What is BloodHound-python?
BloodHound-python is a Python-based ingestor for BloodHound. It’s designed to run on Linux systems, perfect for red teamers or pentesters working from Kali or similar.
Unlike SharpHound (which is written in C# and runs on Windows), BloodHound-python can be used remotely without needing to drop binaries on the target — great for stealth.
GitHub: https://github.com/fox-it/BloodHound-python
Requirements
- Access to a Windows domain (via valid credentials)
- Installed on your attacker machine (Kali, Parrot, etc.)
- Python 3.6+
- Install via pip:
pip install bloodhound
To clone and run it manually (recommended):
git clone https://github.com/fox-it/BloodHound-python
cd BloodHound-python
pip install -r requirements.txt
Basic Usage Syntax
python3 bloodhound-python.py -u USERNAME -p PASSWORD -d DOMAIN -dc HOST/IP -c all
- -u: Username
- -p: Password
- -d: Domain name
- -dc: Domain Controller (hostname or IP)
- -c: Collection method (see below)
Collection Options
Use the -c flag with one or more of these options (comma-separated):
| Collection Method | Description |
|---|---|
| group_membership | Enum group memberships |
| local_admins | Get local admins on computers |
| session | Find logged-on users (sessions) |
| trusts | Enumerate domain trusts |
| acl | Gather ACLs |
| objectprops | Object properties (OU, SPNs, etc.) |
| dcom | Find DCOM permissions |
| psremote | Remote PowerShell rights |
| loggedon | Who’s logged in (via registry) |
| all | Run all modules |
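Seen from the defending side, the host-touching methods in the table above (local admins, sessions, logged-on users) make one source open the same few named pipes over IPC$ on many machines in a short time. The following is an added example, not code from BloodHound-python or the original page: a sliding-window check over records shaped like Windows event 5145 (detailed file share auditing), where the simplified field names, the pipe-to-method mapping in the comment, the threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pipes opened over IPC$ by host-touching collection (assumed mapping:
# samr = local admins, srvsvc = sessions, wkssvc/winreg = logged-on users).
ENUM_PIPES = {"samr", "srvsvc", "wkssvc", "winreg"}

def find_sweeps(events, min_hosts=3, window=timedelta(minutes=5)):
    """Map each source IP to the hosts it swept: sources that opened an
    enumeration pipe on >= min_hosts distinct hosts inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"].upper().endswith("IPC$") and e["pipe"].lower() in ENUM_PIPES:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(set(flagged.get(src, [])) | hosts)
    return flagged

def ev(time, src, host, pipe, share=r"\\*\IPC$"):
    """Build one constructed record (simplified event 5145 fields)."""
    return {"time": time, "src": src, "host": host, "share": share, "pipe": pipe}

# Constructed sample events, not taken from a real environment.
SAMPLE = [
    ev("2024-05-01T10:00:01", "10.0.0.50", "WS01", "samr"),    # fast sweep
    ev("2024-05-01T10:00:02", "10.0.0.50", "WS01", "srvsvc"),
    ev("2024-05-01T10:00:04", "10.0.0.50", "WS02", "samr"),
    ev("2024-05-01T10:00:07", "10.0.0.50", "WS03", "winreg"),
    ev("2024-05-01T10:00:09", "10.0.0.50", "FS01", "wkssvc"),
    ev("2024-05-01T10:01:00", "10.0.0.20", "FS01", "srvsvc"),  # one host only
    ev("2024-05-01T10:02:00", "10.0.0.20", "FS01", "winreg"),
    ev("2024-05-01T08:00:00", "10.0.0.30", "WS01", "samr"),    # spread over hours
    ev("2024-05-01T11:00:00", "10.0.0.30", "WS02", "samr"),
    ev("2024-05-01T14:00:00", "10.0.0.30", "WS03", "samr"),
    ev("2024-05-01T10:00:05", "10.0.0.50", "FS01", "report.docx", share=r"\\*\Finance"),
]

if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE).items():
        print(f"possible AD enumeration sweep from {src}: {', '.join(hosts)}")
```

The threshold and window here are demo values; management servers and vulnerability scanners produce the same pattern legitimately and need to be baselined.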
Example: Full Collection
python3 bloodhound-python.py -u osiris -p '6969' -d offsec.local -dc 192.168.1.100 -c all
Kerberos Authentication (No Password)
If you have a valid TGT (e.g., with Rubeus or Impacket’s getTGT.py), you can authenticate without a password:
export KRB5CCNAME=/tmp/krb5cc_0
python3 bloodhound-python.py -u osiris -d offsec.local -dc 192.168.1.100 -c all --kerberos
Output
It dumps .json files into the current directory, just like SharpHound. You can now import these into the BloodHound GUI or Neo4j, either locally or via your Windows GUI setup.
Tips for Using with SOCKS Proxy
When pivoting (e.g., through a compromised host):
proxychains4 python3 bloodhound-python.py -u USER -p PASS -d DOMAIN -dc 10.10.10.1 -c all
Make sure your /etc/proxychains.conf is set to use your SOCKS proxy (like 127.0.0.1:1080 from Metasploit’s SOCKS4a server).
Troubleshooting
- If local_admins fails, try adding --disable-authtests
- If session fails due to registry, try loggedon instead
- If psremote or dcom don’t return results, ensure WinRM is enabled or DCOM is allowed
Why Use It?
- Works from Linux with no binaries dropped on target
- Perfect for stealthy AD enumeration in Red Team engagements
- Easy to automate and script into your workflows
