In [None]:
# GET /api/v2/meta/entities – List all meta-entity types (users, groups, computers, etc.).
# GET /api/v2/meta/entities/{id} – Fetch detailed information for a specific meta-entity.
# GET /api/v2/meta/{object_id} - Get Meta entity info
# !op run 'op://n3ugxlrd6cz7b5g6gjdvgz775i/reach-db-prod'
# !printenv

In [None]:
# These are not PII, they are test secrets that only work for a test BloodHound CE instance
# Secure secrets in encrypted vault
from ansible_vault import Vault
import os
# pass1 = os.environ.get("")

vault = Vault(open(os.path.expanduser("~/.vault_pass")).read().strip())
data = vault.load(
    open(
        os.path.expanduser("/Users/eric.louhi/Github/reach-data-experiments/vault.yml")
    )
    .read()
    .strip()
)
REACH_DB_USER = data["REACH_DB_PROD_USER"]
REACH_DB_PASS = data["REACH_DB_PROD_PASS"]
BH_API_KEY = str(data["BH_API_KEY"])
BH_API_ID = str(data["BH_API_ID"])

In [None]:
import py2neo
import json
from neo4j.time import DateTime, Date, Time  # Import Neo4j's DateTime types


# This was needed as the json.dump() function could not serialize the DateTime object
class Neo4jEncoder(json.JSONEncoder):
    def default(self, obj):
        if isinstance(obj, (DateTime, Date, Time)):  # Handle Neo4j DateTime objects
            return str(obj)  # Convert to string representation
        elif hasattr(obj, "isoformat"):  # Fallback for other datetime-like objects
            return obj.isoformat()
        return super(Neo4jEncoder, self).default(obj)


graph = py2neo.Graph(
    "bolt://localhost:7687", auth=("neo4j", "bloodhoundcommunityedition")
)

# Get total node count
node_count = graph.evaluate("MATCH (n) RETURN COUNT(n) AS count")
batch_size = 200
results = []
base_query = ""

# Neo4j Cypher COLLECT Fucntion - https://neo4j.com/docs/cypher-manual/current/functions/aggregating/
# Neo4j Pagination Documentation- https://neo4j.com/docs/cypher-manual/current/clauses/skip/
# BloodHound Repository contains schema information - https://github.com/SpecterOps/BloodHound
# BloodHound Collection - https://bloodhound.specterops.io/docs/data-collection/
# BloodHound Node and Relationships - https://bloodhound.specterops.io/docs/reference/data-model
# Active Directory Properties in BloodHound - https://bloodhound.specterops.io/docs/reference/ad-objects
# Azure Only Objects in BloodHound - https://bloodhound.specterops.io/docs/reference/azure-objects

# Iterate through batches
for skip in range(0, node_count, batch_size):
    base_query = """
MATCH (n)
WITH n SKIP {skip} LIMIT {limit}
OPTIONAL MATCH (n)-[r]->(m)
WITH n, COLLECT({
  relationship: TYPE(r),
  direction: "outbound",
  properties: PROPERTIES(r),
  target: {
    id: ID(m),
    labels: LABELS(m),
    name: CASE WHEN m.name IS NOT NULL THEN m.name ELSE m.objectid END,
    objectid: m.objectid
  }
}) AS outRelations
OPTIONAL MATCH (n)<-[r]-(m)
WITH n, outRelations, COLLECT({
  relationship: TYPE(r),
  direction: "inbound",
  properties: PROPERTIES(r),
  source: {
    id: ID(m),
    labels: LABELS(m),
    name: CASE WHEN m.name IS NOT NULL THEN m.name ELSE m.objectid END,
    objectid: m.objectid
  }
}) AS inRelations
RETURN COLLECT({
  id: ID(n),
  labels: LABELS(n),
  nodeType: HEAD(LABELS(n)),

