Information Gatheringbloodhoundadingestorimpacketkerberosntlmldap

BloodHound.py

Python-based ingestor for BloodHound using Impacket for Active Directory enumeration. Collects domain data like groups, sessions, trusts, and ACLs for BloodHound analysis.

Description

BloodHound.py is a Python 3 ingestor for BloodHound, leveraging Impacket to gather Active Directory intelligence from target domains. It supports collection of various data types including groups, local admins, sessions, trusts, and more, enabling visualization of AD attack paths in BloodHound.

Use cases include red team assessments and penetration testing of Windows environments, where understanding privilege relationships, session data, and object properties is critical. It serves as a lightweight alternative to SharpHound with Python compatibility on Kali Linux.

Limitations include incomplete support for some BloodHound features like GPO local groups and differences in session resolution compared to SharpHound. Kerberos authentication is partially implemented but usable from the updatedkerberos branch.

How It Works

Uses Impacket for SMB, LDAP, and Kerberos/NTLM authentication to query domain controllers, global catalogs, and DNS. Collects AD objects via LDAP queries for groups, sessions, trusts, ACLs; resolves sessions through RPC/DCOM/RDP; supports multiple collection methods with worker pooling. Defaults to Kerberos auth with NTLM fallback, using provided credentials, hashes, or tickets.

Installation

bash

sudo apt install bloodhound.py

Flags

-h, --helpshow this help message and exit

-c, --collectionmethod COLLECTIONMETHODWhich information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default (all previous), DCOnly (no computer connections), DCOM, RDP,PSRemote, LoggedOn, Container, ObjectProps, ACL, All (all except LoggedOn). You can specify more than one by separating them with a comma. (default: Default)

-d, --domain DOMAINTarget domain

-vVerbose output

-u, --username USERNAMEUsername. Format: username[@domain]; If the domain is unspecified, the current domain is used.

-p, --password PASSWORDPassword

-k, --kerberosUse kerberos ccache file

--hashes HASHESLM:NTLM hashes

-no-passdon't ask for password (useful for -k)

-ns, --nameserver NAMESERVERAlternative name server to use for queries

--dns-tcpUse TCP instead of UDP for DNS queries

--dns-timeout DNS_TIMEOUTDNS query timeout in seconds (default: 3)

-dc, --domain-controller HOSTOverride which DC to query (hostname)

-gc, --global-catalog HOSTGlobal catalog server

Examples

Display the full help message and usage information

bloodhound-python -h

Collect default data (Group, LocalAdmin, Session, Trusts) using username/password auth against specified domain

bloodhound-python -u username -p password -d domain.com -c Default

Collect all supported data types except LoggedOn using specified credentials

bloodhound-python -u username[@domain] -p password -c All

Use Kerberos tickets from ccache to collect Group and Session data

bloodhound-python -k -c Group,Session

Use LM:NTLM hashes for authentication to collect Trusts and ACL data

bloodhound-python --hashes lmhash:nthash -d domain.com -c Trusts,ACL

Target specific domain controller and nameserver for collection

bloodhound-python -u user -p pass -dc dc01.domain.com -ns 10.0.0.10

Collect DCOnly data using TCP DNS queries

bloodhound-python -u user -p pass -c DCOnly --dns-tcp

Updated 2026-04-16kali.org ↗