SySS-Research/ldif2bloodhound

ldif2bloodhound

Convert an LDIF file to JSON files ingestible by BloodHound.

Retrieve the LDIF file with ldapsearch like this:

$ for base in "" "CN=Schema,CN=Configuration," ; do \
    LDAPTLS_REQCERT=never ldapsearch \
    -H ldap://<DC> \
    -D <USERNAME>@corp.local \
    -w <PASSWORD> \
    -b "${base}DC=corp,DC=local" \
    -x \
    -o ldif-wrap=no \
    -E pr=1000/noprompt \
    -E '!1.2.840.113556.1.4.801=::MAMCAQc=' \
    -LLL \
    -ZZ \
    '(objectClass=*)' \
    ; done >> output_$(date +%s).ldif

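If StartTLS does not work, remove the -ZZ flag and replace ldap:// with ldaps://. Or leave it at ldap:// if you like to live dangerously: with the simple bind selected by -x, the password then crosses the network unencrypted. Note that LDAPTLS_REQCERT=never disables validation of the server certificate in either TLS mode.

The second -E argument is needed so that ACLs are also dumped. It sends the LDAP_SERVER_SD_FLAGS_OID control (1.2.840.113556.1.4.801) with the value 7, which requests the owner, group and DACL parts of nTSecurityDescriptor but not the SACL.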
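To confirm before converting that the dump really contains ACLs, a check along the following lines can be run over the LDIF. This is an added example, not part of ldif2bloodhound; the function names parse_ldif, dacl_present and check_dump are hypothetical and the sample entries are constructed. It also unfolds wrapped lines in case -o ldif-wrap=no was left out.

```python
import base64
import struct

SE_DACL_PRESENT = 0x0004  # Control bit: the descriptor carries a DACL

def parse_ldif(text):
    """Yield one {attribute_lowercase: [bytes, ...]} dict per LDIF entry."""
    # Unfold continuation lines (a newline followed by one space), which
    # appear when the dump was taken without "-o ldif-wrap=no".
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):   # "attr:: <base64>" carries binary data
                value = base64.b64decode(rest[1:].strip())
            else:                      # "attr: <text>"
                value = rest.strip().encode()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def dacl_present(sd):
    """True if a self-relative security descriptor contains a DACL."""
    if len(sd) < 20:
        return False
    # Header: Revision, Sbz1, Control, then offsets of Owner, Group, SACL, DACL.
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    return bool(control & SE_DACL_PRESENT) and 0 < dacl_off < len(sd)

def check_dump(text):
    """Count entries and list the DNs that came back without a DACL."""
    entries = list(parse_ldif(text))
    missing = [e["dn"][0].decode(errors="replace") for e in entries
               if not any(map(dacl_present, e.get("ntsecuritydescriptor", [])))]
    return {"entries": len(entries), "missing_dacl": missing}

# Constructed sample: a 20-byte header plus an empty ACL, folded on purpose.
_sd = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + struct.pack("<BBHHH", 2, 0, 8, 0, 0)
_b64 = base64.b64encode(_sd).decode()
SAMPLE = (
    "dn: CN=alice,DC=corp,DC=local\n"
    f"nTSecurityDescriptor:: {_b64[:20]}\n {_b64[20:]}\n"
    "\n"
    "dn: CN=bob,DC=corp,DC=local\n"
    "objectClass: user\n"
)

if __name__ == "__main__":
    print(check_dump(SAMPLE))
```

If missing_dacl lists every entry, the SD flags control was most likely not sent or not honoured, and the converted data will lack ACL edges.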

Then, the conversion works as follows:

$ ldif2bloodhound output_*.ldif

For more options, run ldif2bloodhound --help.

The obvious limitation is that you won't get information about sessions or local group memberships, just like with ADExplorerSnapshot.py. Parsing LDIF data is roughly equivalent to running SharpHound with -c DCOnly (perhaps even less). BloodHound.py is a better choice to collect this data in most scenarios.

Installation

Install with this command:

$ pip install git+https://github.com/SySS-Research/ldif2bloodhound

Copyright and License

SySS GmbH, Adrian Vollmer. MIT Licensed.