  // Properties that *can* exist across all types
  objectid: n.objectid,
  name: CASE WHEN n.name IS NOT NULL THEN n.name ELSE n.objectid END,
  distinguishedname: n.distinguishedname,
  description: n.description,
  whencreated: toString(n.whencreated),
  whenchanged: toString(n.whenchanged),

  // User specific properties
  displayname: n.displayname,
  email: n.email,
  title: n.title,
  homedirectory: n.homedirectory,
  samaccountname: n.samaccountname,
  samaccounttype: n.samaccounttype,
  serviceprincipalnames: n.serviceprincipalnames,
  sidrequired: n.sidrequired,
  domainsid: n.domainsid,
  domain: n.domain,
  admincount: n.admincount,
  hasspn: n.hasspn,
  enabled: n.enabled,
  pwdlastset: toString(n.pwdlastset),
  lastlogon: toString(n.lastlogon),
  lastlogontimestamp: toString(n.lastlogontimestamp),
  pwdneverexpires: n.pwdneverexpires,
  dontreqpreauth: n.dontreqpreauth,
  passwordnotreqd: n.passwordnotreqd,
  unconstraineddelegation: n.unconstraineddelegation,
  sensitive: n.sensitive,
  trustedtoauth: n.trustedtoauth,
  owned: n.owned,
  highvalue: n.highvalue,

  // Computer specific properties
  operatingsystem: n.operatingsystem,
  operatingsystemversion: n.operatingsystemversion,
  serviceprincipalnames: n.serviceprincipalnames,
  haslaps: n.haslaps,

  // Group specific properties
  admincount: n.admincount,
  description: n.description,

  // Domain specific properties
  functionallevel: n.functionallevel,

  // GPO specific pproperties
  gpcpath: n.gpcpath,

  // OU specific properties
  blocksinheritance: n.blocksinheritance,

  // CA specific properties
  isrootca: n.isrootca,

  // Certificate Template specific properties
  enrollmentrights: n.enrollmentrights,
  authentication_enabled: n.authentication_enabled,
  requires_approval: n.requires_approval,
  requires_manager_approval: n.requires_manager_approval,
  enrollment_agent: n.enrollment_agent,
  certificate_name_flag: n.certificate_name_flag,
  ekus: n.ekus,
  authorized_signatures_required: n.authorized_signatures_required,
  validity_period: n.validity_period,
  renewal_period: n.renewal_period,
  schema_version: n.schema_version,

  // Trust specific properties
  trusttype: n.trusttype,
  trustdirection: n.trustdirection,
  transitive: n.transitive,

  // Azure specific properties
  tenantid: n.tenantid,
  appid: n.appid,
  appownerid: n.appownerid,
  serviceprincipalid: n.serviceprincipalid,
  directoryid: n.directoryid,
  roleid: n.roleid,
  roledisplayname: n.roledisplayname,
  roledescription: n.roledescription,
  subscriptionid: n.subscriptionid,
  resourcegroupid: n.resourcegroupid,
  accountenabled: n.accountenabled,

  // Properties that might be in a node
  guid: n.guid,
  sid: n.sid,

  // Relationships and their properties
  outboundRelationships: outRelations,
  inboundRelationships: inRelations
}) AS nodes
"""
all_nodes = []
# Process in batches
for skip in range(0, node_count, batch_size):
    results = []
    print(f"Processing nodes {skip} to {min(skip + batch_size, node_count)}...")

