# BOFHound

by Fortalice ✪
BOFHound is an offline BloodHound ingestor and LDAP result parser compatible with TrustedSec's ldapsearch BOF and its Python adaptation, pyldapsearch.

By parsing the log files generated by those tools, BOFHound allows operators to use BloodHound's beloved interface while keeping full control over which LDAP queries are run and the speed at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.
Blog - Granularize Your AD Recon Game
## Installation

BOFHound can be installed with `pip3 install bofhound`, or by cloning this repository and running `pip3 install .`.
## Usage

```
Usage: bofhound [OPTIONS]

  Generate BloodHound compatible JSON from logs written by ldapsearch BOF and
  pyldapsearch

Options:
  -i, --input TEXT      Directory or file containing logs of ldapsearch
                        results  [default: /opt/cobaltstrike/logs]
  -o, --output TEXT     Location to export bloodhound files  [default: .]
  -a, --all-properties  Write all properties to BloodHound files (instead of
                        only common properties)
  --debug               Enable debug output
  -z, --zip             Compress the JSON output files into a zip archive
  --help                Show this message and exit.
```
Examples:

```
bofhound -o /data/
bofhound -i ~/.pyldapsearch/logs/ --all-properties
```
The following attributes are required for proper functionality:

- samaccounttype
- dn
- objectsid
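A pre-flight check that every object in a collected log carries the three required attributes before the log is handed to bofhound. This is an added example, not BOFHound's own code; it assumes the log is a sequence of `attribute: value` lines with objects separated by a line of dashes (adjust the patterns if your tool's output differs), and the sample log is constructed.

```python
import re
from typing import Dict, List

REQUIRED = ("samaccounttype", "dn", "objectsid")  # from the README above

# ASSUMED log layout: one "attribute: value" per line, objects separated by a
# line of dashes. Adjust these patterns if your tool's output differs.
SEPARATOR = re.compile(r"^-{5,}\s*$")
ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")

# Constructed sample log: two user objects, the second lacking objectSid.
SAMPLE_LOG = """\
--------------------
dn: CN=Alice,CN=Users,DC=windomain,DC=local
sAMAccountType: 805306368
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
--------------------
dn: CN=Bob,CN=Users,DC=windomain,DC=local
sAMAccountType: 805306368
--------------------
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Split log text into objects. Attribute names are lower-cased because
    LDAP attribute names are case-insensitive (objectSid == objectsid)."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    if current:
        objects.append(current)
    return objects

def missing_required(objects: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map object index -> required attributes it lacks (only incomplete objects)."""
    return {i: [a for a in REQUIRED if a not in obj]
            for i, obj in enumerate(objects)
            if any(a not in obj for a in REQUIRED)}

if __name__ == "__main__":
    for idx, missing in missing_required(parse_log(SAMPLE_LOG)).items():
        print(f"object {idx} is missing: {', '.join(missing)}")
```

Objects reported here would be dropped or mis-typed by the ingestor, so re-run the query with the missing attributes added before converting.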
Example ldapsearch BOF queries. The first collects every object; the second and third retrieve `name` and `schemaIDGUID` from the schema partition (the third only for the LAPS `ms-mcs-admpwd` attribute):

```
ldapsearch (objectclass=*)
ldapsearch (schemaIDGUID=*) name,schemaidguid -1 "" CN=Schema,CN=Configuration,DC=windomain,DC=local
ldapsearch (name=ms-mcs-admpwd) name,schemaidguid 1 "" CN=Schema,CN=Configuration,DC=windomain,DC=local
```
## Development

bofhound uses Poetry to manage dependencies. Install from source and set up for development with:

```
git clone https://github.com/fortalice/bofhound
cd bofhound
poetry install
poetry run bofhound --help
```