class BloodHound(object):
    """Drive one collection run against a single domain.

    Holds the domain context object ``ad`` and, once connect() has run, an
    ADDC object in ``self.pdc`` built from the first entry of ``ad.dcs()``.
    run() then calls the enabled steps (groups/memberships, computers,
    trusts) in a fixed order.
    """

    def __init__(self, ad):
        """Store the domain context; nothing else is created here.

        Args:
            ad: Domain context. The methods of this class use its dcs(),
                kdcs(), realm(), create_objectresolver(), baseDN and
                computers members.
        """
        self.ad = ad
        self.ldap = None
        # Stays None until connect() succeeds; run() dereferences it.
        self.pdc = None
        self.sessions = []

    def connect(self):
        """Pick the first known domain controller and wrap it in an ADDC.

        When ``ad.dcs()`` is empty an error is logged and sys.exit(1) is
        called. Otherwise the ADDC is stored in ``self.pdc`` and handed to
        ``ad.create_objectresolver()``.
        """
        if not len(self.ad.dcs()):
            logging.error(
                'Could not find a domain controller. Consider specifying a domain and/or DNS server.'
            )
            sys.exit(1)

        first_dc = self.ad.dcs()[0]
        logging.debug('Using LDAP server: %s', first_dc)
        logging.debug('Using base DN: %s', self.ad.baseDN)

        # Kerberos details are only logged when at least one KDC is known.
        if len(self.ad.kdcs()) >= 1:
            first_kdc = self.ad.kdcs()[0]
            logging.debug('Using kerberos KDC: %s', first_kdc)
            logging.debug('Using kerberos realm: %s', self.ad.realm())

        # Domain controller object used by every step in run().
        controller = ADDC(first_dc, self.ad)
        self.pdc = controller
        # The object resolver is created by the domain context from that DC.
        self.ad.create_objectresolver(controller)
        # self.pdc.ldap_connect(self.ad.auth.username, self.ad.auth.password, kdc)

    def run(self, skip_groups=False, skip_computers=False, skip_trusts=False, num_workers=10):
        """Run the enabled collection steps, then log 'Done'.

        connect() must have been called first, because every enabled step
        goes through ``self.pdc``.

        Args:
            skip_groups: When true, skip fetch_all() and the membership
                enumeration.
            skip_computers: When true, skip the computer enumeration.
            skip_trusts: When true, skip dump_trusts().
            num_workers: Passed through to
                ComputerEnumerator.enumerate_computers().
        """
        collect_groups = not skip_groups
        collect_computers = not skip_computers

        if collect_groups:
            self.pdc.fetch_all()
            MembershipEnumerator(self.ad, self.pdc).enumerate_memberships()
        elif collect_computers:
            # Groups are skipped, but the computer list is still required to
            # know which hosts to query.
            self.pdc.get_computers()
            # Domain data gives the NETBIOS -> FQDN mapping needed for local
            # admins.
            self.pdc.get_domains()
            self.pdc.get_forest_domains()

        if not skip_trusts:
            self.pdc.dump_trusts()

        if collect_computers:
            ComputerEnumerator(self.ad).enumerate_computers(
                self.ad.computers, num_workers=num_workers
            )

        logging.info('Done')
class BloodHound(object):
    """Drive one collection run against a single domain.

    Holds the domain context object ``ad`` and, once connect() has run, an
    ADDC object in ``self.dc`` built from the first entry of ``ad.dcs()``.
    run() then calls the enabled steps (groups, computers, trusts) in a
    fixed order.
    """

    def __init__(self, ad):
        """Store the domain context; nothing else is created here.

        Args:
            ad: Domain context. The methods of this class use its dcs(),
                kdcs(), realm(), enumerate_computers() and baseDN members.
        """
        self.ad = ad
        self.ldap = None
        # Stays None until connect() succeeds; run() dereferences it.
        self.dc = None
        self.sessions = []

    def connect(self):
        """Pick the first known domain controller and wrap it in an ADDC.

        When ``ad.dcs()`` is empty an error is logged and sys.exit(1) is
        called. Otherwise the ADDC is stored in ``self.dc``.
        """
        if not len(self.ad.dcs()):
            logging.error('I have no information about the domain')
            sys.exit(1)

        first_dc = self.ad.dcs()[0]
        logging.debug('Using LDAP server: %s' % first_dc)
        logging.debug('Using base DN: %s' % self.ad.baseDN)

        # Kerberos details are only logged when at least one KDC is known.
        if len(self.ad.kdcs()) >= 1:
            first_kdc = self.ad.kdcs()[0]
            logging.debug('Using kerberos KDC: %s' % first_kdc)
            logging.debug('Using kerberos realm: %s' % self.ad.realm())

        # Domain controller object used by every step in run().
        self.dc = ADDC(first_dc, self.ad)
        # self.dc.ldap_connect(self.ad.auth.username, self.ad.auth.password, kdc)

    def run(self, skip_groups=False, skip_computers=False, skip_trusts=False, num_workers=10):
        """Run the enabled collection steps, then log 'Done'.

        connect() must have been called first, because the group, computer
        list and trust steps go through ``self.dc``.

        Args:
            skip_groups: When true, skip fetch_all().
            skip_computers: When true, skip the computer enumeration.
            skip_trusts: When true, skip dump_trusts().
            num_workers: Passed through to ad.enumerate_computers().
        """
        collect_computers = not skip_computers

        if not skip_groups:
            self.dc.fetch_all()
        elif collect_computers:
            # Groups are skipped, but the computer list is still required to
            # know which hosts to query.
            self.dc.get_computers()
            # Domain data gives the NETBIOS -> FQDN mapping needed for local
            # admins.
            self.dc.get_domains()

        if not skip_trusts:
            self.dc.dump_trusts()

        if collect_computers:
            self.ad.enumerate_computers(num_workers=num_workers)

        logging.info('Done')