    # Replace parameters in query
    query = base_query.replace("{skip}", str(skip)).replace("{limit}", str(batch_size))

    # Execute query
    request_data = {"statements": [{"statement": query}]}
    batch_results = graph.evaluate(query)
    # results.extend(batch_results)
    print(f"Processed {min(skip + batch_size, node_count)}/{node_count} nodes")

    # Save results

    try:
        # all_nodes.extend(results)

        # Save progress after each batch
        with open(f"../data/bloodhound/bloodhound_export_{skip}.json", "w") as f:
            json.dump(batch_results, f, cls=Neo4jEncoder, indent=2)

        print(f"Saved progress: {len(all_nodes)}/{node_count} nodes processed")

    except (KeyError, IndexError) as e:
        print(f"Error processing batch at offset {skip}: {e}")

### Queries to attempt to extract enriched data
Looks like some enrichment data is locked behind the enterprise edition.

```cypher
CALL db.labels() YIELD label
RETURN label
ORDER BY label
```
-------------------------------
```cypher
MATCH (n)
WHERE any(key IN keys(n) WHERE toLower(key) =~ '.*(opsec|notes|references|abuse|description|comment|security|relationship).*')
WITH labels(n) AS nodeType,
     n,
     [key IN keys(n) WHERE toLower(key) =~ '.*(opsec|notes|references|abuse|description|comment|security|relationship).*' |
      key + ': ' + toString(coalesce(n[key], ''))] AS opsecData
RETURN nodeType,
       collect(DISTINCT opsecData) AS opsecFields,
       count(n) AS nodeCount
ORDER BY nodeType
```

## BloodHound API

Extract all information including attack paths, and complete nodes.
- Agg, and join on IDs to create a single node representing all the associations

Calls against the APIed to include the following headers:
```
'Authorization': bhesignature $TOKEN_ID
'RequestDate': $RFC3339_DATETIME
'Signature': $BASE64ENCODED_HMAC_SIGNATURE
```

* Individual entity endpoints - Each entity's detailed view contains BloodHound's analysis
* Controllables/Controllers endpoints - Provide relationship context and abuse info
* Edge composition endpoint - Contains edge metadata including abuse information
* Attack path endpoints - Provide comp
* Base Entity Calls - Always call /api/v2/base/{object_id}/controllables and /api/v2/base/{object_id}/controllers for
maximum relationship data
* meta/entitied - meta-entity types (users, groups, computers, domains, etc.)

### Work flow to pull all data via REST API:
OpenAPI endpoints are in `data/bloodhound/openapi.yaml`.
```
auth -> meta discovery -> domain discovery -> base entities (domain, computer, user, ..) -> certificate infra ->
azure entities -> individual entity enrichment -> graph analysis + custom nodes
```

In [None]:
import requests
import json
import hmac
import hashlib
from typing import Optional
import datetime
import base64

top_level_fields = [
    "Roles",
    "Execution Privileges",
    "Member Of",
    "Outbound Object Control",
    "Inbound Object Control",
    "OPSEC",
    "Descriptioin",
    "Abuse",
    "Object Information",
]
# data/bloodhound/openapi.yaml - openapi specs from bloodhound github
endpoints = {
        "custom_nodes": "/api/v2/customnodes",
        "api_spec": { "endpoint": "/api/v2/spec/openapi.yaml", "method": "GET"},
        "search": {"endpoint": "/api/v2/search", "method": "POST"},
        "audit_logs": {"endpoint": "/api/v2/audit", "method": "GET"},
        "list_asset_groups": {"endpoint": "/api/v2/asset-groups", "method": "GET"},
        "login":{"endpoint":"/api/v2/login", "method":"POST"},
        "core_meta": {"endpoint": "/api/v2/meta/entities", "method": "GET"},
        "available_domains": {"endpoint": "/api/v2/meta/available-domains", "method": "GET"},

}


In [None]:
import os
from urllib.parse import urljoin
from typing import Optional

def format_url(uri: str, base_url: Optional[str] = None) -> str:
    if not base_url.endswith("/"):
        base_url += "/"
    # Remove leading /
    if uri.startswith("/"):
        uri = uri[1:]

    return urljoin(base_url, uri)


# https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api
def _request(method: str, uri: str, body: Optional[bytes] = None, headers: dict | None = None) -> requests.Response:
    # Digester is initialized with HMAC-SHA-256 using the token key as the HMAC digest key.
    digester = hmac.new(BH_API_KEY.encode(), None, hashlib.sha256)

