For red teamers, blue teamers, and Active Directory (AD) forensic analysts, few tools have revolutionized privilege escalation auditing like BloodHound. At the heart of the data collection process lies the ingestor. However, for those operating in Python environments—specifically when dealing with restricted shells, Linux-based attack machines, or cross-platform C2 frameworks—the Python implementation known as bloodbornepkg (or simply bloodhound.py ) has been the go-to solution.
Note: Timed on a 2020 MacBook Pro (2.3 GHz i7) connecting to a remote DC over VPN. If you have automation scripts that rely on the old bloodhound.py output format, you have two paths forward. Quick Fix: Convert JSONL back to legacy JSON If you cannot update your parser immediately, use jq to reconstruct the legacy format: bloodbornepkg updated
Date: October 26, 2023 (Adjusted for context of a major tooling update) Reading Time: 8 minutes For red teamers, blue teamers, and Active Directory
"Unexpected keyword argument 'encrypt'" when connecting to DC. Solution: You are hitting an Impacket deprecation. Downgrade Impacket to 0.9.24 OR edit bloodhound.py line 247 to change encrypt to kerberos . (Better: open an issue on GitHub—this is a known regression.) Note: Timed on a 2020 MacBook Pro (2
# Instead of drag-and-drop, use: bloodhound-cli ingest /path/to/*.jsonl # New way to read bloodhound output import json with open('20231025_computers.jsonl', 'r') as f: for line in f: computer_obj = json.loads(line) if computer_obj['Properties'].get('AdminCount') == 1: print(f"High value: computer_obj['Properties']['name']") 7. Common Pitfalls and Solutions Problem: "The tool says 'No authentication method specified' even with -u and -p." Solution: The update requires explicit authentication flags. Use --auth-method (e.g., --auth-method NTLM or --auth-method Kerberos ). Legacy default was NTLM, but now it is unset for security.
# Concatenate all JSONL lines into a single array cat *.jsonl | jq -s '.' > legacy_computers.json Use the BloodHound v4.3+ collector CLI:
