BloodHound, Downloads, Hacking Tools, Kali Linux, Linux, Max, Neo4J, PowerShell, Windows

Max – Maximizing BloodHound

Maximizing BloodHound.


New Release:

  • dpat – The BloodHound Domain Password Audit Tool (DPAT)

A simple suite of tools:

  • get-info – Pull lists of information from the Neo4j database
  • mark-owned – Mark a list of objects as Owned
  • mark-hvt – Mark a list of objects as High Value Targets
  • query – Run a raw Cypher query and return output
  • export – Export all outbound controlling privileges of a domain object to a CSV file
  • del-edge – Delete an edge from the database
  • add-spns – Create HasSPNConfigured relationships, new attack primitive
  • add-spw – Create SharesPasswordWith relationships
  • dpat – The BloodHound Domain Password Audit Tool (DPAT)
  • pet-max – Dogsay, happiness for stressful engagements

This was released with screenshots & use-cases on the following blogs: Max Release, Updates & Primitives & DPAT

A new potential attack primitive was added to this tool during my research, see the add-spns section for full details.



Ideally there shouldn’t be much to install, but I’ve included a requirements.txt file just in case. Tested on Kali Linux & Windows 10, all functionality should work for both linux and Windows operating systems.

pip3 install -r requirements.txt

Neo4j Creds

Neo4j credentials can be hardcoded at the beginning of the script OR they can be provided as CLI. If both areas are left blank, you will be prompted for the uname/password.

python3 -u neo4j -p neo4j {module} {args}
python3 {module} {args}
Neo4j Username: neo4j
Neo4j Password:

Quick Use

Getting help in general, and module specific

python3 -h
python3 {module} -h

Importing owned objects into BH

python3 mark-owned -f owned.txt
python3 mark-owned -f owned.txt --add-note "Owned by repeated local admin"

Get list of users

python3 get-info --users
python3 get-info --users --enabled

[email protected]
[email protected]

Get list of objects in a target group

python3 get-info --group-members "domain [email protected]"

Get a list of computers that a user has administrative rights to

python3 get-info --adminto [email protected]

Get a list of owned objects with the notes for each

python3 get-info --owned --get-note

Running a query – return a list of all users with a path to DA

python3 query -q "MATCH (n:User),(m:Group {name:'DOMAIN [email protected]'}) MATCH (n)-[*1..]->(m) RETURN DISTINCT("

Delete an edge from the database

python3 del-edge CanRDP

Add HasSPNConfigured relationship using the information stored within BloodHound, or with a GetUserSPNs impacket file

python3 add-spns -b
python3 add-spns -i getuserspns-raw-output.txt


python3 dpat -n ~/client/ntds.dit -p ~/.hashcat/hashcat.potfile -o ouputdir --html --sanitize

Pet max

python3 pet-max

Object Files & Specification

Objects in file, must contain FQDN within, capitalization does not matter. This also applies to whenever a CLI username/computer name is supplied.

[email protected] <- will be added / correct CLI input
[email protected] <- will be added / correct CLI input
computer01.domain.local <- will be added / correct CLI input
ComPutEr01.doMAIn.LOcaL <- will be added / correct CLI input
user02 <- will not be added / incorrect CLI input
computer02 <- will not be added / incorrect CLI input

Further work

I hope to include an analyze function to provide some sort functionality similar to PlumHound/Cypheroth. Lastly, thinking about creating a Powershell version for those running Neo4j on Windows, but I’m trash at Powershell so TBD.

Any other features and improvements welcome, find me @knavesec in the BloodHoundGang Slack channel and on Twitter


I’d like to especially thank those who have contributed their time to developing & improving this tool:

Source : KitPloit – PenTest Tools!

Previous ArticleNext Article
Send this to a friend