    # OperationKey is the first HMAC digest link in the signature chain. This prevents replay attacks that seek to
    # modify the request method or URI. It is composed of concatenating the request method and the request URI with
    # no delimiter and computing the HMAC digest using the token key as the digest secret.
    #
    # Example: GET /api/v2/test/resource HTTP/1.1
    # Signature Component: GET/api/v2/test/resource
    digester.update(f"{method}{uri}".encode())

    # Update the digester for further chaining
    digester = hmac.new(digester.digest(), None, hashlib.sha256)

    # DateKey is the next HMAC digest link in the signature chain. This encodes the RFC3339 formatted datetime
    # value as part of the signature to the hour to prevent replay attacks that are older than max two hours. This
    # value is added to the signature chain by cutting off all values from the RFC3339 formatted datetime from the
    # hours value forward:
    #
    # Example: 2020-12-01T23:59:60Z
    # Signature Component: 2020-12-01T23
    datetime_formatted = datetime.datetime.now().astimezone().isoformat("T")
    digester.update(datetime_formatted[:13].encode())

    # Update the digester for further chaining
    digester = hmac.new(digester.digest(), None, hashlib.sha256)

    # Body signing is the last HMAC digest link in the signature chain. This encodes the request body as part of
    # the signature to prevent replay attacks that seek to modify the payload of a signed request. In the case
    # where there is no body content the HMAC digest is computed anyway, simply with no values written to the
    # digester.
    if body is not None:
        digester.update(body)
    if headers is None:
        headers = {
            "User-Agent": "bhe-python-sdk 0001",
            "Authorization": f"bhesignature {BH_API_ID}",
            "RequestDate": datetime_formatted,
            "Signature": base64.b64encode(digester.digest()),
            "Content-Type": "application/json",
        }
    # Perform the request with the signed and expected headers
    print(headers)
    if body:
        return requests.request(
            method=method,
            url=format_url(uri, "http://127.0.0.1:8080"),
            headers=headers,
            data=body,
        )
    else:
        return requests.request(
            method=method,
            url=format_url(uri, "http://127.0.0.1:8080"),
            headers=headers
        )

In [None]:
# Auth First
# "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTIxODA5NjAsImp0aSI6IjIiLCJpYXQiOjE3NTIxNTIxNjAsInN1YiI6IjljNmNjYzdmLTkxYWQtNDMwZi1iZjMxLWJiYjZjYTU2ZmMzMSJ9.g4EjGZG7wKdY0uNrrK6w5q07lmTt5kaE4cLEhgC1-gI"
login_body = {
    "login_method": "secret",
    "username": "admin",
    "secret": "ReachSecurity783!",
}
body_bytes = json.dumps(login_body).encode('utf-8')
auth_resp = _request(endpoints["login"]["method"], endpoints["login"]["endpoint"], body_bytes)
# auth_resp.raise_for_status()
print(auth_resp.text)
bearer_token ={"session_token": auth_resp.json().get("data").get("session_token"), "user_id": auth_resp.json().get("data").get
("user_id")}
print(bearer_token)

Plan:

- get all domains: /api/v2/available-domains
```json
{"data":[{"type":"active-directory","name":"VECNA.CORP","id":"NO OBJECT ID","collected":false}]}
//Required headers
  -H 'accept: application/json' \
  -H 'Prefer: 0' \
  -H 'Authorization: Bearer
```
- Get the Note Types:/api/v2/graphs/kinds
```json
{"data":{"kinds":["ADLocalGroup","ADLocalUser","AIACA","AZApp","AZAutomationAccount","AZBase","AZContainerRegistry","AZDevice","AZFunctionApp","AZGroup","AZKeyVault","AZLogicApp","AZManagedCluster","AZManagementGroup","AZResourceGroup","AZRole","AZServicePrincipal","AZSubscription","AZTenant","AZUser","AZVM","AZVMScaleSet","AZWebApp","Base","CertTemplate","Computer","Container","Domain","EnterpriseCA","GPO","Group","IssuancePolicy","MigrationData","NTAuthStore","OU","RootCA","User"]}}
```

