BloodBash: A Lightweight Python Alternative to BloodHound for Active Directory Analysis

Active Directory (AD) reconnaissance is a critical step in red team engagements, penetration testing, and security assessments. Traditionally, tools like BloodHound — paired with its data collector SharpHound — have been the go-to solution for mapping attack paths in AD environments. However, setting up BloodHound often requires installing Neo4j, running a GUI, and handling complex dependencies.

Enter BloodBash, a standalone Python tool that analyzes SharpHound JSON files directly — no database, no GUI required. In this article, we’ll explore what BloodBash is, how it works, its key features, and why it’s a valuable addition to any security professional’s toolkit.

What Is BloodBash?

BloodBash is an open-source Python script developed to parse and analyze JSON output generated by SharpHound (version 6 and later). SharpHound collects detailed AD data, including users, groups, computers, organizational units (OUs), Group Policy Objects (GPOs), domains, certificate templates, Enterprise CAs, Root CAs, and NTAuth stores.

Unlike full BloodHound, which ingests this data into a Neo4j graph database for visualization, BloodBash uses the networkx library to build a directed graph in memory and applies common security queries directly in the terminal.

This makes BloodBash ideal for:

  • Quick, offline analysis during time-sensitive engagements
  • Environments where installing Neo4j or running a GUI is impractical
  • Red teamers who prefer lightweight, scriptable tools

The project is licensed under the MIT License, making it free to use, modify, and distribute.

Key Features of BloodBash

BloodBash focuses on simplicity and portability while delivering BloodHound-style insights. Core capabilities include:

  • Direct SharpHound JSON Parsing — Supports v6+ format, handling a wide range of AD object types and relationships (including ACLs/permissions).
  • Graph-Based Analysis — Builds a directed graph with networkx to model AD objects and edges (e.g., GenericAll, Owns, WriteDacl).
  • Common Attack Queries — Implements several popular analyses:
    • Shortest attack paths to high-value targets
    • Dangerous permissions on sensitive objects
    • Unconstrained delegation detection
    • Kerberoastable accounts (SPN-enabled users with weak or no passwords)
    • AS-REP roastable accounts (users with DONT_REQ_PREAUTH set)
    • High-value target identification (e.g., Domain Admins, KRBTGT, Enterprise CAs)
    • Verbose summaries (object counts, user lists, etc.)
  • Minimal Dependencies — Primarily relies on networkx, with Python 3.8+ required.
  • Terminal-Friendly Output — Clear, structured results with progress indicators during loading and graph building.
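To make the graph model concrete, here is an added stand-alone example (not BloodBash's own code) that mimics its approach on a constructed SharpHound-style sample: ACEs and group memberships become directed edges, a breadth-first search finds the shortest path from a user to Domain Admins, and user properties are scanned for Kerberoastable and AS-REP roastable accounts. It uses a plain dictionary adjacency list from the standard library instead of networkx so it runs with no extra dependency; the SIDs, account names and the exact property keys are assumptions modelled on SharpHound's layout.

```python
from collections import deque

# Constructed sample in SharpHound's JSON shape (not real output): "ObjectIdentifier", "Properties", "Aces"; groups add "Members".
SAMPLE = {
    "users": [
        {"ObjectIdentifier": "S-1-5-21-1-1001",
         "Properties": {"name": "ALICE@CORP.LOCAL", "hasspn": True, "dontreqpreauth": False}},
        {"ObjectIdentifier": "S-1-5-21-1-1002",
         "Properties": {"name": "BOB@CORP.LOCAL", "hasspn": False, "dontreqpreauth": True}},
    ],
    "groups": [
        {"ObjectIdentifier": "S-1-5-21-1-1101",
         "Properties": {"name": "HELPDESK@CORP.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1002"}]},
        {"ObjectIdentifier": "S-1-5-21-1-512",
         "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "highvalue": True},
         "Aces": [{"PrincipalSID": "S-1-5-21-1-1101", "RightName": "WriteDacl"}]},
    ],
}

def load_graph(files):
    """Return ({sid: props}, {src: {(dst, right)}}); ACE -> principal->object edge, membership -> MemberOf edge."""
    nodes, edges = {}, {}
    for objects in files.values():
        for obj in objects:
            sid = obj["ObjectIdentifier"]
            nodes[sid] = obj["Properties"]
            for ace in obj.get("Aces", []):  # who holds a right over this object
                edges.setdefault(ace["PrincipalSID"], set()).add((sid, ace["RightName"]))
            for member in obj.get("Members", []):  # rights flow through group membership
                edges.setdefault(member["ObjectIdentifier"], set()).add((sid, "MemberOf"))
    return nodes, edges

def shortest_path(edges, src, dst):
    """BFS shortest path as [(node, right), ...] hops, or None if unreachable."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        node, path = queue.popleft()
        if node == dst:
            return path
        for nxt, right in sorted(edges.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, right)]))
    return None

def roastable(nodes):
    """Kerberoastable (SPN set) and AS-REP roastable (no preauth) user names."""
    return (sorted(p["name"] for p in nodes.values() if p.get("hasspn")),
            sorted(p["name"] for p in nodes.values() if p.get("dontreqpreauth")))
```

In the sample, BOB reaches Domain Admins in two hops (MemberOf HELPDESK, which holds WriteDacl on the group) while ALICE has no path, which is exactly the kind of finding a defender would fix by removing the stray ACE.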

Future contributions could expand support for advanced checks like Resource-Based Constrained Delegation (RBCD), GPO abuse, full ADCS ESC1–ESC8 scenarios, and export options.

How to Install BloodBash

Getting started is straightforward:

  1. Clone the repository:
     git clone https://github.com/DotNetRussell/BloodBash.git
     cd BloodBash
  2. (Recommended) Create and activate a virtual environment:
     python3 -m venv venv
     source venv/bin/activate    # Linux/macOS
     venv\Scripts\activate       # Windows
  3. Install dependencies:
     pip install -r requirements.txt

That’s it — no heavy setup required.

How to Use BloodBash

Run the tool by pointing it at a folder containing SharpHound JSON files.

Basic full analysis (runs all queries by default):

python3 BloodBash /path/to/sharphound/json/folder

Targeted queries:

# Dangerous permissions and high-value targets only (great for ADCS checks)
python3 BloodBash sharpout --dangerous-permissions --high-value

# Kerberoasting and AS-REP roasting focus
python3 BloodBash . --kerberoastable --as-rep-roastable

# Verbose everything with shortest paths
python3 BloodBash sharpout --all --shortest-paths --verbose

Available flags include:

  • --shortest-paths
  • --dangerous-permissions
  • --unconstrained-delegation
  • --kerberoastable
  • --as-rep-roastable
  • --high-value
  • --verbose
  • --all

Omit flags to run the default full set.

Sample Output

BloodBash provides clean, actionable results:

This output highlights immediate attack vectors without needing to visualize the full graph.

When a misconfiguration is detected, an abuse suggestion is printed alongside the finding.

When to Use BloodBash vs. Full BloodHound

Feature                  | BloodBash                        | Full BloodHound (with Neo4j)
-------------------------+----------------------------------+-----------------------------
Setup complexity         | Very low (Python only)           | Higher (Neo4j + GUI)
Dependencies             | Minimal                          | Multiple
Visualization            | Text-based                       | Graphical paths
Offline / portable       | Excellent                        | Good (but bulkier)
Speed on small datasets  | Fast                             | Slower startup
Advanced queries         | Growing (contributions welcome)  | Extensive & visual

BloodBash shines when you need fast insights from SharpHound data without overhead.

Conclusion

BloodBash offers a clever, no-frills way to perform BloodHound-style Active Directory analysis using only Python and raw SharpHound JSON files. It’s particularly useful for red teamers, penetration testers, and students preparing for certifications like OSCP or CRTP who want a lightweight tool for terminal-based recon.

If you’re working in constrained environments or just prefer staying in the command line, BloodBash is worth adding to your toolkit. Check out the repository, experiment with your SharpHound collections, and consider contributing new queries or improvements.

Happy hunting!
