Logo based on OG BloodHound logo with some python permutations
What started out as a GUI test and something to muck about with has sort of grown arms and legs. As it stands this is a cross platform GUI app for browsing LDAP and will direct YOLO into a Neo4J database, it comes with LDAP/LDAPS browsing capabilites, it'll run standalone and you can modify it how you like.
I wanted this to be similar to Sysinternals' ADExplorer with the GUI Experience in mind and tree view, also additional direct connect to a neo4j DB or export to CSV/BH data for ease of use.
- Python 3.8 or higher
- requirements.txt - install them all in a venv
git clone https://github.com/zephrfish/pyLDAPGui
cd pyLDAPGui
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt- Start the application (or if you're on windows you can pyinstaller the exe and run the standalone exe):
python main.pyHere's some pretty screenshots of working on Mac and Windows:
Windows Tree filter:
Demo Video of Ingest to BloodHound 4.x:
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>Featuring Koven - Good Enough as a background track! pic.twitter.com/KPPunRg4Cx
— @zephrfish.yxz.red (@ZephrFish) September 12, 2025
this may or may not load
-
Connect to LDAP server:
- Click "Connect" in toolbar or File menu
- Enter connection details:
- Server: LDAP server hostname or IP
- Port: 389 (standard) or 636 (SSL)
- Username: Full DN or domain\username format
- Password: Authentication password
- Check "Use SSL/TLS" for secure connections
- Proxy Settings (Optional):
- Enable proxy for restricted environments
- **[Currently broken] **Support for SOCKS4, SOCKS5, and HTTP proxies
- Configure proxy host, port, and authentication
- Optionally save as profile for future use
-
Browse directory:
- Expand tree nodes to explore structure
- Click entries to view attributes in detail
- Use tabs to switch between attributes, raw data, and server info
- Filter tree entries using the search box (Ctrl+Shift+F)
-
Advanced search:
- Use Search > Search... (Ctrl+F) for LDAP filter queries
- Select from pre-built common filters
- Export search results directly to CSV or Bloodhound
-
Export data:
- CSV: File > Export to CSV for spreadsheet analysis
- Bloodhound Legacy: File > Export to Bloodhound for graph visualisation (4.3 format)
- Neo4j: File > Ingest to Neo4j for direct database import
- Use prominent export buttons in main interface
Ctrl+F- Open advanced search dialogCtrl+Shift+F- Focus tree filter inputCtrl+E- Export to CSVCtrl+B- Export to BloodhoundCtrl+N- Ingest to Neo4jCtrl+Q- Quit application
- Connect to LDAP servers with username/password authentication
- Support for SSL/TLS connections
- SOCKS Proxy Support: Connect through SOCKS4/SOCKS5/HTTP proxies
- Ideal for restricted environments or isolated networks
- Support for proxy authentication
- Profile-based proxy configuration
- Auto-discovery of base DN and server capabilities
- Save and manage connection profiles with encrypted password storage
- Quick connect using saved profiles
- Tree-based navigation of LDAP directory structure
- Lazy loading for efficient browsing of large directories
- Real-time tree filtering with keyboard shortcuts
- View all attributes of selected entries
- Raw data view in JSON format
- Server information display
- Prominent export buttons for quick access
- CSV Export: Complete attribute data with pipe-separated multi-values
- Bloodhound 4.3 Legacy Export:
- Compatible with Bloodhound 4.3 Legacy (not CE)
- Proper object type mapping for users, computers, groups, OUs, domains
- Security flags and attributes (UAC flags, SPNs, etc.)
- Automatic SID conversion from binary to string format
- Support for large-scale exports (50,000+ objects)
- Creates ZIP file with separate JSON files per object type
- Neo4j Direct Ingestion:
- Connect directly to BloodHound's Neo4j database
- Real-time progress tracking during ingestion
- Creates nodes and relationships without intermediate files
- Supports all object types and security relationships
- Optional: Requires neo4j-driver package
- BloodHound OpenGraph Export - TODO
- Throttling Mode (Enabled by Default): Randomises query order and timing to avoid detection
- Configurable delays between queries (0.5-2s default)
- Multiple timing presets: Fast, Normal, Stealthy
- Makes enumeration patterns unpredictable
- Encrypted password storage for saved profiles using Fernet encryption
- SSL/TLS support for secure connections
- Admin count tracking and delegation flags detection
- SOCKS proxy support (SOCKS4/5, HTTP) for restricted environments
- ADCS Certificate Template Analysis (NEW):
- Comprehensive vulnerability analysis for Active Directory Certificate Services
- Detection of ESC1-ESC8 vulnerabilities
- Risk scoring for certificate templates
- Permission analysis and attack path identification
- Export findings to JSON, CSV, or BloodHound format
- Detailed remediation recommendations
- Domain Trust Analysis: Browse and analyse trust relationships with export capabilities (currently a WIP)
- Connection Profiles:
ldap_profiles.json(encrypted passwords) - Encryption Key:
.ldap_key(hidden file used for encrypting passwords in ldap profiles, auto-generated)
The application supports connecting to LDAP servers through proxy servers, which is useful for:
- Accessing domain controllers in isolated networks
- Pentesting
- Connecting through jump hosts or bastion servers
Supported Proxy Types:
- SOCKS5: Full protocol support with authentication
- SOCKS4: Basic proxy support
- HTTP: HTTP CONNECT proxy support
Configuration:
- Check "Use Proxy" in the connection dialog
- Select proxy type (SOCKS5 recommended)
- Enter proxy host and port
- Optionally provide proxy authentication credentials
- Save as profile for reuse
pip install pyinstaller
pyinstaller --onefile --windowed --name pyLDAPGui main.pypip install pyinstaller
pyinstaller --onefile --name pyLDAPGui main.pyThe executable will be created in the dist/ directory.
- Verify LDAP server address and port
- Check firewall and network connectivity
- Ensure correct authentication credentials
- Try both SSL and non-SSL connections
- Verify LDAP server is accepting connections
- Bloodhound Import Fails: Ensure using Bloodhound 4.3 Legacy, not CE
- OpenGraph Format: Use for newer BloodHound versions that support OpenGraph schema
- Large Exports: May take time for domains with many objects
- Missing Data: Check LDAP permissions and search scope
- Use tree filtering for large directories
- Limit search results for better performance
- Close and reconnect if connection becomes slow
- Read-only access (no LDAP modification capabilities)
- Certificate validation bypass for SSL, you can use LDAPS but it will just blindly trust the TLS cert because YOLO
- Maximum 50,000 entries per Bloodhound export (configurable)