bash\npip3 install -r requirements.txt\n```\n\n**Note**: NetworkHound uses `impacket` for all Active Directory authentication (password, NTLM hash, Kerberos tickets).\n\n---\n\n## 🛠️ Usage\n\n### Step 1: Upload the model to BloodHound\n\nThe `model.json` file defines icons/styles for all custom kinds. Upload it to BloodHound via API using `update_custom_nodes_to_bloodhound.py`.\n\nAuthenticate and upload:\n\n```bash\npython update_custom_nodes_to_bloodhound.py -s https://bloodhound.example.com -u admin@domain.com -p \"Password!\" -m model.json\n```\n\n### Step 2: Usage\n\nBasic scan with AD authentication:\n```bash\npython NetworkHound.py --dc 192.168.0.11 -d company.local -u admin -p password\n```\n\nFull network analysis with port scanning, HTTP and SMB validation:\n```bash\npython NetworkHound.py --dc 192.168.0.11 -d company.local -u admin -p password --shadow-it --port-scan --valid-http --ssl --valid-smb --scan-threads 50 -Pn\n```\n\nUsing NTLM hash authentication:\n```bash\npython NetworkHound.py --dc 192.168.0.11 -d company.local -u admin --hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 \n```\n\nUsing Kerberos ticket authentication:\n```bash\npython NetworkHound.py --dc dc.company.local -d company.local -u admin --kerberos\n```\n\nDNS over TCP (for proxy/firewall bypass):\n```bash\npython NetworkHound.py --dc dc.company.local -d company.local -u admin -p password --dns 8.8.8.8 --dns-tcp --verbose\n```\n\nVia proxychains with DNS over TCP:\n```bash\nproxychains python NetworkHound.py --dc dc.company.local -d company.local -u admin -p password --dns-tcp --port-scan\n```\n\n\u003e **⚠️ Proxychains Note**: When using proxychains, always use `--dns-tcp` flag. This prevents multicast IP issues (224.*) that occur with UDP DNS through SOCKS proxies. See `BUGFIX_PROXYCHAINS_DNS.md` for details.\n\n### CLI Arguments\n\n**Required Arguments:**\n- `--dc`: Domain Controller hostname or IP address\n- `-d/--domain`: Domain name (e.g., company.local)\n- `-u/--user`: Username for authentication\n\n**Authentication (choose one):**\n- `-p/--password`: Password authentication\n- `--hashes`: NTLM hash authentication (LM:NT or just NT)\n- `-k/--kerberos`: Kerberos ticket file (requires KRB5CCNAME pointing to a ccache file)\n\n**Network Scanning:**\n- `--port-scan`: Enable TCP port scanning\n- `--ports`: Comma-separated ports to scan (default: common ports)\n- `--scan-timeout`: Port scan timeout in seconds (default: 3)\n- `--scan-threads`: Number of concurrent threads (default: 10)\n- `-Pn`: Only port scan hosts that respond to ping\n\n**Service Validation:**\n- `--valid-smb`: Test SMB connectivity and enumerate shares on SMB ports\n- `--valid-http`: Test HTTP/HTTPS connectivity on open ports\n- `--ssl`: Extract detailed SSL certificate information (slower)\n\n**Additional Options:**\n- `--dns`: DNS server for queries (defaults to DC if not specified)\n- `--dns-tcp`: Use TCP for DNS queries instead of UDP (useful for proxy/firewall bypass)\n- `-o/--output`: Output JSON file (default: network_opengraph.json)\n- `--shadow-it`: Scan subnet ranges for shadow-IT devices\n- `-v/--verbose`: Enable verbose output with detailed resolution methods\n\n---\n\n## 🔍 Features\n\n### 🌐 Multi-Method DNS Resolution\n- **Socket Resolution**: Standard Python socket hostname resolution\n- **nslookup**: Command-line DNS queries with specific DNS server (supports TCP with --dns-tcp)\n- **dnspython**: Advanced DNS library with comprehensive record support (TCP/UDP)\n- **getaddrinfo**: System-level address resolution\n- **Hostname Fallback**: Short hostname resolution for AD environments\n- **DNS over TCP**: Optional TCP mode for firewall bypass and proxy compatibility (--dns-tcp flag)\n\n### 🔌 Advanced Port Scanning\n- **Threaded Scanning**: Concurrent port scanning with configurable thread pools\n- **Service Detection**: Automatic service identification for common ports\n- **Ping Filtering**: Optional - skip ping before port scanning (-Pn flag)\n- **Multiple IPs**: Support for computers with multiple IP addresses\n\n### 🌐 HTTP/HTTPS Validation\n- **Dual Protocol**: Test both HTTP and HTTPS on discovered ports\n- **SSL Analysis**: Detailed SSL certificate information extraction\n- **Website Discovery**: Automatic