Configuration
FlashIngestor is configured through a combination of command-line arguments and a YAML configuration file (config.yaml). This page describes all available configuration options organized by category.
Note
If config.yaml is not present in the current directory or the path specified via --config, FlashIngestor will use built-in defaults (hardcoded in config/fallback.go).
| Flag | Type | Default | Description |
|---|---|---|---|
| `--dc` | string | (auto-discovered) | Domain controller to use for LDAP queries. If not specified, FlashIngestor will attempt to discover it via SRV/A DNS lookups. |
| `--dns` | string | (system default) | Custom DNS resolver IP address. Required when the system DNS doesn't know about the AD domain. |
| `--dns-tcp` | bool | false | Use DNS over TCP instead of UDP. Useful when proxying traffic over SOCKS, where UDP is not supported. |
| `--outdir` | string | ./output | Directory to store results (intermediate msgpack files and final JSON). |
| `--log` | string | (none) | Path to log file. If specified, logs are written to both the file and the TUI. |
| `--config` | string | config.yaml | Path to YAML configuration file. |
| `-w, --remote-workers` | int | 50 | Number of concurrent workers for remote collection. Increase for better throughput in large environments. |
| `--computer-timeout` | duration | 10s | Timeout per computer for remote collection (all methods combined). |
| `--method-timeout` | duration | 4s | Timeout per individual remote collection method. |
| `-v, --verbose` | count | 0 | Increase verbosity level. Use `-v` for verbose, `-vv` for debug (maximum). |
| `--pprof` | bool | false | Enable the pprof profiling server on http://localhost:6060 for performance analysis. |
| `--version` | bool | false | Show version information and exit. |
FlashIngestor uses the following hardcoded timeouts for various network operations (defined in config/config.go):
| Operation | Timeout | Description |
|---|---|---|
| LDAP Connection | 30s | Timeout for establishing LDAP connections |
| Port Check | 2s | Generic timeout for port availability checks |
| NetBIOS | 2s | Timeout for NetBIOS operations |
| HTTP | 3s | Timeout for HTTP requests (CA enrollment endpoint checks) |
| DCE/RPC EPM | 2s | Timeout for DCE/RPC endpoint mapper |
| Kerberos | 2s | Timeout for Kerberos operations |
| SMB | 2s | Timeout for SMB operations |
| DNS Dial | 5s | Timeout for connecting to DNS server |
| DNS Lookup | 10s | Timeout for DNS resolution |
These flags control the LDAP connection behavior during the ingestion step.
| Flag | Type | Default | Description |
|---|---|---|---|
| `--scheme` | string | ldaps | LDAP scheme: `ldap` (port 389) or `ldaps` (port 636). |
| `--timeout` | duration | 30s | LDAP connection timeout. Increase if working with a slow DC or network environment. |
| `--verify` | bool | false | Verify the LDAP TLS certificate (for LDAPS). Generally not needed for auditing purposes. |
| `--start-tls` | bool | false | Negotiate StartTLS on a plain LDAP connection (port 389) before authenticating. |
Tip
If connecting via LDAPS (636) fails, FlashIngestor will automatically fall back to plain LDAP (389) when ingestion.ldaps_to_ldap_fallback is enabled in config.yaml (default: true).
These flags control authentication for the LDAP ingestion step. At minimum, you must provide --user and one authentication method.
| Flag | Type | Description |
|---|---|---|
| `-u, --user` | string | Required. Username with domain in one of these formats: UPN `user@domain.com`; NetBIOS `DOMAIN\user` or `DOMAIN/user`; Simple `user` (domain inferred); Anonymous `@domain.com` (with empty password). |
| `-p, --password` | string | Password for authentication. Use with `-k` for Kerberos or without for NTLM. |
| `-H, --nt-hash` | string | NT hash for pass-the-hash authentication (NTLM or Kerberos). |
| `--aes-key` | string | AES128 or AES256 key for pass-the-key (Kerberos only). Requires `-k`. |
| `--ccache` | string | Path to Kerberos credential cache (TGT) file. Requires `-k`. Alternative: set the `KRB5CCNAME` environment variable. |
| `--pfx` | string | Path to PFX/PKCS#12 certificate file for certificate-based authentication. |
| `--pfx-password` | string | Password for PFX file (if encrypted). |
| `--cert` | string | Path to PEM certificate file for certificate-based authentication. |
| `--key` | string | Path to PEM private key file for certificate-based authentication. |
| `-k, --kerberos` | bool | Force Kerberos authentication instead of NTLM. |
Warning
When using Kerberos or certificates for ingestion, only DCs of the same domain as the user will be enumerated. Cross-domain ingestion requires NTLM (password/hash).
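The following Go function is an added example (not FlashIngestor's own code) that parses the four `--user` formats listed above and rejects an anonymous identity supplied with a non-empty password; the `Credential` type is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Credential is the parsed form of a --user value (type assumed for this example);
// Domain is empty for the simple format, where FlashIngestor infers it.
type Credential struct {
	User, Domain string
	Anonymous    bool
}

// ParseUser accepts the four documented formats: UPN (user@domain.com), NetBIOS
// (DOMAIN\user or DOMAIN/user), simple (user) and anonymous (@domain.com), the last
// of which is only valid together with an empty password.
func ParseUser(value, password string) (Credential, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return Credential{}, errors.New("--user is required")
	}
	if i := strings.IndexAny(value, `\/`); i >= 0 { // NetBIOS form
		dom, usr := value[:i], value[i+1:]
		if dom == "" || usr == "" {
			return Credential{}, fmt.Errorf("malformed NetBIOS identity %q", value)
		}
		return Credential{User: usr, Domain: dom}, nil
	}
	if i := strings.LastIndex(value, "@"); i >= 0 { // UPN or anonymous form
		usr, dom := value[:i], value[i+1:]
		if dom == "" {
			return Credential{}, fmt.Errorf("missing domain in %q", value)
		}
		if usr == "" && password != "" {
			return Credential{}, errors.New("anonymous bind (@domain) requires an empty password")
		}
		return Credential{User: usr, Domain: dom, Anonymous: usr == ""}, nil
	}
	return Credential{User: value}, nil // simple form: domain inferred later
}

func main() {
	for _, v := range []string{"alice@corp.example", `CORP\alice`, "CORP/alice", "alice", "@corp.example"} {
		c, err := ParseUser(v, "")
		fmt.Printf("%-20s -> %+v err=%v\n", v, c, err)
	}
}
```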
These flags provide separate credentials for remote collection. If not specified, FlashIngestor will use the same credentials as ingestion.
| Flag | Type | Description |
|---|---|---|
| `--remote-user` | string | Username for remote collection (same format as `--user`). |
| `--remote-password` | string | Password for remote collection. |
| `--remote-nthash` | string | NT hash for remote collection. |
| `--remote-aeskey` | string | AES key for remote collection. Requires `--remote-kerberos`. |
| `--remote-ccache` | string | Path to credential cache for remote collection. Requires `--remote-kerberos`. |
| `--remote-pfx` | string | Path to PFX file for remote collection. |
| `--remote-pfx-password` | string | Password for PFX file. |
| `--remote-cert` | string | Path to PEM certificate for remote collection. |
| `--remote-key` | string | Path to PEM key for remote collection. |
| `--remote-kerberos` | bool | Force Kerberos for remote collection. |
Use Cases:
- Local admin for remote collection: `--remote-user Administrator@.` (effectiveness depends on the `FilterAdministratorToken`/`LocalAccountTokenFilterPolicy` registry settings)
- Different privileges: Running remote collection with a privileged user, but ingestion with a low-privilege user.
Warning
When using Kerberos or certificates for remote collection, only computers in the same domain as the user will be authenticated. Cross-domain remote collection requires NTLM (password/hash).
The configuration file is divided into three main sections: ingestion, remote_collection, and conversion.
Controls behavior during the LDAP ingestion step (Ctrl+L in the TUI).
```yaml
ingestion:
  include_acls: true
  recurse_trusts: false
  recurse_feasible_only: true
  search_forest: false
  ldaps_to_ldap_fallback: true
  prompt_msgpack_overwrite: true
  append_forest_domains: true
  queries:
    - name: Configuration
      filter: "(objectClass=*)"
      page_size: 1000
      attributes:
        - "*"
        - nTSecurityDescriptor
    # ... more queries
```

| Option | Type | Default | Description |
|---|---|---|---|
| `include_acls` | bool | true | Include the nTSecurityDescriptor attribute in queries to collect ACLs. Critical for BloodHound ACL abuse paths. Set to false only for evasion or testing. |
| `recurse_trusts` | bool | false | Recursively ingest trusted domains using the same credentials. Only works with password or NT hash over NTLM. |
| `recurse_feasible_only` | bool | true | When recurse_trusts is enabled, only ingest trusts that are (1) inbound or bidirectional and (2) either involve the initial domain or are transitive. This prevents traversing outbound-only trusts and stops at nontransitive trust boundaries. |
| `search_forest` | bool | false | Ingest all domains in the same forest by reading the Configuration partition. Can be used with recurse_trusts (domains found via either method are only ingested once). |
| `ldaps_to_ldap_fallback` | bool | true | If the LDAPS (636) connection fails, automatically retry with plain LDAP (389). |
| `prompt_msgpack_overwrite` | bool | true | Prompt for confirmation before overwriting existing msgpack files during ingestion or remote collection. |
| `append_forest_domains` | bool | true | Append newly discovered domain↔forest mappings to output/ldap/ForestDomains.json instead of overwriting. |
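As an added example (not FlashIngestor's own code), this Go program applies the `recurse_feasible_only` rule above to a constructed set of trusts and shows which domains a recursive ingestion would reach and which trusts it would skip; the `Trust` type and the breadth-first walk are assumptions of this example.

```go
package main

import "fmt"

const Inbound, Outbound, Bidirectional = 1, 2, 3 // trustDirection values on trustedDomain objects
// Trust is one trustedDomain entry read while ingesting From (type assumed for this example).
type Trust struct {
	From, To   string
	Direction  int
	Transitive bool // false when the NON_TRANSITIVE bit of trustAttributes is set
}
// Feasible applies the recurse_feasible_only rule: follow a trust only if it is inbound or
// bidirectional, and it either involves the initial domain or is transitive.
func Feasible(t Trust, initial string) bool {
	if t.Direction != Inbound && t.Direction != Bidirectional {
		return false // outbound-only: the remote domain will not accept our credentials
	}
	return t.From == initial || t.To == initial || t.Transitive
}

// PlanRecursion walks feasible trusts breadth-first from initial and returns the domains
// that would be ingested (each at most once) plus the trusts skipped by the rule.
func PlanRecursion(initial string, trusts []Trust) (ingested []string, skipped []Trust) {
	seen := map[string]bool{initial: true}
	queue := []string{initial} // never popped, so it doubles as the ingestion order
	for i := 0; i < len(queue); i++ {
		for _, t := range trusts {
			if t.From != queue[i] {
				continue
			}
			if !Feasible(t, initial) {
				skipped = append(skipped, t)
			} else if !seen[t.To] {
				seen[t.To] = true
				queue = append(queue, t.To)
			}
		}
	}
	return queue, skipped
}

func main() {
	trusts := []Trust{ // constructed sample: parent/child, inbound external, outbound-only, non-transitive
		{"corp.local", "child.corp.local", Bidirectional, true},
		{"corp.local", "partner.example", Inbound, false},
		{"corp.local", "vendor.example", Outbound, false},
		{"partner.example", "other.example", Bidirectional, false},
	}
	fmt.Println(PlanRecursion("corp.local", trusts))
}
```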
The queries section defines LDAP searches executed during ingestion. Each query has:
| Field | Type | Description |
|---|---|---|
| `name` | string | Query identifier (used for logging and output filenames). |
| `filter` | string | LDAP search filter. Must be valid LDAP syntax. |
| `page_size` | int | Number of results returned per paged query (LDAP paging). Typical values: 100-1000. Usually does not need to be changed. |
| `attributes` | list | LDAP attributes to retrieve. Use `"*"` for all standard attributes and explicitly list operational attributes such as nTSecurityDescriptor. |
Default Queries:
| Name | Filter | Purpose |
|---|---|---|
| Configuration | `(objectClass=*)` | Collects PKI objects (CAs, cert templates, issuance policies) from the Configuration partition |
| Schema | `(\|(name=ms-mcwd)(name=ms-lap))` | |
| Domains | `(objectClass=domain)` | Domain partition roots |
| Trusts | `(objectClass=trustedDomain)` | Trust relationships |
| Containers | `(&(!(objectClass=groupPolicyContainer))(objectClass=container))` | Container objects (excluding GPOs) |
| OrganizationalUnits | `(objectClass=organizationalUnit)` | OUs |
| Users | `(\|(&(objectCategory=person)(objectClass=user))(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))` | |
| Computers | `(&(sAMAccountType=805306369)(!(objectClass=msDS-GroupManagedServiceAccount))(!(objectClass=msDS-ManagedServiceAccount)))` | Computer objects (excluding MSA/gMSAs) |
| Groups | `(objectClass=group)` | Security and distribution groups |
| GroupPolicies | `(objectCategory=groupPolicyContainer)` | GPO objects |
Warning
Customizing Queries: You can modify filters and attributes, but be cautious:
- Removing required attributes may break BloodHound conversion
- Changing filter semantics may cause incomplete collection
- The default queries are tuned for BloodHound compatibility
Refer to Object-Model to see which attributes are needed for each object type.
Controls behavior during the remote collection step (Ctrl+R in the TUI).
```yaml
remote_collection:
  methods:
    - userrights
    - dcregistry
    - sessions
    - regsessions
    - loggedon
    - ntlmregistry
    - caregistry
    - certservices
    - webclient
    - localgroups
    - ldapservices
    - smbinfo
    - gpolocalgroup
  availability_checks:
    - windows_os
    - password_age
    # - smb_port_scan
```

Each method corresponds to a specific type of remote data collection. Toggle methods based on your objectives and environment constraints. For detailed information about each method, see SharpHound-x-FlashIngestor.
Availability checks filter which computers undergo remote collection, reducing wasted time and noise.
| Check | Description | When to Use |
|---|---|---|
| `windows_os` | Only collect from computers whose operatingSystem attribute contains "Windows" | Environments with mixed OS (exclude Linux/macOS) |
| `password_age` | Only collect from computers with pwdLastSet or lastLogonTimestamp within the last 60 days | Exclude stale/decommissioned computers |
| `smb_port_scan` | Only collect from computers with TCP port 445 open | Reduce failed connection attempts (adds latency per computer) |
Default: windows_os and password_age enabled, smb_port_scan disabled (adds overhead).
Note
If no checks are specified, remote collection runs on all computers found during ingestion (subject to enabled methods). This could be a big bottleneck depending on the size of the environment, as most environments have many computer objects that don't actually represent active computers.
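This Go program is an added example (not FlashIngestor's own code) of the `windows_os` and `password_age` checks applied to constructed computer objects, including the FILETIME conversion needed for `pwdLastSet` and `lastLogonTimestamp`; the `Computer` type is an assumption, and `smb_port_scan` is left out because it needs a live network probe.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Computer holds the LDAP attributes the checks read (type assumed); timestamps are Windows FILETIME.
type Computer struct {
	Name, OperatingSystem          string
	PwdLastSet, LastLogonTimestamp int64
}

const fileTimeEpochDiff = 116444736000000000 // 100 ns ticks from 1601-01-01 to 1970-01-01

// fileTimeToTime converts a FILETIME to time.Time; 0 (never set) maps to the zero time.
func fileTimeToTime(ft int64) time.Time {
	if ft <= 0 {
		return time.Time{}
	}
	return time.Unix((ft-fileTimeEpochDiff)/10_000_000, 0).UTC()
}

func timeToFileTime(t time.Time) int64 { return t.Unix()*10_000_000 + fileTimeEpochDiff } // inverse, for sample data

// Eligible applies the configured availability_checks: windows_os keeps computers whose
// operatingSystem contains "Windows"; password_age keeps those with pwdLastSet or lastLogonTimestamp
// in the last 60 days. An empty check list lets every computer through, as the note above says.
func Eligible(c Computer, checks []string, now time.Time) bool {
	cutoff := now.Add(-60 * 24 * time.Hour)
	for _, check := range checks {
		switch check {
		case "windows_os":
			if !strings.Contains(c.OperatingSystem, "Windows") {
				return false
			}
		case "password_age":
			if !fileTimeToTime(c.PwdLastSet).After(cutoff) && !fileTimeToTime(c.LastLogonTimestamp).After(cutoff) {
				return false
			}
		}
	}
	return true
}

func main() {
	c := Computer{"WS01", "Windows 11 Enterprise", timeToFileTime(time.Now().Add(-10 * 24 * time.Hour)), 0}
	fmt.Println(c.Name, "eligible:", Eligible(c, []string{"windows_os", "password_age"}, time.Now()))
}
```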
Controls behavior during the conversion step (Ctrl+S in the TUI), which merges LDAP and remote data into BloodHound JSON.
```yaml
conversion:
  merge_remote: true
  writer_bufsize: 33554432
  compress_output: true
  cleanup_after_compression: true
```

| Option | Type | Default | Description |
|---|---|---|---|
| `merge_remote` | bool | true | Merge remote collection results from output/remote/ into the ingested LDAP data. Set to false to convert LDAP-only data. |
| `writer_bufsize` | int | 33554432 (32 MB) | Size of the memory buffer (in bytes) for writing BloodHound JSON files. May improve write performance. |
| `compress_output` | bool | true | Compress BloodHound JSON files into a ZIP archive after conversion. |
| `cleanup_after_compression` | bool | true | Delete individual JSON files after successful ZIP compression. Saves disk space after conversion ends. |
Tip
Disk Space Management:
- Enable `compress_output` + `cleanup_after_compression` (default) to minimize disk usage
- Keep msgpack files (`output/ldap/`, `output/remote/`) if you need to re-run conversion with different settings
- After importing to BloodHound, you can safely delete msgpack files if not needed for analysis