
daecayde/bloodhoundr


🩸 Bloodhoundr


Attack Surface Mapper + Threat Intelligence + Active Defense

Bloodhoundr automates the entire reconnaissance pipeline and fights back with deception technology. One command maps your attack surface, identifies CVEs, maps to MITRE ATT&CK, and deploys honeypots that trap attackers.



✨ Features

| Phase | What It Does |
|---|---|
| 🔍 Reconnaissance | Subdomain enumeration, DNS records, ASN lookup, tech fingerprinting |
| 🚪 Port Enumeration | Nmap wrapper for service discovery (active mode) |
| 🧠 CVE Intelligence | NVD API v2 integration with CVSS scoring |
| 🎯 MITRE ATT&CK | Maps findings to TTPs with tactics and mitigations |
| 🎭 Mirage Engine | CVE-aware decoys that trap attackers with honeytokens |
| 📊 Reporting | PTES-structured reports in Markdown, JSON, and PDF |

🎭 The Mirage Engine (Active Defense)

When an attacker hits your decoy, here's exactly what happens:

1. Attacker scans your IP and finds open port 9999
2. Attacker sends exploit (e.g., `curl http://IP:9999/cgi-bin/test`)
3. Mirage Engine detects the attack pattern
4. Engine generates fake AWS credentials (honeytoken)
5. Engine responds with credentials file
6. Attacker thinks they stole real credentials
7. Incident logged to `reports/mirage_incidents.jsonl`
8. YOU get alerted (if email configured)

What you see in your terminal:

```text
[!] MIRAGE ENGINE TRIGGERED
    Attacker: 192.168.1.100:54321
    Trap: CVE-2021-41773 (Apache Path Traversal)
    Token: synthetic
    Logged: reports/mirage_incidents.jsonl
```


**What the attacker gets (fake AWS credentials):**

```ini
[default]
aws_access_key_id = AKIA4B7J8K9L0M1N2P3Q
aws_secret_access_key = 8k9L0m1N2p3Q4r5S6t7U8v9W0x1Y2z3A4b5C6d7E8f9G0
```
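The trap flow above (classify the request, mint a synthetic credential, answer with a credentials file, append one JSONL incident record), written out as an added example rather than the project's own engine. It assumes a single `/cgi-bin/` rule keyed to the CVE shown in the README and invents the incident field names; the real rule set and log schema are not on the page.

```python
import json
import re
import secrets
import string
from datetime import datetime, timezone

# Constructed trap rule: the README's example hit is a request for /cgi-bin/test on the
# decoy port. The project's real rule set is not on the page, so this is an assumption.
TRAP_RULES = {"CVE-2021-41773": re.compile(r"^/cgi-bin/")}


def classify_request(request_line: str):
    """Return the CVE id of the trap an HTTP request line matches, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    for cve_id, pattern in TRAP_RULES.items():
        if pattern.search(parts[1]):
            return cve_id
    return None


def make_honeytoken() -> dict:
    """Mint a random, AWS-shaped credential pair. It is synthetic bait: never valid,
    but any later attempt to use the key id is a high-fidelity alert."""
    upper, mixed = string.ascii_uppercase + string.digits, string.ascii_letters + string.digits
    return {
        "aws_access_key_id": "AKIA" + "".join(secrets.choice(upper) for _ in range(16)),
        "aws_secret_access_key": "".join(secrets.choice(mixed) for _ in range(40)),
        "token_type": "synthetic",
    }


def render_credentials_file(token: dict) -> str:
    """Format the bait like the ~/.aws/credentials file shown in the README."""
    return (f"[default]\naws_access_key_id = {token['aws_access_key_id']}\n"
            f"aws_secret_access_key = {token['aws_secret_access_key']}\n")


def handle_request(request_line: str, attacker: str, log_path: str):
    """Decoy logic: classify, mint bait, append a JSONL incident, return the response body."""
    cve_id = classify_request(request_line)
    if cve_id is None:
        return None  # not a trap hit; a real decoy would answer with a bland 404 here
    token = make_honeytoken()
    incident = {"time": datetime.now(timezone.utc).isoformat(), "attacker": attacker,
                "trap": cve_id, "request": request_line, "token": token["aws_access_key_id"]}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(incident) + "\n")  # one JSON object per line (JSONL)
    return render_credentials_file(token)
```

Logging only the access key id (not the secret) keeps the incident file useful for later correlation without turning the log itself into a credential store.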



🚀 Quick Start

```bash
# Clone & install
git clone https://github.com/daecayde/bloodhoundr
cd bloodhoundr
pip install -e .

# Basic scan
bloodhoundr scan --target example.com

# With deception decoys
bloodhoundr scan --target example.com --deceive

# Active port scan (requires nmap)
bloodhoundr scan --target example.com --active
```


📋 Commands

| Command | Description |
|---|---|
| `bloodhoundr scan --target DOMAIN` | Full pipeline |
| `bloodhoundr scan --target DOMAIN --deceive` | With decoys |
| `bloodhoundr scan --target DOMAIN --active` | With port scan |
| `bloodhoundr recon --target DOMAIN` | Recon only |
| `bloodhoundr cve "Apache/2.4.49"` | Direct CVE lookup |
| `bloodhoundr version` | Show version |

About

Automated attack surface mapper that chains recon, CVE lookup and MITRE ATT&CK mapping into one pipeline. Outputs PTES-structured VAPT reports. Docker ready.
