# bloodhound-ce.py
Syntax for grabbing a Python-based [BloodHound collection](https://github.com/dirkjanm/BloodHound.py).

## Run a Bloodhound CE collection
```
bloodhound-ce.py --zip -c All -d domain.com -u lowpriv -p 'LowPrivPass$' -dc dc1.domain.com
```

## Run with hashes instead of account username/password
```
bloodhound-ce.py --zip -c All -d domain.com -u lowpriv --hashes :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -dc dc1.domain.com
```

## Run the modified version from SpecterOps

On a recent pentest I compromised a user who could join machines to the domain, and I learned on [BloodHound Slack](https://bloodhoundhq.slack.com/archives/C03N78QCRKJ/p1759288173252759) that my compromised user might have more underlying powers (as discussed [here](https://specterops.io/blog/2025/10/01/writeaccountrestrictions-war-what-is-it-good-for/)).  To explore this I had to install a [modified BloodHound.py](https://github.com/garrettfoster13/BloodHound.py/tree/bloodhound-ce) as follows:

```
# Grab only the bloodhound-ce branch into a new folder
git clone --branch bloodhound-ce --single-branch https://github.com/garrettfoster13/BloodHound.py.git BloodHoundCE

# Change to the tool directory
cd BloodHoundCE

# Create + activate a fresh venv alongside this checkout
python3 -m venv venv
source venv/bin/activate

# Upgrade pip/setuptools to avoid build issues
pip install -U pip setuptools wheel

# Install the package (editable mode so your venv points directly at this checkout)
pip install -e .

# Sanity check
git rev-parse --abbrev-ref HEAD   # should print: bloodhound-ce
./bloodhound.py --help
```

Run the collection:
```
/bloodhound.py --zip -c All -d domain -u lowpriv -p 'xxxxx' -dc dc1.domain.com -ns 1.2.3.4
```

* `-ns 1.2.3.4` - the IP address of a DNS server.

## Warning
I found on a recent pentest that `bloodhound-ce.py` doesn't appear to capture session data!  Not 100% as I'd have to try this on another assessment, but big deal if true!