ldif2bloodhound

Convert an LDIF file to JSON files ingestible by BloodHound.

The LDIF file should be retrieved like this with ldapsearch:

$ for base in "" "CN=Schema,CN=Configuration," ; do \
    LDAPTLS_REQCERT=never ldapsearch \
    -H ldap://<DC> \
    -D <USERNAME>@corp.local \
    -w <PASSWORD> \
    -b "${base}DC=corp,DC=local" \
    -x \
    -o ldif-wrap=no \
    -E pr=1000/noprompt \
    -E '!1.2.840.113556.1.4.801=::MAMCAQc=' \
    -LLL \
    -ZZ \
    '(objectClass=*)' \
    ; done >> output_$(date +%s).ldif

In case StartTLS does not work, remove the -ZZ flag and replace ldap:// with ldaps://. Or leave it at ldap:// if you like to live dangerously.

The second -E argument is needed so that ACLs are also dumped.

Then, the conversion works as follows:

$ ldif2bloodhound output_*.ldif

For more options, run ldif2bloodhound --help.

The obvious limitation is that you won't get information about sessions or local group memberships, just like with ADExplorerSnapshot.py. Parsing LDIF data is more equivalent to running SharpHound with -c DCOnly (perhaps even less). BloodHound.py is a better choice to collect this data in most scenarios.

This package is based on a fork of ADExplorerSnapshot.py.

Installation

Install with this command:

$ pip install git+https://github.com/SySS-Research/ldif2bloodhound

Copyright and License

SySS GmbH, Adrian Vollmer. MIT Licensed.