bloodhound

package
Published: Jan 9, 2026 License: MIT Imports: 37 Imported by: 0

Documentation

Overview

Package bloodhound provides BloodHound data processing and collection capabilities. It handles conversion of LDAP data to BloodHound format and remote data collection from Active Directory environments.

Index

Constants

const CURRENT_BH_VER = 5

CURRENT_BH_VER is the BloodHound JSON schema version this tool generates.

const TotalConversionSteps = 11

TotalConversionSteps is the number of progress steps reported by PerformConversion, which transforms LDAP data to BloodHound JSON format with progress tracking.

const TotalRemoteSteps = 4

Variables

This section is empty.

Functions

This section is empty.

Types

type BH

type BH struct {
	// FilesMap maps logical file keys to the physical filenames of the LDAP ingestion data.
	FilesMap                     BHFilesMap
	// Timestamp is carried as a plain string; its format is not visible in this listing.
	Timestamp                    string
	// LdapFolder is the directory holding the LDAP ingestion data that GetPaths resolves against.
	LdapFolder                   string
	// OutputFolder is where the generated BloodHound JSON files are written.
	OutputFolder                 string
	// ActiveFolder is set by Init; its role relative to LdapFolder/OutputFolder is not shown here.
	ActiveFolder                 string
	// Log is a send-only channel for log messages emitted during conversion and collection.
	Log                          chan<- core.LogMessage
	// RuntimeOptions holds the run-time configuration supplied to Init.
	RuntimeOptions               *config.RuntimeOptions
	// Resolver is the DNS resolver used for lookups (may be a custom resolver passed to Init).
	Resolver                     *net.Resolver
	// RemoteWorkers and DNSWorkers size the respective worker pools; presumably the
	// degree of concurrency for remote collection and DNS resolution.
	RemoteWorkers                int
	DNSWorkers                   int
	// RemoteTimeout bounds remote collection operations (RPC/HTTP against targets).
	RemoteTimeout                time.Duration
	// RemoteWriteBuff is a buffer size for remote output; units are not visible here.
	RemoteWriteBuff              int
	// RemoteComputerCollection holds per-computer remote results; key semantics (likely
	// the computer SID) are not shown in this listing.
	// NOTE(review): plain maps are not safe for concurrent writes — if remote workers
	// populate these in parallel, access must be serialized elsewhere.
	RemoteComputerCollection     map[string]*RemoteCollectionResult
	// RemoteEnterpriseCACollection holds per-CA remote results, keyed the same way.
	RemoteEnterpriseCACollection map[string]*EnterpriseCARemoteCollectionResult
	// ConversionUpdates and RemoteCollectionUpdates are send-only progress channels.
	ConversionUpdates            chan<- core.ConversionUpdate
	RemoteCollectionUpdates      chan<- core.RemoteCollectionUpdate
	// contains filtered or unexported fields
}

BH orchestrates BloodHound data conversion and remote collection operations. It maintains state for ingestion paths, output locations, and runtime configuration.

func (*BH) GetCurrentWriter

func (bh *BH) GetCurrentWriter(kind string) (*BHFormatWriter, error)

GetCurrentWriter creates a new BloodHound format writer for the specified object kind. NOTE: not thread-safe — callers running concurrent workers must serialize calls to it.

func (*BH) GetPaths

func (bh *BH) GetPaths(fileKey string) ([]string, error)

GetPaths retrieves the file paths for a given logical file key within the LDAP data folder.

func (*BH) Init

func (bh *BH) Init(ldapFolder string, activeFolder string, outputFolder string, customResolver *net.Resolver, remoteWorkers int, dnsWorkers int, remoteTimeout time.Duration, runtimeOptions *config.RuntimeOptions, log chan<- core.LogMessage)

Init initializes the BloodHound processor with the supplied folders, DNS resolver, worker counts, remote timeout, runtime options and log channel.

func (*BH) IsAborted

func (bh *BH) IsAborted() bool

IsAborted reports whether an abort was requested.

func (*BH) LoadSchemaInfo

func (bh *BH) LoadSchemaInfo(step int)

LoadSchemaInfo loads schema information from the schema file, reporting progress as the given step.

func (*BH) PerformConversion

func (bh *BH) PerformConversion()

func (*BH) PerformRemoteCollection

func (bh *BH) PerformRemoteCollection(auth *config.CredentialMgr)

PerformRemoteCollection gathers data from computers and CAs using RPC and HTTP, authenticating with the supplied credentials. This generates authenticated network activity against every target host; run it only against environments you are authorized to assess.

func (*BH) ProcessConfiguration

func (bh *BH) ProcessConfiguration(step int)

ProcessConfiguration processes configuration entries for PKI objects, reporting progress as the given step.

