[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80875":3},{"id":4,"name":5,"fullName":6,"owner":5,"repo":5,"description":7,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":10,"openIssues":12,"contributorsCount":12,"subscribersCount":12,"size":12,"stars1d":12,"stars7d":12,"stars30d":12,"stars90d":12,"forks30d":12,"starsTrendScore":12,"compositeScore":13,"rankGlobal":8,"rankLanguage":8,"license":14,"archived":15,"fork":15,"defaultBranch":16,"hasWiki":15,"hasPages":15,"topics":17,"createdAt":8,"pushedAt":8,"updatedAt":18,"readmeContent":19,"aiSummary":20,"trendingCount":12,"starSnapshotCount":12,"syncStatus":21,"lastSyncTime":22,"discoverSource":23},80875,"IPAHound","IPAHound\u002FIPAHound","BloodHound Collector for FreeIPA. Attackers think in graphs... — true for Linux as well!",null,"Python",34,3,0,41.81,"BSD 2-Clause \"Simplified\" License",false,"master",[],"2026-06-12 04:01:30","\u003Cp align=\"center\">\n  \u003Ch1 align=\"center\">IPAHound\u003C\u002Fh1>\n  \u003Cp align=\"center\">\n    \u003Cstrong>BloodHound Collector for FreeIPA\u003C\u002Fstrong>\u003Cbr>\n    \u003Cem>\"Attackers think in graphs...\"\u003C\u002Fem> — true for Linux as well!\n  \u003C\u002Fp>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"assets\u002Flogo.png\" width=\"300\">\n\u003C\u002Fp>\n\n> **⚠️ Disclaimer:** All information contained in this repository is provided for educational and research purposes only. 
The author is not responsible for any illegal use of this tool.\n\n---\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Companion GUI](#companion-gui)\n- [Quickstart](#quickstart)\n- [Requirements](#requirements)\n- [Types and Edges](#types-and-edges)\n- [How It Works](#how-it-works)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Loading Data into Neo4j](#loading-data-into-neo4j)\n- [ToDo](#todo)\n- [Additional Resources](#additional-resources)\n- [Star History](#star-history)\n- [Contributing](#contributing)\n\n## Overview\n\nIPAHound is a specialized LDAP collector designed for FreeIPA domain controllers, enabling comprehensive domain analysis through graph-based visualization. It bridges the gap between FreeIPA's complex structure and BloodHound's powerful analysis capabilities.\n\nThe collector operates in two main phases:\n\n1. **Data Collection** - Gathering information from the FreeIPA LDAP server.\n2. **Data Processing** - Creating relationships (edges) and exporting to JSON format.\n\nOnce collected, data can be imported using either:\n\n- **APOC (Awesome Procedures On Cypher) plugin for Neo4j** (recommended - significantly faster)\n- **Classic BloodHound GUI** (legacy support)\n\n### Philosophy\n\n> From hackers for hackers\n\nIPAHound prioritizes user-friendly functionality by simplifying FreeIPA's numerous abstractions into an intuitive format. It transforms complex FreeIPA structures into easily analyzable graphs, making your security assessment work more efficient.\n\n## Companion GUI\n\nStock BloodHound does not know about FreeIPA node and edge labels and will not render them. To visualize and query the data IPAHound produces, use the companion fork:\n\n- **[IPAHound-GUI](https:\u002F\u002Fgithub.com\u002FIPAHound\u002FIPAHound-GUI)** - BloodHound fork with FreeIPA node\u002Fedge support.\n\n## Quickstart\n\nEnd-to-end, from zero to a queryable graph:\n\n1. 