website title and content extraction\n- **Certificate Validation**: Self-signed vs CA-issued certificate detection\n\n### 📁 SMB Validation\n- **SMB Connectivity**: Test SMB connections on ports 139 and 445\n- **Share Enumeration**: List available SMB shares when permissions allow\n- **Server Information**: Extract server name, domain, OS, and SMB version\n- **Authentication Support**: Anonymous, password, and NTLM hash authentication\n- **Access Analysis**: Determine guest access vs authentication requirements\n\n### 👻 Shadow-IT Discovery\n- **Subnet Scanning**: Discover non-domain devices in AD-configured subnets\n- **Live Detection**: Ping sweep to identify responsive devices\n- **Integration**: Include shadow-IT devices in unified port scanning\n\n### 📊 Network Topology\n- **OpenGraph Format**: BloodHound-compatible JSON structure\n- **Hierarchical Structure**: Domain → Sites → Subnets → Computers/Devices\n- **Relationships**: Complete network relationships and device locations\n- **Website Nodes**: Separate nodes for discovered web services\n\n---\n\n## 🕸️ Graph Schema: Nodes/Edges\n\n### Nodes\n\n- **Domain** - Active Directory domain with SID\n- **Site** - AD Sites and Services sites\n- **Subnet** - Network subnets with CIDR notation and host counts\n- **Computer** - AD computer objects with IPs, open ports, SMB services, and system info\n- **Device** - Shadow-IT devices discovered through network scanning\n- **Website** - HTTP/HTTPS services with SSL certificate details\n- **FileShare** - SMB file shares with access information\n\n### Edges\n\n- **PartOfDomain** - `Site → Domain`\n- **PartOf** - `Subnet → Site`\n- **LocatedIn** - `Computer/Device → Subnet`\n- **ExposeInterface** - `Computer/Device → Website/FileShare`\n\n### Node Properties\n\n**Computer/Device Nodes:**\n- `ip_addresses[]`: All resolved IP addresses\n- `open_ports[]`: Discovered open ports\n- `is_shadow_it`: Boolean flag for shadow-IT devices\n\n**Website Nodes:**\n- `url`: Full website URL\n- `protocol`: HTTP or HTTPS\n- `status_code`: HTTP response code\n- `has_ssl`: SSL/TLS enabled\n- `is_self_signed`: Certificate validation status\n- `ssl_*`: Detailed SSL certificate properties (when -s flag used)\n\n**Subnet Nodes:**\n- `subnet`: CIDR notation\n- `network_address`: Network address\n- `broadcast_address`: Broadcast address\n- `host_count`: Number of hosts in subnet\n\n---\n\n## 📈 Output Example\n\n```\nNetworkHound - Active Directory Network Topology Analyzer\nAuthor: Mor David (www.mordavid.com) | License: Non-Commercial\n\n2025-09-19 01:26:07 - INFO - Starting NetworkHound\n2025-09-19 01:26:07 - INFO - 🔗 STEP 1: Connecting to Domain Controller\n2025-09-19 01:26:07 - INFO - 💻 STEP 2: Querying Active Directory Computer Objects\n2025-09-19 01:26:07 - INFO - 🔍 STEP 3: Resolving Computer Hostnames to IP Addresses\n2025-09-19 01:26:07 - INFO - 👻 STEP 4: Scanning for Shadow-IT Devices\n2025-09-19 01:26:07 - INFO - 🔍 STEP 5: Network Port Scanning\n2025-09-19 01:26:07 - INFO - 🌐 STEP 6: HTTP/HTTPS Validation\n2025-09-19 01:26:07 - INFO - 📁 STEP 6.5: SMB Validation\n2025-09-19 01:26:07 - INFO - 📊 STEP 7: Creating Network Topology Graph\n2025-09-19 01:26:58 - INFO - ✅ ANALYSIS COMPLETED SUCCESSFULLY!\n```\n\n## 👨‍💻 About the Author\n\n**Mor David** - Offensive Security Specialist \u0026 AI Security Researcher\n\nI specialize in offensive security with a focus on integrating Artificial Intelligence and Large Language Models (LLM) into penetration testing workflows. My expertise combines traditional red team techniques with cutting‑edge AI technologies to develop next‑generation security tools.\n\n### 🔗 Connect with Me\n- **X (Twitter)**: [x.com/m0rd4vid](https://x.com/m0rd4vid)\n- **LinkedIn**: [linkedin.com/in/mor-david-cyber](https://linkedin.com/in/mor-david-cyber)\n- **Website**: [www.mordavid.com](https://www.mordavid.com)\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**⭐ Found this useful? Star the repo!**\n\nMade with ❤️ by [Mor David](https://www.mordavid.com)\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmordavid%2Fnetworkhound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmordavid%2Fnetworkhound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmordavid%2Fnetworkhound/lists"}