By George Ntrallos, Security Testing & Assurance (STA) on 29 August 2025
Introduction
BloodHound and neo4j are popular open-source tools used by red teams, blue teams, and penetration testers to analyse Active Directory (AD) environments.
Blade is a command-line tool written in Go, designed to interact with BloodHound CE and Neo4j using the bloodhound-go-sdk and neo4j-go-driver Golang libraries. It provides a user-friendly command-line interface for querying, injecting, and managing data within the BloodHound CE Neo4j database.
How do I use blade?
Prerequisites
- Go 1.23.2 or higher
- Access to a Bloodhound CE instance
Installation
Download the latest version form: [email protected]:CyberCX-STA/blade.git
This can be done by running the following command:
git clone [email protected]:CyberCX-STA/blade.git cd blade
There are two options for building the executable—one targeting Linux and the other targeting Windows hosts.
- For Windows host
make build-windows
- For Linux Host
sudo make build-linux
Configurations
The configurations are automatically generated in the following directories:
- Windows:
~/blade/config.yaml
- Linux
~/.config/blade/config.yaml
Note: Before using Blade, you need to generate a Bloodhound CE API token. You can do this by running the following command:
blade generate -u <username> -p <password> --create --name <token_name>
Features
- Injecting bloodhound.zip to Bloodhound CE
- Queries:
- List domains
- List domain administrators
- List kerberostable users
- List as-rep roasting users
- List enabled principal(s) with ‘Unconstrained Delegation’
- List principals that can perform ESC1, ESC3, ESC4, ADSC6a, ADCS6b, ADCS9a, ADCS9b, ADCS10a, ADCS10b, ADCS13 attacks
- List enabled principal(s) with ‘Unconstrained Delegation’
- List entities with ‘Constrained Delegation’
- Find users /groups with direct access to GPOs
- Find users that belong to high value groups
- Find users that can change password
- Cross domain group memberships
- List of privileged users’ sessions that are not in the protected group
- Enumerate
- List members of a group
- Users:
- RDP rights
- Group memberships
- Sessions
- PowerShell remote rights
- List of principals a user can control
- Owned entities:
- Add own entity
- List own entities
- Get information about the owned entities:
- RDP rights
- Group memberships
- Sessions
- PowerShell remote rights
- List of principals a user can control
- Download sharphound and azurehound
- Inject custom queries from a file or URL
- Delete custom queries
- Clear Bloodhound CE database
- Run Neo4j queries
Summary
Blade is a command-line tool that interacts with BloodHound CE and Neo4j. It streamlines enumeration for penetration testers and blue teamers through a simple command-line interface.
References
- Github: bloodhound-go-sdk
https://github.com/SpecterOps/bloodhound-go-sdk - Github: neo4j-go-driver
https://github.com/neo4j/neo4j-go-driver