Install IPAHound.\n\n    ```console\n    ~$ uv tool install git+https:\u002F\u002Fgithub.com\u002FIPAHound\u002FIPAHound.git\n    ```\n\n2. Collect from your FreeIPA DC (Kerberos auth shown; see Usage for password auth).\n\n    ```console\n    ~$ kinit admin\n    ~$ ipahound -k -s dc01.ipa.local -a out.json\n    ```\n\n3. In Neo4j (one-time, before the very first import) - create constraints. See \"Loading Data into Neo4j\" below for the full constraint list.\n4. Import the JSON via APOC (cypher-shell or Neo4j Browser).\n\n    ```\n    CALL apoc.import.json(\"\u002Fabsolute\u002Fpath\u002Fto\u002Fout.json\");\n    ```\n\n5. Open IPAHound-GUI, point it at your Neo4j, and start hunting.\n\n## Requirements\n\n- **Python** ≥ 3.10\n- **Neo4j** 4.x or 5.x with a matching **APOC** plugin version (the Neo4j minor version and APOC version **must** match).\n- **FreeIPA** - tested against 4.9–4.11. Earlier versions may work but are not actively tested.\n- Network access to LDAP\u002FLDAPS on the FreeIPA DC, and either a valid Kerberos ticket or LDAP credentials.\n\n## Types and Edges\n\n### Node Types\n\nIPAHound consolidates various FreeIPA objects into simplified node types:\n\n|       IPAHound Type        | FreeIPA Objects                                            |\n|:--------------------------:|:-----------------------------------------------------------|\n|       **IPADomain**        | Root domain object                                         |\n|        **IPAUser**         | Users, System Users                                        |\n|        **IPAGroup**        | Groups, System Groups, Privileges, Net groups, Host groups |\n|      **IPAComputer**       | Computers                                                  |\n|       **IPAService**       | Services                                                   |\n|     **IPAPermission**      | Permissions                                                |\n|        **IPARole**         | Roles                                
                      |\n|         **IPACA**          | Certificate Authorities                                    |\n| **IPACertificateTemplate** | Certificate Templates                                      |\n|       **IPASELinux**       | SELinux rules                                              |\n\n### Edge Types\n\nRelationships between nodes represent various permissions and memberships:\n\n|        Edge Type        | Description                                                                                                                                                          |\n|:-----------------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|      **TrustedBy**      | Trust relationships between FreeIPA domains and MS Active Directory                                                                                                  |\n|      **MemberOf**       | Membership in IPAGroup, IPASELinux, IPACertificateTemplate, and others                                                                                               |\n|      **AddMember**      | Ability to manage group members (via _MemberManager_ attribute)                                                                                                      |\n| **ForceChangePassword** | Permission to create new Kerberos keys (_ipaAllowedToPerform;write_keys_)                                                                                            |\n|   **ReadKerberosKey**   | Permission to read Kerberos keys\u002Fretrieve keytabs (_ipaAllowedToPerform;read_keys_)                                                                                  |\n|        **Owns**         | Full control over Computer or Group objects (_ManagedBy_ attribute). 
Enables RBCD configuration, Kerberos key creation, SSH key addition, and certificate management |\n|       **CanSSH**        | HBAC rule allowing SSH access                                                                                                                                        |\n|       **CanSUDO**       | Combined HBAC and SUDO rules allowing sudo execution on hosts                                                                                                        |\n|       **Can{*}**        | With `--save-all-hbac`, one edge per HBAC service (e.g., `Cancrond`, `CanFTP`). Edge name is derived from the service's `cn`.                                        |\n|  **AllowedToDelegate**  | Constrained Delegation rights (S4U2Proxy)                                                                                                                            |\n|       **Enroll**        | Permission to issue certificates                                                                                                                                     |\n|       **AddRBCD**       | Permission to configure Resource-Based Constrained Delegation (_ipaAllowedToPerform;write_delegation_)                                                               |\n|       **DCSync**        | DCSync rights (inferred from default permission values)                                                                                                              |\n\n## How It Works\n\n### Step 1: Authentication\n\nFreeIPA LDAP servers support two authentication methods:\n\n- **Kerberos** - Automatically uses credentials from your Kerberos ticket.\n- **Simple Bind** - Requires a full DN (Distinguished Name).\n\nFor Simple Bind, the collector accepts a bare username and attempts to construct the full DN automatically. 
