
SharpHound x FlashIngestor

Macmod edited this page Feb 15, 2026 · 4 revisions

FlashIngestor is in no way a replacement for SharpHound, which is the de facto standard maintained by SpecterOps. It aims instead to be an alternative implementation that can be used reliably in engagements and that works in a different, and in some aspects perhaps better, way. The goal is to keep FlashIngestor up to date with BloodHound improvements in the short term, but time is limited and long-term support cannot be guaranteed. Below is a very simple comparison:

Collection Methods

SharpHound organizes methods into predefined groups:

  • LocalGroups: DCOM, RDP, LocalAdmin, PSRemote
  • Default: Group, Session, Trusts, ACL, ObjectProps, LocalGroups (LocalAdmin, RDP, DCOM, PSRemote), SPNTargets, Container, CertServices, LdapServices, SmbInfo, WebClientService
  • All: Default + LoggedOn, GPOLocalGroup, UserRights, CARegistry, DCRegistry, NTLMRegistry
  • DCOnly: ACL, Container, Group, ObjectProps, Trusts, GPOLocalGroup, CertServices
  • ComputerOnly: LocalGroups, Session, UserRights, CARegistry, DCRegistry, WebClientService, SmbInfo, NTLMRegistry

FlashIngestor uses a different approach:

  • LDAP-based collections (the DCOnly set, except GPOLocalGroup and CertServices, which need SMB and HTTP respectively) are performed in the Ingestion step by a predefined set of queries that can be customized via config.yaml.
  • All other methods are performed in the Remote Collection step and are toggled individually in the methods section of config.yaml.

Supported methods, listed as SharpHound method → FlashIngestor equivalent, with how each side implements it:

  • LocalGroups → localgroups
    • SharpHound: uses MS-SAMR (SamrConnect → EnumerateDomainsInSAMServer → OpenDomain → EnumerateAliasesInDomain → OpenAlias → GetMembersInAlias); for DCs, only the Builtin domain is enumerated. Uses MS-LSAT (LsaLookupSids) to resolve local object names.
    • FlashIngestor: equivalent.
  • GPOLocalGroup → gpolocalgroup
    • SharpHound: uses SMB to read GPO files from SYSVOL, parsing Groups.xml and GptTmpl.inf to compute the effective enforced group memberships.
    • FlashIngestor: equivalent.
  • Session → sessions
    • SharpHound: uses MS-SRVS (NetSessionEnum) to enumerate active sessions.
    • FlashIngestor: equivalent.
  • LoggedOn → loggedon
    • SharpHound: uses MS-WKST (NetWkstaUserEnum) to enumerate logged-on users.
    • FlashIngestor: equivalent.
  • LoggedOn, registry part (unless --skipregistryloggedon is passed) → regsessions
    • SharpHound: uses MS-RRP to read the HKEY_USERS hive and identify logged-on users via their loaded user profiles; an alternative session detection mechanism.
    • FlashIngestor: equivalent.
  • UserRights → userrights
    • SharpHound: uses MS-LSAD (LsaEnumerateAccountsWithUserRight).
    • FlashIngestor: equivalent.
  • NTLMRegistry → ntlmregistry
    • SharpHound: uses MS-RRP to read HKLM\SYSTEM\CurrentControlSet\Control\Lsa for NTLM restrictions, audit settings, and authentication policies.
    • FlashIngestor: equivalent.
  • CARegistry → caregistry
    • SharpHound: uses MS-RRP to read HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, collecting enrollment endpoints and CA settings.
    • FlashIngestor: equivalent.
  • DCRegistry → dcregistry
    • SharpHound: uses MS-RRP to read DC-specific registry keys, including LSA settings, certificate mappings, and DC configuration.
    • FlashIngestor: equivalent.
  • LdapServices → ldapservices
    • SharpHound: LDAP binds to check LDAP signing requirements and channel binding enforcement.
    • FlashIngestor: equivalent.
  • WebClientService → webclient
    • SharpHound: SMB to check the WebClient service status via the DAV RPC SERVICE named pipe.
    • FlashIngestor: equivalent.
  • CertServices → certservices ⚠️
    • SharpHound: HTTP probes against web enrollment endpoints to determine susceptibility to attacks.
    • FlashIngestor: only works with password authentication due to library limitations, and has not been reviewed yet.
  • SmbInfo → smbinfo ⚠️
    • SharpHound: SMB negotiation to determine supported versions, plus MS-RRP to read SMB-related registry keys.
    • FlashIngestor: SMB negotiation is not implemented yet; only the MS-RRP part is, and that requires privileges on the target.
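The SMB-negotiation half of SmbInfo, marked above as not yet implemented in FlashIngestor, comes down to one request/response pair on TCP/445. The Go program below is an added example written for this page, not code from FlashIngestor or SharpHound: it builds an SMB2 NEGOTIATE request, parses the NEGOTIATE response for the negotiated dialect and the SecurityMode signing bits, and rejects an SMB1 ("\xFFSMB") answer instead of misparsing it. The response it parses is constructed inside the block (SampleNegotiateResponse), not captured from a host; the field layout follows MS-SMB2 sections 2.2.1.2, 2.2.3 and 2.2.4. Dialect 3.1.1 is deliberately not offered, because offering it requires negotiate contexts that this minimal probe does not build.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Dialects offered, oldest to newest. 3.1.1 (0x0311) is left out on purpose: offering it
// requires negotiate contexts (pre-auth integrity) that this minimal probe does not build.
var dialects = []uint16{0x0202, 0x0210, 0x0300, 0x0302}
const (
	signingEnabled  = 0x0001 // SMB2_NEGOTIATE_SIGNING_ENABLED
	signingRequired = 0x0002 // SMB2_NEGOTIATE_SIGNING_REQUIRED
)
var smb2Magic = []byte{0xFE, 'S', 'M', 'B'}

// NegotiateInfo holds the relay-relevant facts from a NEGOTIATE response.
type NegotiateInfo struct {
	Dialect         uint16
	SigningEnabled  bool
	SigningRequired bool
}

func writeLE(b *bytes.Buffer, fields ...any) {
	for _, f := range fields {
		binary.Write(b, binary.LittleEndian, f) // fixed-size values only, so no error
	}
}

// netbiosFrame prefixes msg with the NetBIOS session service header used on TCP/445:
// a zero byte followed by the 24-bit big-endian message length.
func netbiosFrame(msg []byte) []byte {
	n := len(msg)
	return append([]byte{0, byte(n >> 16), byte(n >> 8), byte(n)}, msg...)
}

// smb2Header writes the 64-byte header (MS-SMB2 2.2.1.2) of a NEGOTIATE message: StructureSize,
// CreditCharge, Status, Command (0 = NEGOTIATE), Credits, Flags, NextCommand, MessageId, Reserved,
// TreeId, SessionId, Signature.
func smb2Header(b *bytes.Buffer, flags uint32) {
	b.Write(smb2Magic)
	writeLE(b, uint16(64), uint16(0), uint32(0), uint16(0), uint16(1), flags,
		uint32(0), uint64(0), uint32(0), uint32(0), uint64(0), [16]byte{})
}

// BuildNegotiateRequest returns a framed NEGOTIATE request (MS-SMB2 2.2.3) that advertises
// signing as enabled but not required, as a default Windows client does.
func BuildNegotiateRequest(clientGUID [16]byte) []byte {
	var b bytes.Buffer
	smb2Header(&b, 0)
	// StructureSize, DialectCount, SecurityMode, Reserved, Capabilities, ClientGuid,
	// NegotiateContextOffset/Count/Reserved2 (8 bytes, unused below 3.1.1), Dialects
	writeLE(&b, uint16(36), uint16(len(dialects)), uint16(signingEnabled), uint16(0),
		uint32(0), clientGUID, uint64(0), dialects)
	return netbiosFrame(b.Bytes())
}

// SampleNegotiateResponse builds a constructed (not captured) response so the parser can run
// offline. Body fields per MS-SMB2 2.2.4, in order: StructureSize, SecurityMode, DialectRevision,
// NegotiateContextCount, ServerGuid, Capabilities, MaxTransact/Read/WriteSize, SystemTime,
// ServerStartTime, SecurityBufferOffset/Length, NegotiateContextOffset.
func SampleNegotiateResponse(dialect, securityMode uint16) []byte {
	var b bytes.Buffer
	smb2Header(&b, 1) // SMB2_FLAGS_SERVER_TO_REDIR
	writeLE(&b, uint16(65), securityMode, dialect, uint16(0), [16]byte{0xAB}, uint32(0x2f),
		uint32(1<<23), uint32(1<<23), uint32(1<<23), uint64(0), uint64(0),
		uint16(128), uint16(0), uint32(0))
	return netbiosFrame(b.Bytes())
}

// ParseNegotiateResponse decodes a framed NEGOTIATE response. An SMB1-only host answers with
// "\xFFSMB" instead of "\xFESMB"; that is reported as an error, not parsed.
func ParseNegotiateResponse(frame []byte) (NegotiateInfo, error) {
	var info NegotiateInfo
	if len(frame) < 4 {
		return info, fmt.Errorf("short frame")
	}
	n := int(frame[1])<<16 | int(frame[2])<<8 | int(frame[3])
	if len(frame) < 4+n || n < 64+64 { // header plus the fixed part of the body
		return info, fmt.Errorf("truncated SMB2 message (%d bytes announced)", n)
	}
	msg, le := frame[4:4+n], binary.LittleEndian
	if !bytes.Equal(msg[:4], smb2Magic) {
		return info, fmt.Errorf("not SMB2 (starts % x): SMB1-only server?", msg[:4])
	}
	if status, cmd := le.Uint32(msg[8:12]), le.Uint16(msg[12:14]); status != 0 || cmd != 0 {
		return info, fmt.Errorf("NEGOTIATE failed: NTSTATUS 0x%08x, command %d", status, cmd)
	}
	body := msg[64:]
	if le.Uint16(body[0:2]) != 65 {
		return info, fmt.Errorf("bad NEGOTIATE response StructureSize %d", le.Uint16(body[0:2]))
	}
	mode := le.Uint16(body[2:4])
	info.Dialect = le.Uint16(body[4:6])
	info.SigningEnabled = mode&signingEnabled != 0
	info.SigningRequired = mode&signingRequired != 0
	return info, nil
}

func main() {
	info, err := ParseNegotiateResponse(SampleNegotiateResponse(0x0302, signingEnabled))
	fmt.Printf("%+v %v\n", info, err) // {Dialect:770 SigningEnabled:true SigningRequired:false} <nil>
}
```

To run it against a live host, write BuildNegotiateRequest(...) to a TCP connection on port 445, read the 4-byte NetBIOS header, then the announced number of bytes (io.ReadFull), and hand the whole frame to ParseNegotiateResponse. SigningRequired being false is the condition NTLM relay to SMB depends on, which is why SmbInfo collects it; a "\xFFSMB" answer means the host speaks only SMB1.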

Note

About RDP/DCOM/PSRemote/LocalAdmin: SharpHound does not appear to treat these individually; it only uses them to decide whether GPOLocalGroup and LocalGroups will run. They are therefore not implemented in FlashIngestor, to avoid confusion. In FlashIngestor, gpolocalgroup always collects information about GPO changes to all four of these groups, and localgroups always enumerates all local groups.
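As an added example for this page (not FlashIngestor's or SharpHound's own code), the Go program below does the parsing step the gpolocalgroup row describes: it reads the [Group Membership] section of a Restricted Groups GptTmpl.inf and the Member actions of a Group Policy Preferences Groups.xml, and computes the membership the GPO enforces for the four tracked local groups (Administrators S-1-5-32-544, Remote Desktop Users S-1-5-32-555, Distributed COM Users S-1-5-32-562, Remote Management Users S-1-5-32-580). Both input files are constructed inline with made-up SIDs, and are assumed to have already been read from SYSVOL and decoded (GptTmpl.inf on disk is UTF-16LE). The rule that a Members line is authoritative while Memberof lines and GPP ADD/REMOVE actions modify the existing set, and the omission of deleteAllUsers/deleteAllGroups, are simplifications chosen for this example, not a statement of either tool's exact semantics.

```go
package main

import (
	"bufio"
	"encoding/xml"
	"fmt"
	"strings"
)

// Membership maps a local group SID to the principals (SID or DOMAIN\name) a GPO puts in it;
// a group no setting touches has no entry, an emptied group has an empty set.
type Membership map[string]map[string]bool

func (m Membership) add(group, member string) {
	if m[group] == nil {
		m[group] = map[string]bool{}
	}
	m[group][member] = true
}

// ParseGptTmpl applies the [Group Membership] section of a Restricted Groups GptTmpl.inf (assumed
// already decoded from UTF-16LE). "*<sid>__Members" replaces the group's members with the comma-
// separated list (an empty list empties the group); "*<sid>__Memberof" adds the subject to each
// listed group. SIDs carry a "*" prefix, DOMAIN\name entries do not.
func ParseGptTmpl(inf string, m Membership) {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(inf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			inSection = strings.EqualFold(line, "[Group Membership]")
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		subject, kind, ok2 := strings.Cut(strings.TrimSpace(key), "__")
		if !inSection || !ok || !ok2 {
			continue
		}
		subject = strings.TrimPrefix(subject, "*")
		isMembers := strings.EqualFold(kind, "Members")
		if isMembers {
			m[subject] = map[string]bool{} // authoritative: drops whatever was there
		}
		for _, item := range strings.Split(val, ",") {
			if item = strings.TrimPrefix(strings.TrimSpace(item), "*"); item == "" {
				continue
			}
			if isMembers {
				m.add(subject, item)
			} else if strings.EqualFold(kind, "Memberof") {
				m.add(item, subject)
			}
		}
	}
}

// gppGroups models the part of a Group Policy Preferences Groups.xml needed here.
type gppGroups struct {
	Group []struct {
		Props struct {
			GroupSid string `xml:"groupSid,attr"`
			Member   []struct {
				Action string `xml:"action,attr"`
				SID    string `xml:"sid,attr"`
			} `xml:"Members>Member"`
		} `xml:"Properties"`
	} `xml:"Group"`
}

// ParseGroupsXML applies Groups.xml ADD/REMOVE member actions on top of m. Simplification
// (assumption): deleteAllUsers/deleteAllGroups and members without a sid attribute are ignored.
func ParseGroupsXML(doc string, m Membership) error {
	var g gppGroups
	err := xml.Unmarshal([]byte(doc), &g)
	for _, grp := range g.Group {
		for _, mem := range grp.Props.Member {
			if mem.SID == "" {
				continue
			}
			switch strings.ToUpper(mem.Action) {
			case "ADD":
				m.add(grp.Props.GroupSid, mem.SID)
			case "REMOVE":
				delete(m[grp.Props.GroupSid], mem.SID) // no-op on a nil map
			}
		}
	}
	return err
}

// Constructed samples, not captured from a real domain; the SIDs are made up.
const sampleGptTmpl = `[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,CONTOSO\helpdesk
*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1108
*S-1-5-21-1111-2222-3333-1130__Memberof = *S-1-5-32-580
`
const sampleGroupsXML = `<Groups><Group name="Administrators (built-in)">
<Properties action="U" groupSid="S-1-5-32-544"><Members>
<Member name="CONTOSO\svc-backup" action="ADD" sid="S-1-5-21-1111-2222-3333-1120"/>
<Member name="CONTOSO\oldadmin" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1105"/>
</Members></Properties></Group></Groups>`

func main() {
	m := Membership{}
	ParseGptTmpl(sampleGptTmpl, m)
	// S-1-5-32-544 keeps CONTOSO\helpdesk, gains ...-1120 and loses ...-1105; S-1-5-32-562 is untouched
	fmt.Println(ParseGroupsXML(sampleGroupsXML, m), m)
}
```

What this leaves out is the rest of the collector's job: resolving the remaining DOMAIN\name entries and SIDs to BloodHound object IDs, and working out which computers the GPO actually applies to from its links and enforcement, which is what turns the per-GPO result above into edges.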

Three-Step Collection Process

FlashIngestor separates collection into three distinct phases:

  • Ingest (LDAP): collects all LDAP data and stores it as msgpack files
  • Remote (RPC/HTTP): performs active remote collection against domain controllers, certificate authorities and regular computers
  • Convert (Offline): merges the LDAP and Remote data and generates BloodHound JSON

SharpHound executes all collection methods in a single step and directly outputs BloodHound JSON.

Trade-offs:

  • FlashIngestor requires more disk space for intermediate msgpack files
  • FlashIngestor allows re-running conversion without re-collecting
  • FlashIngestor enables selective re-collection (LDAP-only, Remote-only)
  • SharpHound is the official implementation and simpler operationally (one command, immediate output)

LDAP Query Customization

FlashIngestor provides full LDAP query customization via config.yaml, with customizable search filters and attribute lists, while SharpHound uses hardcoded LDAP queries.

RPC Implementation

FlashIngestor uses the oiweiwei/go-msrpc library for RPC calls, providing:

  • A pure Go implementation (no dependency on the Windows RPC runtime, so it runs from non-Windows hosts)
  • Support for multiple RPC interfaces (MS-LSAT, MS-LSAD, MS-SRVS, MS-WKST, MS-SAMR, MS-RRP/WinReg, etc.)

SharpHound uses native Windows APIs and .NET RPC client libraries.

Cross-Domain Authentication

FlashIngestor cross-domain limitations:

  • Kerberos cross-domain authentication not yet implemented
  • Certificate-based authentication is limited to initial domain

SharpHound generally handles cross-domain authentication more seamlessly with Kerberos.

Performance Considerations

  • FlashIngestor

    • Pros: Separation allows LDAP-only collections to be very fast, intermediate files enable offline analysis
    • Cons: Conversion step adds time, higher disk usage, three-step process
  • SharpHound

    • Pros: Single-step collection, immediate BloodHound JSON output, lower disk usage
    • Cons: Must re-run the whole collection if the output is corrupted or additional methods are needed

I haven't had time to benchmark FlashIngestor properly, but it seems to work well on relatively large environments - if you have any good data on that let me know 🙂.

Output Format

  • FlashIngestor

    • Intermediate: msgpack binary format in output/ldap/ and output/remote/
    • Final: BloodHound JSON in output/bloodhound/, optionally compressed as ZIP
    • Optional: JSON conversion of msgpack via ingest2json utility
  • SharpHound

    • Direct: BloodHound JSON, optionally compressed as ZIP
