
BloodHound CE Python Ingestor

Python-based ingestor for BloodHound Community Edition (CE) that collects Active Directory data. Built on Impacket and compatible only with BloodHound CE.

Description

bloodhound-ce-python is a Python tool designed to ingest data from Active Directory environments into BloodHound CE for analysis. It supports various collection methods to enumerate group memberships, local admins, sessions, trusts, and more, aiding in mapping attack paths in domain environments.

Use cases include red team engagements and security assessments where understanding AD relationships is crucial. The tool leverages Impacket for authentication and enumeration over SMB, LDAP, and other protocols, providing detailed data for BloodHound CE visualization.

It is specifically for BloodHound CE; legacy BloodHound versions require the separate bloodhound-python package. For issues, refer to the GitHub repository.

How It Works

The tool uses Impacket libraries to authenticate via Kerberos (default with fallback to NTLM) or other methods like hashes or tickets. It queries domain controllers for specified collection methods (e.g., Group, Session, Trusts) over LDAP, DNS, and RPC protocols. Data is gathered from DCs, optionally global catalogs, with configurable workers, pooling, and DNS options. Output is formatted for BloodHound CE import, excluding certain dynamic data like LoggedOn by default.

Installation

sudo apt install bloodhound-ce-python

Flags

-h, --help: show this help message and exit
-c, --collectionmethod COLLECTIONMETHOD: Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default (all previous), DCOnly (no computer connections), DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All (all except LoggedOn). You can specify more than one by separating them with a comma. (default: Default)
-d, --domain DOMAIN: Domain to target
-v: Verbose output
-u, --username USERNAME: Username. Format: username[@domain]; If the domain is unspecified, the current domain is used.
-p, --password PASSWORD: Password
-k, --kerberos: Use kerberos ccache file
--hashes HASHES: LM:NTLM hashes
-no-pass: don't ask for password (useful for -k)
--aesKey hex key: AES key for authentication
--auth-method {auto,ntlm,kerberos}: Specify authentication method
-ns, --nameserver NAMESERVER: Alternative name server to use for queries
--dns-tcp: Use TCP instead of UDP for DNS queries
--dns-timeout DNS_TIMEOUT: DNS query timeout in seconds (default: 3)
-dc, --domain-controller HOST: Override which DC to query (hostname)
-gc, --global-catalog HOST: Global catalog host
-w, --workers WORKERS: Number of workers
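
Added example (not part of bloodhound-ce-python or of the original page): a scoping helper that expands a -c value as described above and reports whether a run would connect to individual computers or stay on the domain controller, which is what an assessor or defender checks against the rules of engagement and host logging. The function names, the split between DC-only and computer-touching methods, and the DCOnly expansion are assumptions made for illustration.

```python
# Illustrative names; method lists follow the -c flag description on this page.
LDAP_ONLY = {"group", "trusts", "container", "objectprops", "acl"}
# Assumption: these methods require connecting to individual computers.
HOST_TOUCHING = {"localadmin", "session", "dcom", "rdp", "psremote", "loggedon"}

ALIASES = {
    "default": {"group", "localadmin", "session", "trusts"},
    # "All" is everything except LoggedOn, per the flag description.
    "all": (LDAP_ONLY | HOST_TOUCHING) - {"loggedon"},
    # Assumption: DCOnly expands to the methods that never touch computers.
    "dconly": set(LDAP_ONLY),
}


def resolve_methods(spec: str) -> set[str]:
    """Expand a comma-separated -c value into concrete collection methods."""
    resolved: set[str] = set()
    for raw in spec.split(","):
        name = raw.strip().lower()
        if not name:
            continue
        if name in ALIASES:
            resolved |= ALIASES[name]
        elif name in LDAP_ONLY or name in HOST_TOUCHING:
            resolved.add(name)
        else:
            raise ValueError(f"unsupported collection method: {raw.strip()!r}")
    if not resolved:
        raise ValueError("no collection method given")
    return resolved


def scope_report(spec: str) -> dict:
    """Summarise what a -c value means for engagement scope and host logging."""
    methods = resolve_methods(spec)
    hosts = methods & HOST_TOUCHING
    return {
        "methods": sorted(methods),
        "touches_computers": sorted(hosts),
        "dc_only": not hosts,
    }


if __name__ == "__main__":
    for spec in ("Default", "DCOnly", "All", "Group,Session", "DCOnly,LoggedOn"):
        print(spec, "->", scope_report(spec))
```
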

Examples

Display the help message and usage information:
bloodhound-ce-python -h

Collect default data (Group, LocalAdmin, Session, Trusts) from specified domain using username and password:
bloodhound-ce-python -u username -p password -c Default -d domain.com

Use Kerberos tickets to collect all data except LoggedOn from the domain:
bloodhound-ce-python -k -c All -d domain.com

Collect Group and Session data using LM:NTLM hashes:
bloodhound-ce-python --hashes lmhash:nthash -c Group,Session -d domain.com

Target specific DC and nameserver with username and password:
bloodhound-ce-python -u user@domain.com -p pass -dc dc01.domain.com -ns 10.0.0.1

Use Kerberos without password prompt to collect DCOM and RDP data:
bloodhound-ce-python -no-pass -k -c DCOM,RDP -d domain.com

Force NTLM auth and use specific global catalog:
bloodhound-ce-python --auth-method ntlm -u user -p pass -gc gc.domain.com

Updated 2026-04-16 | kali.org