Skip to content

NetSPI/AD-PathFinder

Repository files navigation

ADPathFinder

build

ADPathFinder is an attack mapping tool for pentesters and red teamers. It analyses SharpHound data and unifies it with OpenGraph plugins to surface attack paths to high-value targets such as Domain Admins and Domain Controllers, starting from low-privileged users and computers. MSSQLHound and ConfigManBearPig are supported natively, extending coverage across AD, ADCS, SCCM, and MSSQL.

ADPathFinder CLI demo showing grouped risk findings and attack paths

Jump to: Quickstart · Coverage · How it works · Reports · Configuration · Contributors

Coverage

Area Examples
Core AD Escalation paths, delegation, admin rights, BadSuccessor, exposed high-value sessions
Passwords Weak passwords, blank passwords, reuse, username similarity, LM hash use, Kerberoast and AS-REP exposure paired with weak passwords
ADCS ESC-style certificate template and CA risks
MSSQL (MSSQLHound OpenGraph data) Logins, linked servers, impersonation, relay, and privilege escalation paths
SCCM (ConfigManBearPig OpenGraph data) Takeover and relay paths, PXE-enabled distribution points, and management point policy retrieval
Across domains Trusts, shared passwords, and escalation paths between domains

Requirements

  • Python 3.9 or later.
  • BloodHound CE and Neo4j available locally by default at neo4j://localhost:7687.
  • BloodHound CE API credentials for import and delete operations.
  • A BloodHound CE / SharpHound zip for AD audit coverage.
  • Optional OpenGraph plugin zips from MSSQLHound and ConfigManBearPig for MSSQL and SCCM coverage.
  • Optional NTDS hash dump and hashcat potfile for password audits.

Quickstart

Install from source
git clone https://github.com/NetSPI/AD-PathFinder.git
cd AD-PathFinder
python3 -m venv .venv
source .venv/bin/activate
pip install -e .
Configure BloodHound API access
adpathfinder --setup-bloodhound-api

This stores the BloodHound CE API settings used for import and delete operations.

Import SharpHound data
adpathfinder --import SharpHound.zip

Multiple SharpHound and OpenGraph plugin zip files can be imported in one command:

adpathfinder --import SharpHound.zip MSSQLHound.zip ConfigManBearPig.zip
Import data and run a full audit
adpathfinder -i SharpHound.zip MSSQLHound.zip ConfigManBearPig.zip --ad --pwd Contoso,ContosoIT --ntds ntds.txt -p hashcat.potfile

Use only the zip files you have. The --pwd value is not the AD domain; it is a comma separated list of company, brand, or organisation terms to flag in cracked passwords.

Run a domain audit
adpathfinder --ad
Run a password audit
adpathfinder --ad --pwd Contoso,ContosoIT --ntds ntds.txt -p hashcat.potfile

Use --unsafe-report only when reports should include cleartext passwords.

Write diagnostics
adpathfinder --ad --pwd Contoso,ContosoIT --ntds ntds.txt -p hashcat.potfile --diagnostics

How it works

Stage What happens
Ingest Merges SharpHound and supported OpenGraph zips into one graph. MSSQLHound and ConfigManBearPig data are supported directly
Map Finds the shortest paths from users and computers to high-value targets. You can configure the edge set to remove noisy edges like HasSession
Group Groups accounts that share a path, so repeated paths are reported as one finding instead of many near-duplicates
Pair Compares NTDS hashes and hashcat potfiles with graph data to show which paths are usable during the assessment
Layer Reports standalone findings such as SMB signing disabled or default privileged groups, and raises the severity when the same host or group also sits on a path to high-value targets
Render Writes HTML reports with SVG path graphs, mitigation notes, PowerShell validation steps, and remediated state tracking, plus text, JSON, and diagnostics outputs

ADPathFinder workflow diagram

AD HTML Report

ADPathFinder AD report walkthrough showing overview, mitigation, and confirmation steps

Password Audit HTML Report

ADPathFinder password audit report walkthrough showing cracked categories, policy compliance, password lengths, and roastable accounts

Configuration

ADPathFinder reads config.ini from the working directory. Values can also be set with ADPF_* environment variables.

Run this to configure BloodHound CE API access for imports and deletes:

adpathfinder --setup-bloodhound-api

See Configuration on the wiki for all options, Neo4j connection settings, file permissions, and example configs. See Excluded relationships for filtering attack path output.

Outputs

Reports are written to report_<domain>/, for example report_training.local/.

Output Purpose
<domain>_AD_report.html HTML report for clients with grouped findings, path graphs, mitigation notes, validation steps, and remediated state tracking
<domain>_domain_audit.txt / <domain>_domain_audit.json Text and JSON domain audit outputs for review, automation, and later analysis
<domain>_password_audit.html / <domain>_password_audit.txt / <domain>_password_audit.json Password audit outputs when NTDS hashes and a hashcat potfile are provided
<domain>_*_unsafe.* Optional unsafe reports generated only with --unsafe-report; these may include cleartext passwords
diagnostics.json Optional run statistics and debugging data generated with --diagnostics

Handle NTDS data, potfiles, and generated reports as sensitive assessment data. The --unsafe-report flag writes cleartext passwords into the output files; only use it when you specifically need cleartext in the report, and store the resulting _unsafe files accordingly.

See sample_reports/ for example domain audit and password audit output.

Contributors

Checks are small classes that register with a decorator, declare their data requirements, and return finding dictionaries. Platform checks declare their datasource, so normal AD audits skip MSSQL or SCCM checks when the matching OpenGraph data is not present.

See Adding new checks, Working with OpenGraph plugins, and the Framework Guide on the wiki.

Testing

pip install -e ".[test]" then pytest tests/ -m "not neo4j and not integration" runs the fast framework tests without Neo4j. See tests/README.md for the Neo4j fixture suite and the full local test workflow.

Acknowledgements

ADPathFinder builds on data collected by other projects; thanks to their authors and the SpecterOps team:

About

Attack path mapping for Active Directory, ADCS, SCCM, and MSSQL using BloodHound CE + OpenGraph data.

Topics

Resources

License

Stars

15 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages