-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration
ADPathfinder reads its settings from config.ini in the working directory. Any value can be overridden by an environment variable. Environment values win over the config file, and values supplied via environment variables are never written back to disk.
- Environment variable (
ADPF_*). -
config.inivalue. - Built-in default (where one exists).
Run adpathfinder --setup-bloodhound-api to interactively populate the BloodHound CE section of config.ini. The Neo4j section is bootstrapped on first run.
| Variable | Purpose |
|---|---|
ADPF_NEO4J_URI |
Neo4j connection URI. Default neo4j://localhost:7687
|
ADPF_NEO4J_USERNAME |
Neo4j username |
ADPF_NEO4J_PASSWORD |
Neo4j password |
ADPF_BLOODHOUND_URL |
BloodHound CE base URL. Default http://localhost:8080
|
ADPF_BLOODHOUND_USERNAME |
BloodHound CE API username |
ADPF_BLOODHOUND_PASSWORD |
BloodHound CE API password |
ADPF_BLOODHOUND_ENABLED |
Toggle BloodHound CE API. Accepts 1/true/yes/on or 0/false/no/off
|
ADPF_HASHCAT_FILE_PATH |
Hashcat potfile used by the password audit |
Passwords supplied through environment variables are held in a wrapper that redacts them from logs and diagnostics output.
The Neo4j driver accepts the following schemes via ADPF_NEO4J_URI or [NEO4J] uri in config.ini:
| Scheme | When to use |
|---|---|
neo4j:// |
Unencrypted (default for local Neo4j) |
bolt:// |
Single-instance unencrypted |
neo4j+s://, bolt+s://
|
Encrypted, requires a CA-trusted certificate |
neo4j+ssc://, bolt+ssc://
|
Encrypted, accepts self-signed certificates |
Use the +ssc schemes when Neo4j is presenting a self-signed certificate; +s will reject it.
If config.ini is created by ADPathfinder, it is written with mode 0600 (owner read/write only) so that stored credentials are not world-readable. If config.ini already exists with looser permissions, ADPathfinder warns at startup but does not change them — fix permissions manually with chmod 600 config.ini.
Path output filters out a default set of structural and duplicate BloodHound edges to keep escalation paths readable. The list lives at [EXCLUSIONS] excluded_relationships in config.ini. See Excluded relationships for the full filter behaviour, parsing rules, and the bootstrap default list.
[NEO4J]
uri = neo4j://localhost:7687
username = neo4j
password = your-neo4j-password
[BLOODHOUND]
enabled = True
base_url = http://localhost:8080
username = admin
password = your-bloodhound-password
[HASHCAT]
file_path = /path/to/hashcat.potfile
[EXCLUSIONS]
excluded_relationships = Contains, LocalToComputer, Enroll, ...