Introducing Blade: Streamlined command-line tool for Bloodhound and Neo4j

By George Ntrallos, Security Testing & Assurance (STA) on 29 August 2025

Introduction

BloodHound and neo4j are popular open-source tools used by red teams, blue teams, and penetration testers to analyse Active Directory (AD) environments.

Blade is a command-line tool written in Go, designed to interact with BloodHound CE and Neo4j using the bloodhound-go-sdk and neo4j-go-driver Golang libraries. It provides a user-friendly command-line interface for querying, injecting, and managing data within the BloodHound CE Neo4j database.

How do I use blade?

Prerequisites

• Go 1.23.2 or higher
• Access to a Bloodhound CE instance

Installation

Download the latest version form: [email protected]:CyberCX-STA/blade.git

This can be done by running the following command:

git clone [email protected]:CyberCX-STA/blade.git
cd blade

There are two options for building the executable—one targeting Linux and the other targeting Windows hosts.

• For Windows host

make build-windows

• For Linux Host

sudo make build-linux

Configurations

The configurations are automatically generated in the following directories:

• Windows:

~/blade/config.yaml

• Linux

~/.config/blade/config.yaml

Note: Before using Blade, you need to generate a Bloodhound CE API token. You can do this by running the following command:

blade generate -u <username> -p <password> --create --name <token_name>

Features

• Injecting bloodhound.zip to Bloodhound CE
• Queries:
  • List domains
  • List domain administrators
  • List kerberostable users
  • List as-rep roasting users
  • List enabled principal(s) with ‘Unconstrained Delegation’
  • List principals that can perform ESC1, ESC3, ESC4, ADSC6a, ADCS6b, ADCS9a, ADCS9b, ADCS10a, ADCS10b, ADCS13 attacks
  • List enabled principal(s) with ‘Unconstrained Delegation’
  • List entities with ‘Constrained Delegation’
  • Find users /groups with direct access to GPOs
  • Find users that belong to high value groups
  • Find users that can change password
  • Cross domain group memberships
  • List of privileged users’ sessions that are not in the protected group
• Enumerate
  • List members of a group
  • Users:
    • RDP rights
    • Group memberships
    • Sessions
    • PowerShell remote rights
    • List of principals a user can control
• Owned entities:
  • Add own entity
  • List own entities
  • Get information about the owned entities:
    
    • RDP rights
    • Group memberships
    • Sessions
    • PowerShell remote rights
    • List of principals a user can control
    • Download sharphound and azurehound
• Inject custom queries from a file or URL
• Delete custom queries
• Clear Bloodhound CE database
• Run Neo4j queries

Summary

Blade is a command-line tool that interacts with BloodHound CE and Neo4j. It streamlines enumeration for penetration testers and blue teamers through a simple command-line interface.

References

• Github: bloodhound-go-sdk
  https://github.com/SpecterOps/bloodhound-go-sdk
• Github: neo4j-go-driver
  https://github.com/neo4j/neo4j-go-driver