This prediction may fail in non-standard configurations; pass the full DN explicitly if it does.\n\nDN examples:\n\n- **User:** `uid=admin,cn=users,cn=accounts,dc=ipa,dc=local`\n- **Service:** `krbprincipalname=dogtag\u002Fpc01.ipa.local@IPA.LOCAL,cn=services,cn=accounts,dc=ipa,dc=local`\n\n### Step 2: Data Collection\n\nThe collector retrieves all accessible data based on the `LDAP_PATHS` structure. FreeIPA may restrict visibility of certain entries and attributes based on your permissions. Consider running the collector with different user accounts for comprehensive coverage.\n\nAfter the run, IPAHound prints warnings such as `No \"krbTicketFlags\" in computer accounts, try again with more privileges.` - these are **expected** on an under-privileged bind and indicate which graph features will be missing, not a bug.\n\nRaw data can be saved using the `--output-raw` flag for:\n\n- Offline processing\n- Debugging purposes\n- Audit trails\n\n### Step 3: Data Processing\n\nDuring this phase, IPAHound:\n\n- Analyzes raw data to create relationship edges\n- Filters out disabled accounts and inactive rules\n- Optimizes the graph structure for analysis\n\n### Step 4: Export\n\nIPAHound supports two export formats. They are **mutually exclusive** - pick one per run:\n\n1. **APOC Format** (`-a` option) - Optimized for Neo4j APOC plugin import (recommended)\n2. 
**Classic Format** (`-o` option) - Compatible with the classic BloodHound JSON loader\n\n## Installation\n\nInstall [uv](https:\u002F\u002Fdocs.astral.sh\u002Fuv\u002F):\n\n```console\n~$ curl -LsSf https:\u002F\u002Fastral.sh\u002Fuv\u002Finstall.sh | sh\n```\n\nInstall `ipahound` as a CLI tool:\n\n```console\n~$ uv tool install git+https:\u002F\u002Fgithub.com\u002FIPAHound\u002FIPAHound\n~$ ipahound -h\n```\n\nInstall `ipahound` for development:\n\n```console\n~$ git clone https:\u002F\u002Fgithub.com\u002FIPAHound\u002FIPAHound\n~$ cd IPAHound\n~$ uv sync\n~$ uv run ipahound -h\n```\n\nThe repo also ships a `poetry.lock` if you prefer [Poetry](https:\u002F\u002Fpython-poetry.org\u002F):\n\n```console\n~$ pip install poetry\n~$ poetry install\n~$ poetry run ipahound -h\n```\n\n## Usage\n\n### Command-Line Options\n\n```\n _____ _____ _____ _____               _\n|     |  _  |  _  |  |  |___ _ _ ___ _| |\n|-   -|   __|     |     | . | | |   | . |\n|_____|__|  |__|__|__|__|___|___|_|_|___|\n     by Mikhail Sukhov (@Im10n), @ptswarm\n\nusage: ipahound [-h] [-d] [-s SERVER] [-b BASE_DN] [-u USER] [-p PASSWORD] [-k]\n                [--save-all-hbac] [-a FILE] [-o FILE] [--output-raw FILE] [--input-raw FILE]\n\nIPA BloodHound Collector\n\noptions:\n  -h, --help            Show this help message and exit\n  -d, --debug           Enable debug output\n\nLDAP connection parameters:\n  -s SERVER, --ldap-server SERVER\n                        IP address or DNS name of LDAP server\n  -b BASE_DN, --ldap-base-dn BASE_DN\n                        Base DN for LDAP dump (optional, defaults to auto-detection)\n\nAuthentication options:\n  -u USER, --ldap-user USER\n                        Username for LDAP (can use DN format: uid=admin,cn=users,cn=accounts,dc=ipa,dc=local)\n  -p PASSWORD, --ldap-password PASSWORD\n                        Password for LDAP authentication\n  -k, --kerberos        Use Kerberos authentication instead of username\u002Fpassword\n\nOutput format 
options:\n  --save-all-hbac       Draw all HBAC services in the graph (default: only sudo and SSH)\n  -a FILE, --apoc-output FILE\n                        Output JSON for APOC neo4j plugin (recommended)\n  -o FILE, --output FILE\n                        Output JSON for BloodHound loader\n\nAdvanced options (debugging):\n  --output-raw FILE     Output RAW JSON before processing (useful for debugging)\n  --input-raw FILE      Process existing RAW JSON instead of performing LDAP dump\n```\n\n### Examples\n\nDump domain with password