bloodhound
The bloodhound command collects Active Directory data in BloodHound-compatible format. It integrates with both BloodHound Community Edition (CE) and BloodHound Legacy, producing the JSON files that BloodHound uses to build its attack path graph.
Usage
r4t bloodhound <subcommand> [flags]
Subcommands
bloodhound collect
Collect BloodHound data from Active Directory.
# Collect all data from a specific DC (BloodHound CE by default)
r4t bloodhound collect dc01.corp.example.com
# Use BloodHound Legacy format
r4t bloodhound collect --legacy dc01.corp.example.com
# Collect only specific data types
r4t bloodhound collect -c "group,acl,trusts" dc01.corp.example.com
# Output to a specific directory
r4t bloodhound collect -o ./bh-output/ dc01.corp.example.com
# Zip the output
r4t bloodhound collect --zip -o ./bh-output/ dc01.corp.example.com
# Use more workers for faster collection
r4t bloodhound collect --workers 20 dc01.corp.example.com
# Exclude domain controllers from direct enumeration
r4t bloodhound collect --exclude-dcs dc01.corp.example.com
# Targeted collection from a specific computer file
r4t bloodhound collect --computerfile /tmp/computers.txt dc01.corp.example.com
Flags
| Flag | Short | Description |
|---|---|---|
| --legacy | — | Use BloodHound Legacy format (instead of CE) |
| --collection-method | -c | Comma-separated collection methods (see below) |
| --workers | -w | Worker thread count (default: 10) |
| --exclude-dcs | — | Skip domain controllers in computer enumeration |
| --disable-pooling | — | Disable connection pooling |
| --disable-autogc | — | Disable automatic Global Catalog server selection |
| --computerfile | — | File containing computer names for targeted collection |
| --cachefile | — | BloodHound cache file to load |
| --output-dir | -o | Output directory (default: current directory) |
| --output-file | — | Single output file (for simple text output only) |
| --fileprefix | — | Prefix for output file names |
| --zip | — | Zip all output files into a single archive |
| --dns-timeout | — | DNS resolution timeout in seconds (default: 3) |
| --dns-tcp | — | Use TCP instead of UDP for DNS queries |
Collection Methods
The --collection-method / -c flag controls what data is collected. Multiple methods can be specified as a comma-separated list.
| Method | Description |
|---|---|
| default | Group membership, local admins, sessions, trusts, ACLs |
| all | All methods (equivalent to running everything) |
| group | Group membership |
| localadmin | Local administrator group membership |
| session | Active user sessions |
| trusts | Domain trust relationships |
| acl | Object ACLs (DACL entries) |
| objectprops | Object properties (full attribute collection) |
| dconly | Domain controller-only data (no computer enumeration) |
| container | Container and OU relationships |
| loggedon | Currently logged-on users (requires admin on target) |
| experimental | Experimental methods |
| dcom | DCOM-based access checks |
| rdp | RDP access checks |
| psremote | PowerShell remoting access checks |
Examples
# Fast collection (no session/logon enumeration)
r4t bloodhound collect -c "group,acl,objectprops,trusts,container" dc01.corp.example.com
# Full collection (slower)
r4t bloodhound collect -c all dc01.corp.example.com
# DC-only (fastest, no computer enumeration)
r4t bloodhound collect -c dconly dc01.corp.example.com
BloodHound CE vs Legacy
| Feature | BloodHound CE (default) | BloodHound Legacy |
|---|---|---|
| Format | JSON with _ prefix files | JSON with older schema |
| Compatibility | BloodHound CE / BHCE | BloodHound 4.x |
| Flag | (default) | --legacy |
Use --legacy if you are using BloodHound 4.x or older. Use the default (no flag) for BloodHound Community Edition.
Output Files
BloodHound collection produces several JSON files in the output directory:
| File | Contents |
|---|---|
| *_computers.json | Computer accounts and properties |
| *_users.json | User accounts and properties |
| *_groups.json | Groups and membership |
| *_domains.json | Domain objects and trusts |
| *_gpos.json | Group Policy Objects |
| *_containers.json | OUs and container objects |
| *_ous.json | Organizational Units |
When --zip is specified, all files are combined into a single .zip archive ready for direct import into BloodHound.
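A pre-import check for an output archive, added here as an example (it is not part of R4t or its documentation): it reports which of the file kinds in the table above are present and whether each parses as JSON, so a partial or truncated collection is caught before upload. The top-level "data" list and the `sample_` file names are assumptions made for the example.

```python
import io
import json
import zipfile

# File-name suffixes taken from the "Output Files" table on this page.
EXPECTED_KINDS = ("computers", "users", "groups", "domains",
                  "gpos", "containers", "ous")


def inspect_member(raw):
    """Return (status, count) for one JSON member of the archive."""
    try:
        doc = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and bad encodings
        return ("invalid-json", None)
    # Assumption: objects sit in a top-level "data" list; count them if so.
    data = doc.get("data") if isinstance(doc, dict) else None
    return ("ok", len(data) if isinstance(data, list) else None)


def check_archive(source):
    """Map each expected kind to (status, count); source is a path or file object."""
    report = {kind: ("missing", None) for kind in EXPECTED_KINDS}
    with zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            for kind in EXPECTED_KINDS:
                if base.endswith(f"_{kind}.json"):
                    report[kind] = inspect_member(zf.read(name))
    return report


def build_sample_archive():
    """Constructed sample: a partial collection with one truncated file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_users.json", json.dumps({"data": [{}, {}]}))
        zf.writestr("sample_groups.json", json.dumps({"data": []}))
        zf.writestr("sample_domains.json", '{"data": [{"name": "CORP"')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for kind, (status, count) in check_archive(build_sample_archive()).items():
        print(f"{kind:<11} {status:<13} {'' if count is None else count}")
```

A "missing" entry is not always an error: which files appear depends on the collection methods selected with -c.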
Authentication
bloodhound collect uses the same authentication flags as all other R4t commands. The collector requires:
- Read access to AD via LDAP (for user/group/object data)
- Read access to SYSVOL (for GPO data)
- SMB access to target computers (for session/local admin enumeration — optional)
# With stored credential
r4t bloodhound collect dc01.corp.example.com
# With inline credentials
r4t bloodhound collect -u jsmith -p 'P@ssword1' -d corp.example.com dc01.corp.example.com
# With hash
r4t bloodhound collect -u jsmith --hash <ntlm-hash> -d corp.example.com dc01.corp.example.com
Common Workflows
Quick Initial Collection
# Fast DC-only collection first
r4t bloodhound collect -c dconly -o ./bh/ dc01.corp.example.com
# Follow up with full collection
r4t bloodhound collect -c all -o ./bh/ --zip dc01.corp.example.com
Targeted Collection (Specific Computers)
# Build a computer list
r4t dbquery "SELECT dns_hostname FROM computers WHERE enabled = 1" > computers.txt
# Targeted session collection
r4t bloodhound collect -c "session,localadmin" --computerfile computers.txt dc01.corp.example.com
Importing Results
After collection, import the output into BloodHound:
- Start BloodHound CE / BHCE
- Navigate to Upload Data
- Select the .zip file or individual JSON files
- Click Upload and wait for processing
- Run queries like “Shortest Path to Domain Admin”