bloodhound-cli

bloodhound-cli is a Python command-line tool designed to query and manage data from a BloodHound legacy database running on Neo4j. It enables you to enumerate ACLs, computers, and users (including filtering by attributes like password not required or password never expires) in an Active Directory environment ingested by BloodHound.

Note that this tool only work for legacy version of bloodhound and not for the Community Edition (CE). If you're looking for SpecterOps' version of bloodhound-cli, which helps users install BloodHound Community Edition, you're in the wrong place. Please head over to: https://github.com/specterOps/bloodHound-cli. Thanks!

Key Features

1. Configuration Management

   • Save your Neo4j connection details (host, port, user, and password) to a local configuration file (~/.bloodhound_config) using the set subcommand.
   • The configuration file is stored with restricted permissions (chmod 600) to protect your sensitive credentials.

2. ACL Queries (acl subcommand)

   • Enumerate ACLs related to a single user by specifying -u/--user.
   • Enumerate cross-domain ACLs for a domain by specifying -d/--domain.
   • Optionally exclude multiple domains with -bd/--blacklist-domains.

3. Computer Queries (computer subcommand)

   • Enumerate computers within a specified domain (-d).
   • Optionally save results to a file (-o).
   • Filter by LAPS status (--laps True/False).

4. User Queries (user subcommand)

   • Enumerate users within a specified domain (-d).
   • Optionally save results to a file (-o).
   • Use mutually exclusive filters to target specific user attributes:
     • --admin-count: Show only privileged (admin) users.
     • --high-value: Show only high-value users.
     • --password-not-required: Show only users with passwordnotreqd enabled.
     • --password-never-expires: Show only users with pwdneverexpires enabled.

5. Secure Credential Storage

   • The set subcommand saves your Neo4j credentials in a local file (~/.bloodhound_config) which is excluded from source control and has strict file permissions.

Installation

It is recommended to install bloodhound-cli using pipx to ensure it runs in an isolated environment. You can install it from PyPI:

pipx install bloodhound-cli

Alternatively, you can use pip:

pip install bloodhound-cli

Usage

1. Set Neo4j Configuration
   Before using any other subcommand, run:

   bloodhound-cli set --host <neo4j_host> --port <neo4j_port> --db-user <neo4j_user> --db-password <neo4j_password>

   This will create/update a configuration file at ~/.bloodhound_config.

2. Enumerate ACLs

   • For a single user:

     bloodhound-cli acl --user myuser

   • For cross-domain:

     bloodhound-cli acl --domain mydomain.local

   • Exclude multiple domains:

     bloodhound-cli acl --domain mydomain.local -bd EXCLUDED1 EXCLUDED2

3. Enumerate Computers

   • All computers in a domain:

     bloodhound-cli computer --domain mydomain.local

   • Filter by LAPS and save results:

     bloodhound-cli computer --domain mydomain.local --laps True -o computers_with_laps.txt

4. Enumerate Users

   • List all users in a domain:

     bloodhound-cli user --domain mydomain.local

   • List privileged (admin) users:

     bloodhound-cli user --domain mydomain.local --admin-count

   • List high-value users:

     bloodhound-cli user --domain mydomain.local --high-value

   • List users with password not required:

     bloodhound-cli user --domain mydomain.local --password-not-required

   • List users with password never expires:

     bloodhound-cli user --domain mydomain.local --password-never-expires

   • Save user query results:

     bloodhound-cli user --domain mydomain.local --admin-count -o admin_users.txt

License

This project is licensed under the MIT License.