In [None]:
# Get all the
headers = {"accept": "application/json", "Prefer": "0",
           "Authorization": f"Bearer {bearer_token['session_token']}"}

endpoint_list = ["/api/v2/graphs/kinds", "/api/v2/available-domains" ]


for uri in endpoint_list:
    resp = _request(method="GET", uri=f"{uri}", headers=headers)
    print(resp.content)

In [None]:
#This does not work on a local instance, not sure why, had to download the openapi.yaml from their github repository.
import yaml
api_spec_headers = {"accept": "text/x-yaml", "Prefer": "0", "Authorization": f"Bearer {bearer_token['session_token']}"}
resp = _request(method=endpoints["api_spec"]["method"], uri=endpoints["api_spec"]["endpoint"], headers=api_spec_headers)
print(resp.text)

content_type = resp.headers.get('content-type', '').lower()

if 'yaml' in content_type or 'text/x-yaml' in content_type:
# Parse as YAML
    data = yaml.safe_load(resp.text)
    print(f"YAML Response: \n{data}")

In [None]:
endpoints_all = {
    # Authentication & Session
    "login": {"endpoint": "/api/v2/login", "method": "POST"},
    "logout": {"endpoint": "/api/v2/logout", "method": "POST"},
    "self": {"endpoint": "/api/v2/self", "method": "GET"},

    # Discovery & Config
    "available_domains": {"endpoint": "/api/v2/available-domains", "method": "GET"},
    "search": {"endpoint": "/api/v2/search", "method": "POST"},
    "graph_kinds": {"endpoint": "/api/v2/graphs/kinds", "method": "GET"},
    "features": {"endpoint": "/api/v2/features", "method": "GET"},
    "config": {"endpoint": "/api/v2/config", "method": "GET"},
    "version": {"endpoint": "/api/version", "method": "GET"},

    # Domain Enumeration
    "domain_detail": {"endpoint": "/api/v2/domains/{object_id}", "method": "GET"},
    "domain_users": {"endpoint": "/api/v2/domains/{object_id}/users", "method": "GET"},
    "domain_computers": {"endpoint": "/api/v2/domains/{object_id}/computers", "method": "GET"},
    "domain_groups": {"endpoint": "/api/v2/domains/{object_id}/groups", "method": "GET"},
    "domain_gpos": {"endpoint": "/api/v2/domains/{object_id}/gpos", "method": "GET"},
    "domain_ous": {"endpoint": "/api/v2/domains/{object_id}/ous", "method": "GET"},
    "domain_controllers": {"endpoint": "/api/v2/domains/{object_id}/controllers", "method": "GET"},
    "domain_dc_syncers": {"endpoint": "/api/v2/domains/{object_id}/dc-syncers", "method": "GET"},
    "domain_foreign_admins": {"endpoint": "/api/v2/domains/{object_id}/foreign-admins", "method": "GET"},
    "domain_foreign_gpo_controllers": {"endpoint": "/api/v2/domains/{object_id}/foreign-gpo-controllers",
                                       "method": "GET"},
    "domain_foreign_groups": {"endpoint": "/api/v2/domains/{object_id}/foreign-groups", "method": "GET"},
    "domain_foreign_users": {"endpoint": "/api/v2/domains/{object_id}/foreign-users", "method": "GET"},
    "domain_linked_gpos": {"endpoint": "/api/v2/domains/{object_id}/linked-gpos", "method": "GET"},
    "domain_inbound_trusts": {"endpoint": "/api/v2/domains/{object_id}/inbound-trusts", "method": "GET"},
    "domain_outbound_trusts": {"endpoint": "/api/v2/domains/{object_id}/outbound-trusts", "method": "GET"},

