Home
Macmod edited this page Feb 15, 2026 · 6 revisions

FlashIngestor is a Terminal User Interface (TUI) for Active Directory collection compatible with BloodHound Community Edition.
| Page | Description |
|---|---|
| Interface | Complete guide on how to use the TUI |
| Configuration | All command-line arguments and config.yaml options |
| Authentication | Supported auth methods and limitations |
| Object-Model | Attributes filled for each AD object type |
| ACL-Parsing | How ACLs are parsed and resolved |
| SharpHound-x-FlashIngestor | Comparison with SharpHound |

FlashIngestor separates collection into independent steps:

```mermaid
graph TD
    A[1. Ingest Ctrl+L] -->|LDAP queries| B[output/ldap/*.msgpack]
    B --> C[2. Remote Ctrl+R]
    C -->|RPC/HTTP| D[output/remote/*.msgpack]
    B --> E[3. Convert Ctrl+S]
    D --> E
    E -->|Merge & Build| F[output/bloodhound/*.json]
    F -->|Optional| G[output/bloodhound/*.zip]
```

Ingest (Ctrl+L):
- Queries LDAP for all AD objects (users, computers, groups, OUs, GPOs, PKI objects, etc.)
- Stores raw attributes in msgpack format under `output/ldap/`
- Customizable via `config.yaml` (filters, attributes, trust recursion, forest search)

Remote (Ctrl+R):
- Performs active RPC/HTTP collection on computers and CAs
- Collects: sessions, local groups, registry settings, GPO files, CA configs, etc.
- Results stored in msgpack format under `output/remote/`
- Enable/disable specific methods in `config.yaml`

Convert (Ctrl+S):
- Merges LDAP and remote data into BloodHound-compatible JSON
- No network activity, can be run repeatedly with different settings
- Outputs to `output/bloodhound/` with optional ZIP compression

`dcprobe`: Tests latency to all domain controllers and recommends the fastest for ingestion.

```
go build ./cmd/dcprobe
./dcprobe --dns <dns_server> -d <domain> -r <rounds>
```

`ingest2json`: Converts intermediate msgpack files to JSON for inspection without loading into BloodHound.

```
go build ./cmd/ingest2json
./ingest2json <msgpack_file> -o <output.json>
```

Large Environments:
- Experiment with `--remote-workers` for parallel remote collection
- Keep availability checks enabled to filter unreachable/incompatible computers

Network Optimization:
- Consider increasing timeouts for slow networks
- Specify `--dc` to avoid SRV lookups
- Use `--dns` to point to DC directly

Disk Space:
- Enable `compress_output: true` and `cleanup_after_compression: true` in config.yaml
- Delete msgpack files after importing to BloodHound if re-conversion isn't needed

- BloodHound Documentation
- SharpHound - Official C# collector
- BloodHound.py - Python-based collector by dirkjanm
- rusthound-ce - Rust-based collector by g0h4n