Skip to content

Configuration

danti1988 edited this page May 13, 2026 · 4 revisions

Configuration

ADPathfinder reads its settings from config.ini in the working directory. Any value can be overridden by an environment variable. Environment values win over the config file, and values supplied via environment variables are never written back to disk.

Precedence

  1. Environment variable (ADPF_*).
  2. config.ini value.
  3. Built-in default (where one exists).

Run adpathfinder --setup-bloodhound-api to interactively populate the BloodHound CE section of config.ini. The Neo4j section is bootstrapped on first run.

Environment variables

Variable Purpose
ADPF_NEO4J_URI Neo4j connection URI. Default neo4j://localhost:7687
ADPF_NEO4J_USERNAME Neo4j username
ADPF_NEO4J_PASSWORD Neo4j password
ADPF_BLOODHOUND_URL BloodHound CE base URL. Default http://localhost:8080
ADPF_BLOODHOUND_USERNAME BloodHound CE API username
ADPF_BLOODHOUND_PASSWORD BloodHound CE API password
ADPF_BLOODHOUND_ENABLED Toggle BloodHound CE API. Accepts 1/true/yes/on or 0/false/no/off
ADPF_HASHCAT_FILE_PATH Hashcat potfile used by the password audit

Passwords supplied through environment variables are held in a wrapper that redacts them from logs and diagnostics output.

Neo4j connection schemes

The Neo4j driver accepts the following schemes via ADPF_NEO4J_URI or [NEO4J] uri in config.ini:

Scheme When to use
neo4j:// Unencrypted (default for local Neo4j)
bolt:// Single-instance unencrypted
neo4j+s://, bolt+s:// Encrypted, requires a CA-trusted certificate
neo4j+ssc://, bolt+ssc:// Encrypted, accepts self-signed certificates

Use the +ssc schemes when Neo4j is presenting a self-signed certificate; +s will reject it.

File permissions

If config.ini is created by ADPathfinder, it is written with mode 0600 (owner read/write only) so that stored credentials are not world-readable. If config.ini already exists with looser permissions, ADPathfinder warns at startup but does not change them — fix permissions manually with chmod 600 config.ini.

Excluded relationships

Path output filters out a default set of structural and duplicate BloodHound edges to keep escalation paths readable. The list lives at [EXCLUSIONS] excluded_relationships in config.ini. See Excluded relationships for the full filter behaviour, parsing rules, and the bootstrap default list.

Example config.ini

[NEO4J]
uri = neo4j://localhost:7687
username = neo4j
password = your-neo4j-password

[BLOODHOUND]
enabled = True
base_url = http://localhost:8080
username = admin
password = your-bloodhound-password

[HASHCAT]
file_path = /path/to/hashcat.potfile

[EXCLUSIONS]
excluded_relationships = Contains, LocalToComputer, Enroll, ...

Clone this wiki locally