    # User Analysis
    "user_detail": {"endpoint": "/api/v2/users/{object_id}", "method": "GET"},
    "user_controllables": {"endpoint": "/api/v2/users/{object_id}/controllables", "method": "GET"},
    "user_controllers": {"endpoint": "/api/v2/users/{object_id}/controllers", "method": "GET"},
    "user_admin_rights": {"endpoint": "/api/v2/users/{object_id}/admin-rights", "method": "GET"},
    "user_sessions": {"endpoint": "/api/v2/users/{object_id}/sessions", "method": "GET"},
    "user_memberships": {"endpoint": "/api/v2/users/{object_id}/memberships", "method": "GET"},
    "user_constrained_delegation_rights": {"endpoint": "/api/v2/users/{object_id}/constrained-delegation-rights",
                                           "method": "GET"},
    "user_dcom_rights": {"endpoint": "/api/v2/users/{object_id}/dcom-rights", "method": "GET"},
    "user_ps_remote_rights": {"endpoint": "/api/v2/users/{object_id}/ps-remote-rights", "method": "GET"},
    "user_rdp_rights": {"endpoint": "/api/v2/users/{object_id}/rdp-rights", "method": "GET"},
    "user_sql_admin_rights": {"endpoint": "/api/v2/users/{object_id}/sql-admin-rights", "method": "GET"},

    # Computer Analysis
    "computer_detail": {"endpoint": "/api/v2/computers/{object_id}", "method": "GET"},
    "computer_controllables": {"endpoint": "/api/v2/computers/{object_id}/controllables", "method": "GET"},
    "computer_controllers": {"endpoint": "/api/v2/computers/{object_id}/controllers", "method": "GET"},
    "computer_admin_rights": {"endpoint": "/api/v2/computers/{object_id}/admin-rights", "method": "GET"},
    "computer_admin_users": {"endpoint": "/api/v2/computers/{object_id}/admin-users", "method": "GET"},
    "computer_sessions": {"endpoint": "/api/v2/computers/{object_id}/sessions", "method": "GET"},
    "computer_constrained_delegation_rights": {
        "endpoint": "/api/v2/computers/{object_id}/constrained-delegation-rights", "method": "GET"},
    "computer_constrained_users": {"endpoint": "/api/v2/computers/{object_id}/constrained-users", "method": "GET"},
    "computer_dcom_rights": {"endpoint": "/api/v2/computers/{object_id}/dcom-rights", "method": "GET"},
    "computer_dcom_users": {"endpoint": "/api/v2/computers/{object_id}/dcom-users", "method": "GET"},
    "computer_group_membership": {"endpoint": "/api/v2/computers/{object_id}/group-membership", "method": "GET"},
    "computer_ps_remote_rights": {"endpoint": "/api/v2/computers/{object_id}/ps-remote-rights", "method": "GET"},
    "computer_ps_remote_users": {"endpoint": "/api/v2/computers/{object_id}/ps-remote-users", "method": "GET"},
    "computer_rdp_rights": {"endpoint": "/api/v2/computers/{object_id}/rdp-rights", "method": "GET"},
    "computer_rdp_users": {"endpoint": "/api/v2/computers/{object_id}/rdp-users", "method": "GET"},
    "computer_sql_admins": {"endpoint": "/api/v2/computers/{object_id}/sql-admins", "method": "GET"},

