bloodhound

The bloodhound command collects Active Directory data in BloodHound-compatible format. It integrates with both BloodHound Community Edition (CE) and BloodHound Legacy, producing the JSON files that BloodHound uses to build its attack path graph.

Usage

r4t bloodhound <subcommand> [flags]

Subcommands

bloodhound collect

Collect BloodHound data from Active Directory.

# Collect all data from a specific DC (BloodHound CE by default)
r4t bloodhound collect dc01.corp.example.com

# Use BloodHound Legacy format
r4t bloodhound collect --legacy dc01.corp.example.com

# Collect only specific data types
r4t bloodhound collect -c "group,acl,trusts" dc01.corp.example.com

# Output to a specific directory
r4t bloodhound collect -o ./bh-output/ dc01.corp.example.com

# Zip the output
r4t bloodhound collect --zip -o ./bh-output/ dc01.corp.example.com

# Use more workers for faster collection
r4t bloodhound collect --workers 20 dc01.corp.example.com

# Exclude domain controllers from direct enumeration
r4t bloodhound collect --exclude-dcs dc01.corp.example.com

# Targeted collection from a specific computer file
r4t bloodhound collect --computerfile /tmp/computers.txt dc01.corp.example.com

Flags

| Flag | Short | Description |
|---|---|---|
| --legacy | | Use BloodHound Legacy format (instead of CE) |
| --collection-method | -c | Comma-separated collection methods (see below) |
| --workers | -w | Worker thread count (default: 10) |
| --exclude-dcs | | Skip domain controllers in computer enumeration |
| --disable-pooling | | Disable connection pooling |
| --disable-autogc | | Disable automatic Global Catalog server selection |
| --computerfile | | File containing computer names for targeted collection |
| --cachefile | | BloodHound cache file to load |
| --output-dir | -o | Output directory (default: current directory) |
| --output-file | | Single output file (for simple text output only) |
| --fileprefix | | Prefix for output file names |
| --zip | | Zip all output files into a single archive |
| --dns-timeout | | DNS resolution timeout in seconds (default: 3) |
| --dns-tcp | | Use TCP instead of UDP for DNS queries |

Collection Methods

The --collection-method / -c flag controls what data is collected. Multiple methods can be specified as a comma-separated list.

| Method | Description |
|---|---|
| default | Group membership, local admins, sessions, trusts, ACLs |
| all | All methods (equivalent to running everything) |
| group | Group membership |
| localadmin | Local administrator group membership |
| session | Active user sessions |
| trusts | Domain trust relationships |
| acl | Object ACLs (DACL entries) |
| objectprops | Object properties (full attribute collection) |
| dconly | Domain controller-only data (no computer enumeration) |
| container | Container and OU relationships |
| loggedon | Currently logged-on users (requires admin on target) |
| experimental | Experimental methods |
| dcom | DCOM-based access checks |
| rdp | RDP access checks |
| psremote | PowerShell remoting access checks |

Examples

# Fast collection (no session/logon enumeration)
r4t bloodhound collect -c "group,acl,objectprops,trusts,container" dc01.corp.example.com

# Full collection (slower)
r4t bloodhound collect -c all dc01.corp.example.com

# DC-only (fastest, no computer enumeration)
r4t bloodhound collect -c dconly dc01.corp.example.com

BloodHound CE vs Legacy

| Feature | BloodHound CE (default) | BloodHound Legacy |
|---|---|---|
| Format | JSON with _ prefix files | JSON with older schema |
| Compatibility | BloodHound CE / BHCE | BloodHound 4.x |
| Flag | (default) | --legacy |

Use --legacy if you are using BloodHound 4.x or older. Use the default (no flag) for BloodHound Community Edition.

Output Files

BloodHound collection produces several JSON files in the output directory:

| File | Contents |
|---|---|
| *_computers.json | Computer accounts and properties |
| *_users.json | User accounts and properties |
| *_groups.json | Groups and membership |
| *_domains.json | Domain objects and trusts |
| *_gpos.json | Group Policy Objects |
| *_containers.json | OUs and container objects |
| *_ous.json | Organizational Units |

When --zip is specified, all files are combined into a single .zip archive ready for direct import into BloodHound.
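The following script is an added example, not part of the r4t documentation or the r4t project's own code. It checks a collection output directory or a --zip archive before it is uploaded: every JSON file is parsed, the object count each file declares is compared with the number of objects actually present (a mismatch usually means a truncated or partially written file), and a per-type summary shows which of the expected object types came back empty. It assumes the SharpHound-style file layout in which each JSON file carries a `data` array and a `meta` object with `type` and `count` fields; that layout is an assumption, not something this page documents. The archive built by `sample_archive()` is constructed for illustration.

```python
"""Pre-import sanity check for collector output (added example, not r4t code).

Assumption: each JSON file uses the SharpHound-style layout
{"data": [...], "meta": {"type": "...", "count": N, ...}}; meta.count is
compared against the number of objects actually present so that truncated
or partially written files are caught before they reach BloodHound.
"""
import io
import json
import sys
import zipfile
from pathlib import Path

# Object types the page lists as output files (*_<type>.json).
EXPECTED_TYPES = ("computers", "users", "groups", "domains", "gpos", "containers", "ous")


def type_from_filename(name):
    """'20240101_computers.json' -> 'computers' (the --fileprefix part is ignored)."""
    return Path(name).stem.rsplit("_", 1)[-1].lower()


def check_document(name, raw):
    """Validate one JSON document; return its object type, object count and any problems."""
    problems = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"file": name, "type": type_from_filename(name), "count": 0,
                "problems": [f"invalid JSON: {exc.msg}"]}
    meta = doc.get("meta") or {}
    data = doc.get("data")
    obj_type = str(meta.get("type") or type_from_filename(name)).lower()
    if not isinstance(data, list):
        problems.append("'data' missing or not a list")
        data = []
    declared = meta.get("count")
    if declared is None:
        problems.append("'meta.count' missing")
    elif declared != len(data):
        problems.append(f"meta.count={declared} but {len(data)} objects present (truncated?)")
    if obj_type not in EXPECTED_TYPES:
        problems.append(f"unexpected object type {obj_type!r}")
    return {"file": name, "type": obj_type, "count": len(data), "problems": problems}


def iter_zip(source):
    """Yield (filename, bytes) for each .json member of a zip path or in-memory zip bytes."""
    fp = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else str(source)
    with zipfile.ZipFile(fp) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".json"):
                yield Path(info.filename).name, zf.read(info)


def iter_documents(path):
    """Yield (filename, bytes) for every .json in an output directory or a --zip archive."""
    path = Path(path)
    if path.is_dir():
        for p in sorted(path.glob("*.json")):
            yield p.name, p.read_bytes()
    elif zipfile.is_zipfile(str(path)):
        yield from iter_zip(path)
    else:
        raise ValueError(f"{path}: not an output directory or zip archive")


def summarize(documents):
    """Aggregate per-type object counts, collect problems, and list expected types not seen."""
    counts = {t: 0 for t in EXPECTED_TYPES}
    problems = []
    for name, raw in documents:
        result = check_document(name, raw)
        counts[result["type"]] = counts.get(result["type"], 0) + result["count"]
        problems.extend(f"{name}: {p}" for p in result["problems"])
    missing = [t for t in EXPECTED_TYPES if counts[t] == 0]
    return {"counts": counts, "problems": problems, "missing_types": missing}


def sample_archive():
    """Constructed sample: an in-memory --zip style archive whose groups file is truncated."""
    users = {"data": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1105"}],
             "meta": {"type": "users", "count": 1, "version": 5}}
    groups = {"data": [{"ObjectIdentifier": "S-1-5-21-1-2-3-512"},
                       {"ObjectIdentifier": "S-1-5-21-1-2-3-513"}],
              "meta": {"type": "groups", "count": 3, "version": 5}}  # claims 3, holds 2
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101_users.json", json.dumps(users))
        zf.writestr("20240101_groups.json", json.dumps(groups))
    return buf.getvalue()


def report(result):
    """Print a summary; exit status 1 signals that the output should not be imported yet."""
    for obj_type, n in result["counts"].items():
        print(f"{obj_type:<12}{n}")
    for p in result["problems"]:
        print("PROBLEM:", p)
    if result["missing_types"]:
        print("no objects for:", ", ".join(result["missing_types"]))
    return 1 if result["problems"] else 0


if __name__ == "__main__":
    docs = iter_documents(sys.argv[1]) if len(sys.argv) > 1 else iter_zip(sample_archive())
    sys.exit(report(summarize(docs)))
```

Point the script at the directory given to -o or at the archive produced by --zip (the file name `check_output.py` below is hypothetical): `python check_output.py ./bh-output/` or `python check_output.py ./bh-output/bloodhound.zip`. A missing type is not necessarily an error, since a -c selection such as `dconly` or `group,acl` legitimately leaves some files empty, but a count mismatch or invalid JSON means the collection should be rerun rather than imported.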

Authentication

bloodhound collect uses the same authentication flags as all other R4t commands. The collector requires:
  • Read access to AD via LDAP (for user/group/object data)
  • Read access to SYSVOL (for GPO data)
  • SMB access to target computers (for session/local admin enumeration; optional)

# With stored credential
r4t bloodhound collect dc01.corp.example.com

# With inline credentials
r4t bloodhound collect -u jsmith -p 'P@ssword1' -d corp.example.com dc01.corp.example.com

# With hash
r4t bloodhound collect -u jsmith --hash <ntlm-hash> -d corp.example.com dc01.corp.example.com

Common Workflows

Quick Initial Collection

# Fast DC-only collection first
r4t bloodhound collect -c dconly -o ./bh/ dc01.corp.example.com

# Follow up with full collection
r4t bloodhound collect -c all -o ./bh/ --zip dc01.corp.example.com

Targeted Collection (Specific Computers)

# Build a computer list
r4t dbquery "SELECT dns_hostname FROM computers WHERE enabled = 1" > computers.txt

# Targeted session collection
r4t bloodhound collect -c "session,localadmin" --computerfile computers.txt dc01.corp.example.com

Importing Results

After collection, import the output into BloodHound:
  1. Start BloodHound CE / BHCE
  2. Navigate to Upload Data
  3. Select the .zip file or individual JSON files
  4. Click Upload and wait for processing
  5. Run queries like “Shortest Path to Domain Admin”