func (*BH) ProcessDomain

func (bh *BH) ProcessDomain(step int)

ProcessDomain reads domain entries and creates a domain JSON file, reporting progress as the given step.

func (*BH) ProcessObjects

func (bh *BH) ProcessObjects(fileNames []string, kind string, step int) int

func (*BH) RequestAbort

func (bh *BH) RequestAbort() bool

RequestAbort sets the abort flag if it has not been set already.

func (*BH) ResetAbortFlag

func (bh *BH) ResetAbortFlag()

ResetAbortFlag clears any pending abort request.

type BHFilesMap

type BHFilesMap struct {
	// Files maps a logical file key (as passed to GetPaths) to the physical
	// filename of the LDAP ingestion data it refers to.
	Files map[string]string
}

BHFilesMap maps logical file keys to their physical filenames for LDAP ingestion data.

func NewBHFilesMap

func NewBHFilesMap() BHFilesMap

NewBHFilesMap creates a new file map with standard LDAP data file names.

func (*BHFilesMap) GetPaths

func (bp *BHFilesMap) GetPaths(ldapFolder string, fileKey string) ([]string, error)

type BHFormatWriter

type BHFormatWriter struct {
	// contains filtered or unexported fields
}

BHFormatWriter writes BloodHound JSON objects with streaming and buffering.

func NewBHFormatWriter

func NewBHFormatWriter(filename, typeName string, version int, bufferSize int) (*BHFormatWriter, error)

NewBHFormatWriter creates a buffered writer for BloodHound JSON output.

func (*BHFormatWriter) Add

func (w *BHFormatWriter) Add(obj any) error

func (*BHFormatWriter) Close

func (w *BHFormatWriter) Close() error

type CAEnrollmentProcessor

type CAEnrollmentProcessor struct {
	// contains filtered or unexported fields
}

CAEnrollmentProcessor scans CA web enrollment endpoints for NTLM authentication exposure (ESC8) and missing channel-binding enforcement.

func NewCAEnrollmentProcessor

func NewCAEnrollmentProcessor(caDnsHostname, caName string, auth *config.CredentialMgr, log chan<- string) *CAEnrollmentProcessor

NewCAEnrollmentProcessor creates an enrollment scanner for the given CA.

func (*CAEnrollmentProcessor) ScanCAEnrollmentEndpoints

func (p *CAEnrollmentProcessor) ScanCAEnrollmentEndpoints(ctx context.Context) ([]builder.CAEnrollmentEndpointAPIResult, error)

ScanCAEnrollmentEndpoints probes both the web enrollment and the enrollment web service endpoints for NTLM authentication exposure (ESC8) and channel binding weaknesses, and returns the findings for each endpoint. The context bounds the probes.

type CertAbuseProcessor

type CertAbuseProcessor struct {
	// contains filtered or unexported fields
}

CertAbuseProcessor collects and processes certificate authority security data, including enrollment permissions and related abuse vectors.

func NewCertAbuseProcessor

func NewCertAbuseProcessor(domain string, msrpcObj *msrpc.WinregRPC, auth *config.CredentialMgr) *CertAbuseProcessor

NewCertAbuseProcessor creates a processor for the specified domain.

func (*CertAbuseProcessor) GetCASecurity

func (cap *CertAbuseProcessor) GetCASecurity(caName string) builder.RegistryAPIResult

GetCASecurity retrieves the CA's Security registry value from the remote machine.

func (*CertAbuseProcessor) GetEnrollmentAgentRights

func (cap *CertAbuseProcessor) GetEnrollmentAgentRights(caName string) builder.RegistryAPIResult

GetEnrollmentAgentRights retrieves the CA's EnrollmentAgentRights registry value from the remote machine.

func (*CertAbuseProcessor) IsRoleSeparationEnabled

func (cap *CertAbuseProcessor) IsRoleSeparationEnabled(caName string) builder.BoolRegistryAPIResult

IsRoleSeparationEnabled reports whether role separation is enabled on the CA.

func (*CertAbuseProcessor) IsUserSpecifiesSanEnabled

func (cap *CertAbuseProcessor) IsUserSpecifiesSanEnabled(caName string) builder.BoolRegistryAPIResult

IsUserSpecifiesSanEnabled reports whether the CA lets a requesting user supply an arbitrary Subject Alternative Name in a certificate request (the misconfiguration behind ESC6).

func (*CertAbuseProcessor) ProcessEAPermissions

func (cap *CertAbuseProcessor) ProcessEAPermissions(
	ctx context.Context,
	caName string,
	computerName string,
	computerObjectId string,
	objectDomain string,
) builder.EnrollmentAgentRegistryAPIResult

ProcessEAPermissions retrieves enrollment agent restrictions from the named CA.

