Skip to content

Configuration

danti1988 edited this page May 15, 2026 · 4 revisions

Configuration

ADPathfinder reads config.ini from the working directory. Any supported value can be overridden with an ADPF_* environment variable. Environment variables win for the current run and are not written back to disk.

Precedence

  1. Environment variable.
  2. config.ini.
  3. Built-in default.

Set up BloodHound CE API access interactively:

./adpathfinder.py --setup-bloodhound-api

The Neo4j section is bootstrapped on first run when stored credentials are missing.

Environment Variables

Variable Purpose
ADPF_NEO4J_URI Neo4j connection URI. Default: neo4j://localhost:7687
ADPF_NEO4J_USERNAME Neo4j username
ADPF_NEO4J_PASSWORD Neo4j password
ADPF_BLOODHOUND_URL BloodHound CE base URL. Default: http://localhost:8080
ADPF_BLOODHOUND_USERNAME BloodHound CE API username
ADPF_BLOODHOUND_PASSWORD BloodHound CE API password
ADPF_BLOODHOUND_ENABLED BloodHound CE API toggle. Accepts 1/true/yes/on or 0/false/no/off
ADPF_HASHCAT_FILE_PATH Hashcat potfile used by the password audit

Passwords loaded from environment variables or config.ini are wrapped so their normal string and repr output is redacted in logs and diagnostics.

Neo4j Connection Schemes

The Neo4j driver accepts these schemes through ADPF_NEO4J_URI or [NEO4J] uri:

Scheme Use
neo4j:// Unencrypted local Neo4j, and the default setting
bolt:// Single-instance unencrypted Neo4j
neo4j+s://, bolt+s:// Encrypted connection with a CA-trusted certificate
neo4j+ssc://, bolt+ssc:// Encrypted connection accepting a self-signed certificate

Use a +ssc scheme when Neo4j presents a self-signed certificate. The +s schemes expect a certificate trusted by the client.

File Permissions

When ADPathfinder creates config.ini, it writes the file with mode 0600 so only the owner can read or write it. If the file already exists with looser permissions, ADPathfinder warns but does not change them. Fix that manually:

chmod 600 config.ini

Excluded Relationships

Path output excludes a default set of structural and duplicate BloodHound relationships to keep attack paths readable. The setting lives at [EXCLUSIONS] excluded_relationships. See Excluded relationships for the parsing rules and the exact behaviour of empty or missing values.

Example config.ini

[NEO4J]
uri = neo4j://localhost:7687
username = neo4j
password = your-neo4j-password

[BLOODHOUND]
enabled = True
url = http://localhost:8080
username = admin
password = your-bloodhound-password

[HASHCAT]
file_path = /path/to/hashcat.potfile

[EXCLUSIONS]
excluded_relationships = Contains,
    LocalToComputer,
    Enroll

Clone this wiki locally