ADExplorerSnapshot.py – An AD Explorer Snapshot Parser. It Is Made As An Ingestor For BloodHound, And Also Supports Full-Object Dumping To NDJSON
ADExplorerSnapshot.py is an AD
Notes
This library is now supporting the BloodHound v4.1+ output format (JSON format v4). For the old v3 output format, you can use the code in the v3-format branch.
Making snapshots in AD Explorer is more network-intensive than the traditional BloodHound ingestors as it attempts to retrieve all objects it can from the LDAP.
ADExplorerSnapshot.py will create caches of information for quicker lookups while processing the data. Especially when processing larger snapshots (e.g. 4GB+) you will also need to have sufficient RAM available. In my tests, about half of the snapshot file size was required in RAM.
The library was tested with a number of data sets, please create an issue report if you run into problems.
The AD Explorer snapshot parser is implemented as its own module, which could also be used individually.
The format in which snapshots are stored by AD Explorer is proprietary and led to a fun reverse engineering journey. A 010 editor template is included in this repository, which I used for iteratively mapping out the contents of the snapshot into structs.
License and credits
This code is licensed under the MIT license and makes use of code that is also licensed under the MIT license.
ADExplorerSnapshot.py relies on the following projects:
- BloodHound.py (the Python BloodHound ingestor): for processing LDAP data.
- dissect.cstruct (C-style binary struct parser): for parsing the binary snapshot data.
Credits:
- Cedric Van Bockhaven (Deloitte) for implementation
- Marat Nigmatullin (Deloitte) for the idea
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.