authentication (APOC format):\n\n```console\n~$ ipahound -u uid=admin,cn=users,cn=accounts,dc=ipa,dc=local -p P@ssw0rd -s dc01.ipa.local -a out_for_apoc.json\n~$ ipahound -u admin -p P@ssw0rd -s dc01.ipa.local -a out_for_apoc.json\n```\n\nDump domain with Kerberos authentication (BloodHound classic format):\n\n```console\n~$ ipahound -k -s dc01.ipa.local -o out.json\n```\n\nProcess an existing raw dump (no LDAP traffic):\n\n```console\n~$ ipahound --input-raw raw_dump.json -a processed_output.json\n```\n\n## Loading Data into Neo4j\n\n### Prerequisites\n\n1. Install the APOC plugin from the [APOC releases page](https:\u002F\u002Fgithub.com\u002Fneo4j\u002Fapoc\u002Freleases). The Neo4j version **must** match the version of the APOC plugin.\n2. Enable file imports in Neo4j by adding the following to `\u002Fetc\u002Fneo4j\u002Fapoc.conf` (Linux) or `conf\u002Fapoc.conf` (Windows):\n   ```\n   apoc.import.file.enabled=true\n   ```\n3. 
Create the necessary constraints in Neo4j (one-time, before the **first** import):\n   ```cypher\n   CREATE CONSTRAINT FOR (n:IPADomain) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPAUser) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPAGroup) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPAComputer) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPAService) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPAPermission) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPACertificateTemplate) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPACA) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:Base) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPARole) REQUIRE n.neo4jImportId IS UNIQUE;\n   CREATE CONSTRAINT FOR (n:IPASELinux) REQUIRE n.neo4jImportId IS UNIQUE;\n   ```\n\n### Import Process\n\nImport (or re-import) the collected data:\n\n```cypher\nCALL apoc.import.json(\"\u002Fpath\u002Fto\u002Ffile.json\");\n```\n\nTo wipe existing data before a fresh import (e.g., between engagements):\n\n```cypher\nMATCH (n) DETACH DELETE n;\n```\n\nThe constraints from step 3 above persist across `DETACH DELETE` and never need to be recreated.\n\n## ToDo\n\n- [ ] Add ACI parser\n\n## Additional Resources\n\nFor more detailed information about FreeIPA security analysis and attack techniques, please refer to our blog posts:\n1. https:\u002F\u002Fswarm.ptsecurity.com\u002Fthinking-in-graphs-with-ipahound\u002F\n2. 
https:\u002F\u002Fhabr.com\u002Fru\u002Fcompanies\u002Fpt\u002Farticles\u002F1028412\u002F\n\n- ...\n\n## Star History\n\n\u003Ca href=\"https:\u002F\u002Fstar-history.com\u002F#IPAHound\u002FIPAHound&Date\">\n  \u003Cpicture>\n    \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=IPAHound\u002FIPAHound&type=Date&theme=dark\">\n    \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=IPAHound\u002FIPAHound&type=Date\">\n    \u003Cimg alt=\"Star History Chart\" src=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=IPAHound\u002FIPAHound&type=Date\">\n  \u003C\u002Fpicture>\n\u003C\u002Fa>\n\n## Contributing\n\nWe welcome contributions! Please feel free to submit issues, feature requests, and pull requests.\n\n---\n\n\u003Cp align=\"center\">\n  \u003Cem>Happy Hunting! 🎯\u003C\u002Fem>\n\u003C\u002Fp>\n","IPAHound is an LDAP collector designed for FreeIPA domain controllers, aimed at comprehensive domain analysis through graph-based visualization. Its core functions are collecting information from the FreeIPA LDAP server, creating relationships (edges), and exporting the result as a JSON file; the data can then be imported into Neo4j for visual analysis using either the APOC plugin or the classic BloodHound GUI. The project is written in Python and is suited to security assessment and attack-path exploration of Linux-based FreeIPA environments, making it particularly useful for cybersecurity researchers and penetration testers.",2,"2026-06-11 04:02:39","CREATED_QUERY"]