Metadata-Version: 2.1
Name: bofhound
Version: 0.1.0
Summary: Parse output from common sources and transform it into BloodHound-ingestible data
Home-page: https://github.com/fortalice/bofhound
Author: Adam Brown
Requires-Python: >=3.9,<4.0
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.9
Requires-Dist: Flask (==2.0.2)
Requires-Dist: Jinja2 (==3.0.3)
Requires-Dist: MarkupSafe (==2.0.1)
Requires-Dist: Werkzeug (==2.0.2)
Requires-Dist: bloodhound (==1.2.1)
Requires-Dist: cffi (==1.15.0)
Requires-Dist: chardet (==4.0.0)
Requires-Dist: click (==8.0.3)
Requires-Dist: cryptography (==36.0.1)
Requires-Dist: dnspython (==2.2.0)
Requires-Dist: future (==0.18.2)
Requires-Dist: impacket (==0.9.24)
Requires-Dist: itsdangerous (==2.0.1)
Requires-Dist: ldap3 (==2.9.1)
Requires-Dist: ldapdomaindump (==0.9.3)
Requires-Dist: pyOpenSSL (==22.0.0)
Requires-Dist: pyasn1 (==0.4.8)
Requires-Dist: pycparser (==2.21)
Requires-Dist: pycryptodomex (==3.14.0)
Requires-Dist: rich (==12.2.0)
Requires-Dist: six (==1.16.0)
Requires-Dist: typer (>=0.4.0,<0.5.0)
Project-URL: Repository, https://github.com/fortalice/bofhound
Description-Content-Type: text/markdown

```
 _____________________________ __    __    ______    __    __   __   __   _______
|   _   /  /  __   / |   ____/|  |  |  |  /  __  \  |  |  |  | |  \ |  | |       \
|  |_)  | |  |  |  | |  |__   |  |__|  | |  |  |  | |  |  |  | |   \|  | |  .--.  |
|   _  <  |  |  |  | |   __|  |   __   | |  |  |  | |  |  |  | |  . `  | |  |  |  |
|  |_)  | |  `--'  | |  |     |  |  |  | |  `--'  | |  `--'  | |  |\   | |  '--'  |
|______/   \______/  |__|     |__|  |___\_\________\_\________\|__| \___\|_________\

                              by Fortalice ✪
```

# BOFHound

BOFHound is an offline BloodHound ingestor and LDAP result parser compatible with TrustedSec's [ldapsearch BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF) and the Python adaptation, [pyldapsearch](https://github.com/fortalice/pyldapsearch).

By parsing log files generated by the aforementioned tools, BOFHound allows operators to utilize BloodHound's beloved interface while maintaining full control over the LDAP queries being run and the speed at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.

[Blog - Granularize Your AD Recon Game](https://www.fortalicesolutions.com/posts/bofhound-granularize-your-active-directory-reconnaissance-game)

# Installation
BOFHound can be installed with `pip3 install bofhound` or by cloning this repository and running `pip3 install .`.

# Usage
```
Usage: bofhound [OPTIONS]

  Generate BloodHound compatible JSON from logs written by ldapsearch BOF and
  pyldapsearch

Options:
  -i, --input TEXT      Directory or file containing logs of ldapsearch
                        results  [default: /opt/cobaltstrike/logs]
  -o, --output TEXT     Location to export bloodhound files  [default: .]
  -a, --all-properties  Write all properties to BloodHound files (instead of
                        only common properties)
  --debug               Enable debug output
  -z, --zip             Compress the JSON output files into a zip archive
  --help                Show this message and exit.
```

## Example Usage
### Parse ldapsearch BOF results from Cobalt Strike logs (`/opt/cobaltstrike/logs` by default) to /data/
```
bofhound -o /data/
```

### Parse pyldapsearch logs and write all LDAP properties (not only the common BloodHound ones)
```
bofhound -i ~/.pyldapsearch/logs/ --all-properties
```

# ldapsearch Query Examples

## Required Data
Every query whose results you intend to feed to BOFHound must return at least the following attributes; an object missing any of them cannot be placed in the graph:

```
samaccounttype
dn
objectsid
```
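As an added example (not BOFHound's own code), the following Python script applies that requirement to a hand-written log in the ldapsearch BOF style: it splits the log into entries, reports any entry missing `samaccounttype`, `dn` or `objectsid`, and classifies the usable entries by sAMAccountType the way BloodHound distinguishes users, groups and computers. The log layout (one `attribute: value` per line, entries separated by a dashed line) and the acceptance of `distinguishedName` in place of `dn` are assumptions about the tool output; the domain, names and SIDs are fictitious.

```python
"""Added example (not BOFHound's own code): parse ldapsearch-BOF-style log
output, check each entry for the attributes BOFHound requires, and sketch
the BloodHound object each usable entry would become."""
import re

# Constructed sample. The layout (one 'attribute: value' per line, entries
# separated by a dashed line) is an assumption about the ldapsearch BOF /
# pyldapsearch output; the domain, names and SIDs are fictitious.
SAMPLE_LOG = """\
--------------------
distinguishedName: CN=jdoe,CN=Users,DC=windomain,DC=local
sAMAccountName: jdoe
sAMAccountType: 805306368
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
--------------------
distinguishedName: CN=Domain Admins,CN=Users,DC=windomain,DC=local
sAMAccountName: Domain Admins
sAMAccountType: 268435456
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
--------------------
distinguishedName: CN=WS01,CN=Computers,DC=windomain,DC=local
sAMAccountName: WS01$
sAMAccountType: 805306369
--------------------
"""

# sAMAccountType constants (SAM_*_OBJECT / SAM_*_ACCOUNT) and the BloodHound
# node kind each maps to.
SAM_ACCOUNT_TYPES = {
    268435456: "Group",     # SAM_GROUP_OBJECT
    268435457: "Group",     # SAM_NON_SECURITY_GROUP_OBJECT
    536870912: "Group",     # SAM_ALIAS_OBJECT (domain-local group)
    805306368: "User",      # SAM_NORMAL_USER_ACCOUNT
    805306369: "Computer",  # SAM_MACHINE_ACCOUNT
}

# The three attributes the README lists as required.
REQUIRED_ATTRIBUTES = ("samaccounttype", "dn", "objectsid")

ENTRY_DELIMITER = re.compile(r"^-{10,}\s*$", re.MULTILINE)


def parse_log(text):
    """Split the log into entries, lower-casing attribute names so the
    required-attribute check is case-insensitive."""
    entries = []
    for chunk in ENTRY_DELIMITER.split(text):
        entry = {}
        for line in chunk.splitlines():
            if ": " not in line:
                continue
            key, value = line.split(": ", 1)
            key, value = key.strip().lower(), value.strip()
            # a repeated attribute (one value per line) is folded into one value
            entry[key] = f"{entry[key]}, {value}" if key in entry else value
        if entry:
            entries.append(entry)
    return entries


def missing_required(entry):
    """Required attributes this entry lacks. Assumption: the DN may be logged
    as 'dn' or as 'distinguishedName'; either satisfies the 'dn' requirement."""
    missing = []
    for attr in REQUIRED_ATTRIBUTES:
        if attr == "dn" and ("dn" in entry or "distinguishedname" in entry):
            continue
        if attr not in entry:
            missing.append(attr)
    return missing


def classify(entry):
    """Map sAMAccountType to a BloodHound node kind ('Unknown' if unmapped)."""
    try:
        return SAM_ACCOUNT_TYPES.get(int(entry["samaccounttype"]), "Unknown")
    except (KeyError, ValueError):
        return "Unknown"


def to_bloodhound_records(text):
    """Return (records, skipped): minimal BloodHound-style records for usable
    entries, and (dn, missing attributes) for entries that cannot be ingested."""
    records, skipped = [], []
    for index, entry in enumerate(parse_log(text)):
        dn = entry.get("dn") or entry.get("distinguishedname") or f"<entry {index}>"
        missing = missing_required(entry)
        if missing:
            skipped.append((dn, missing))
            continue
        records.append({
            "ObjectIdentifier": entry["objectsid"],   # BloodHound keys nodes by SID
            "Properties": {"distinguishedname": dn.upper(),
                           "samaccountname": entry.get("samaccountname")},
            "type": classify(entry),
        })
    return records, skipped
```

Running a check like this over a real log before invoking `bofhound` tells you which of your queries need `objectSid` or `sAMAccountType` added to their attribute list; in the sample, the `WS01` computer object is reported as unusable because its query omitted `objectSid`.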

## Get All the Data (Maybe Run BloodHound Instead?)
```
ldapsearch (objectclass=*)
```

## Retrieve All Schema Info
```
ldapsearch (schemaIDGUID=*) name,schemaidguid -1 "" CN=Schema,CN=Configuration,DC=windomain,DC=local
```

## Retrieve Only the ms-Mcs-AdmPwd schemaIDGUID
```
ldapsearch (name=ms-mcs-admpwd) name,schemaidguid 1 "" CN=Schema,CN=Configuration,DC=windomain,DC=local
```

# Development
BOFHound uses Poetry to manage dependencies. To install from source and set up a development environment:

```shell
git clone https://github.com/fortalice/bofhound
cd bofhound
poetry install
poetry run bofhound --help
```