    # Group Analysis
    "group_detail": {"endpoint": "/api/v2/groups/{object_id}", "method": "GET"},
    "group_controllables": {"endpoint": "/api/v2/groups/{object_id}/controllables", "method": "GET"},
    "group_controllers": {"endpoint": "/api/v2/groups/{object_id}/controllers", "method": "GET"},
    "group_members": {"endpoint": "/api/v2/groups/{object_id}/members", "method": "GET"},
    "group_memberships": {"endpoint": "/api/v2/groups/{object_id}/memberships", "method": "GET"},
    "group_admin_rights": {"endpoint": "/api/v2/groups/{object_id}/admin-rights", "method": "GET"},
    "group_dcom_rights": {"endpoint": "/api/v2/groups/{object_id}/dcom-rights", "method": "GET"},
    "group_ps_remote_rights": {"endpoint": "/api/v2/groups/{object_id}/ps-remote-rights", "method": "GET"},
    "group_rdp_rights": {"endpoint": "/api/v2/groups/{object_id}/rdp-rights", "method": "GET"},
    "group_sessions": {"endpoint": "/api/v2/groups/{object_id}/sessions", "method": "GET"},

    # GPO Analysis
    "gpo_detail": {"endpoint": "/api/v2/gpos/{object_id}", "method": "GET"},
    "gpo_controllers": {"endpoint": "/api/v2/gpos/{object_id}/controllers", "method": "GET"},
    "gpo_computers": {"endpoint": "/api/v2/gpos/{object_id}/computers", "method": "GET"},
    "gpo_users": {"endpoint": "/api/v2/gpos/{object_id}/users", "method": "GET"},
    "gpo_ous": {"endpoint": "/api/v2/gpos/{object_id}/ous", "method": "GET"},
    "gpo_tier_zero": {"endpoint": "/api/v2/gpos/{object_id}/tier-zero", "method": "GET"},

    # OU Analysis
    "ou_detail": {"endpoint": "/api/v2/ous/{object_id}", "method": "GET"},
    "ou_computers": {"endpoint": "/api/v2/ous/{object_id}/computers", "method": "GET"},
    "ou_users": {"endpoint": "/api/v2/ous/{object_id}/users", "method": "GET"},
    "ou_groups": {"endpoint": "/api/v2/ous/{object_id}/groups", "method": "GET"},
    "ou_gpos": {"endpoint": "/api/v2/ous/{object_id}/gpos", "method": "GET"},

    # Certificate Infrastructure
    "aiaca_detail": {"endpoint": "/api/v2/aiacas/{object_id}", "method": "GET"},
    "aiaca_controllers": {"endpoint": "/api/v2/aiacas/{object_id}/controllers", "method": "GET"},
    "rootca_detail": {"endpoint": "/api/v2/rootcas/{object_id}", "method": "GET"},
    "rootca_controllers": {"endpoint": "/api/v2/rootcas/{object_id}/controllers", "method": "GET"},
    "enterpriseca_detail": {"endpoint": "/api/v2/enterprisecas/{object_id}", "method": "GET"},
    "enterpriseca_controllers": {"endpoint": "/api/v2/enterprisecas/{object_id}/controllers", "method": "GET"},
    "ntauthstore_detail": {"endpoint": "/api/v2/ntauthstores/{object_id}", "method": "GET"},
    "ntauthstore_controllers": {"endpoint": "/api/v2/ntauthstores/{object_id}/controllers", "method": "GET"},
    "certtemplate_detail": {"endpoint": "/api/v2/certtemplates/{object_id}", "method": "GET"},
    "certtemplate_controllers": {"endpoint": "/api/v2/certtemplates/{object_id}/controllers", "method": "GET"},

    # Container Analysis
    "container_detail": {"endpoint": "/api/v2/containers/{object_id}", "method": "GET"},
    "container_controllers": {"endpoint": "/api/v2/containers/{object_id}/controllers", "method": "GET"},

    # Base Entity Analysis
    "base_entity": {"endpoint": "/api/v2/base/{object_id}", "method": "GET"},
    "base_controllables": {"endpoint": "/api/v2/base/{object_id}/controllables", "method": "GET"},
    "base_controllers": {"endpoint": "/api/v2/base/{object_id}/controllers", "method": "GET"},