func (*CertAbuseProcessor) ProcessRegistryEnrollmentPermissions

func (cap *CertAbuseProcessor) ProcessRegistryEnrollmentPermissions(
	ctx context.Context,
	caName string,
	computerName string,
	computerObjectId string,
	objectDomain string,
) builder.AceRegistryAPIResult

ProcessRegistryEnrollmentPermissions retrieves CA security from the registry, including ownership and management rights ACEs.

type CollectionTarget

type CollectionTarget struct {
	// SID is the security identifier of the computer object.
	SID         string
	// DNSHostName is the computer's DNS host name.
	DNSHostName string
	// SamName is the computer's SAM account name.
	SamName     string
	// IPAddress is the address used to reach the target; presumably resolved via the
	// DNS worker pool — not visible in this listing.
	IPAddress   string
	// IsDC marks the target as a domain controller.
	IsDC        bool
	// Domain is the domain the computer belongs to.
	Domain      string
}

CollectionTarget identifies a computer for remote data collection.

type ConversionUpdate

type ConversionUpdate = core.ConversionUpdate

type EnterpriseCACollectionTarget

type EnterpriseCACollectionTarget struct {
	// GUID identifies the Enterprise CA object.
	GUID        string
	// DNSHostName is the host name of the machine hosting the CA.
	DNSHostName string
	// CAName is the CA's common name as used in registry and enrollment lookups.
	CAName      string
	// Domain is the domain the CA belongs to.
	Domain      string
	// IPAddress is the address used to reach the CA host.
	IPAddress   string
}

EnterpriseCACollectionTarget identifies a CA for remote data collection.

type EnterpriseCARemoteCollectionResult

type EnterpriseCARemoteCollectionResult struct {
	// CARegistryData holds the registry-derived CA settings gathered remotely.
	CARegistryData          builder.CARegistryData                  `json:"CARegistryData"`
	// HttpEnrollmentEndpoints holds the per-endpoint findings from the enrollment scan.
	HttpEnrollmentEndpoints []builder.CAEnrollmentEndpointAPIResult `json:"HttpEnrollmentEndpoints"`
	// HostingComputer identifies the computer hosting the CA.
	HostingComputer         string                                  `json:"HostingComputer"`
}

EnterpriseCARemoteCollectionResult holds data collected remotely from a CA.

type RemoteCollectionResult

type RemoteCollectionResult struct {
	// Each field is serialized under the JSON name given by its tag; the values are
	// filled by RemoteCollector and copied onto a computer via StoreInComputer.
	LocalGroups        []builder.LocalGroupAPIResult       `json:"LocalGroups"`
	Sessions           builder.SessionAPIResult            `json:"Sessions"`
	PrivilegedSessions builder.SessionAPIResult            `json:"PrivilegedSessions"`
	RegistrySessions   builder.SessionAPIResult            `json:"RegistrySessions"`
	DCRegistryData     builder.DCRegistryData              `json:"DCRegistryData"`
	NTLMRegistryData   builder.NTLMRegistryData            `json:"NTLMRegistryData"`
	UserRights         []builder.UserRightsAPIResult       `json:"UserRights"`
	IsWebClientRunning builder.IsWebClientRunningAPIResult `json:"IsWebClientRunning"`
	LdapServices       builder.LdapServicesResult          `json:"LdapServices"`
}

RemoteCollectionResult holds all data collected remotely from a computer.

func (*RemoteCollectionResult) StoreInComputer

func (rcr *RemoteCollectionResult) StoreInComputer(computer *builder.Computer)

type RemoteCollectionUpdate

type RemoteCollectionUpdate = core.RemoteCollectionUpdate

type RemoteCollector

type RemoteCollector struct {
	// RuntimeOptions controls how collection runs; supplied via NewRemoteCollector.
	RuntimeOptions *config.RuntimeOptions
	// contains filtered or unexported fields
}

RemoteCollector executes remote data collection from AD computers and CAs.

func NewRemoteCollector

func NewRemoteCollector(authenticator *config.CredentialMgr, runtimeOptions *config.RuntimeOptions) *RemoteCollector

NewRemoteCollector creates a collector with the given credentials and options.

func (*RemoteCollector) CollectRemoteComputer

func (rc *RemoteCollector) CollectRemoteComputer(ctx context.Context, target CollectionTarget) RemoteCollectionResult

func (*RemoteCollector) CollectRemoteEnterpriseCA

func (*RemoteCollector) ProcessLocalGroupMembers

func (rc *RemoteCollector) ProcessLocalGroupMembers(ctx context.Context, localMembers []string, machineSid string, machineHost string, isDC bool, domain string) ([]builder.TypedPrincipal, []builder.NamedPrincipal)


Directories

Path Synopsis
Package builder constructs BloodHound-compatible objects from LDAP entries.