    # Graph Relationship Analysis
    "edge_composition": {"endpoint": "/api/v2/graphs/edge-composition", "method": "GET"},
    "shortest_path": {"endpoint": "/api/v2/graphs/shortest-path", "method": "GET"},
    "pathfinding": {"endpoint": "/api/v2/pathfinding", "method": "GET"},
    "relay_targets": {"endpoint": "/api/v2/graphs/relay-targets", "method": "GET"},
    "graph_search": {"endpoint": "/api/v2/graph-search", "method": "GET"},

    # Azure Analysis
    "azure_entity": {"endpoint": "/api/v2/azure/{entity_type}", "method": "GET"},

    # Attack Analysis (Enterprise)
    "attack_paths": {"endpoint": "/api/v2/attack-paths", "method": "GET"},
    "attack_path_findings": {"endpoint": "/api/v2/domains/{domain_id}/attack-path-findings", "method": "GET"},
    "attack_path_types": {"endpoint": "/api/v2/attack-path-types", "method": "GET"},
    "attack_path_finding_trends": {"endpoint": "/api/v2/attack-paths/finding-trends", "method": "GET"},
    "domain_available_types": {"endpoint": "/api/v2/domains/{domain_id}/available-types", "method": "GET"},
    "domain_details": {"endpoint": "/api/v2/domains/{domain_id}/details", "method": "GET"},
    "domain_sparkline": {"endpoint": "/api/v2/domains/{domain_id}/sparkline", "method": "GET"},
    "attack_path_acceptance": {"endpoint": "/api/v2/attack-paths/{attack_path_id}/acceptance", "method": "PUT"},
    "meta_nodes": {"endpoint": "/api/v2/meta-nodes/{domain_id}", "method": "GET"},
    "meta_trees": {"endpoint": "/api/v2/meta-trees/{domain_id}", "method": "GET"},
    "asset_group_combo_node": {"endpoint": "/api/v2/asset-groups/{asset_group_id}/combo-node", "method": "GET"},

    # Cypher Queries
    "saved_queries": {"endpoint": "/api/v2/saved-queries", "method": "GET"},
    "saved_query_detail": {"endpoint": "/api/v2/saved-queries/{saved_query_id}", "method": "GET"},
    "saved_query_permissions": {"endpoint": "/api/v2/saved-queries/{saved_query_id}/permissions", "method": "GET"},
    "saved_query_export": {"endpoint": "/api/v2/saved-queries/{saved_query_id}/export", "method": "GET"},
    "saved_queries_import": {"endpoint": "/api/v2/saved-queries/import", "method": "POST"},
    "saved_queries_export_multiple": {"endpoint": "/api/v2/saved-queries/export", "method": "GET"},
    "cypher": {"endpoint": "/api/v2/graphs/cypher", "method": "POST"},

    # Data Quality
    "completeness": {"endpoint": "/api/v2/completeness", "method": "GET"},
    "ad_domain_data_quality": {"endpoint": "/api/v2/ad-domains/{domain_id}/data-quality-stats", "method": "GET"},
    "azure_tenant_data_quality": {"endpoint": "/api/v2/azure-tenants/{tenant_id}/data-quality-stats", "method": "GET"},
    "platform_data_quality": {"endpoint": "/api/v2/platform/{platform_id}/data-quality-stats", "method": "GET"},
    "datapipe_status": {"endpoint": "/api/v2/datapipe/status", "method": "GET"},
    "analysis": {"endpoint": "/api/v2/analysis", "method": "GET"},

    # Administrative
    "audit": {"endpoint": "/api/v2/audit", "method": "GET"},
    "bloodhound_users": {"endpoint": "/api/v2/bloodhound-users", "method": "GET"},
    "tokens": {"endpoint": "/api/v2/tokens", "method": "GET"},
    "roles": {"endpoint": "/api/v2/roles", "method": "GET"},
    "permissions": {"endpoint": "/api/v2/permissions", "method": "GET"},
    "custom_nodes": {"endpoint": "/api/v2/custom-nodes", "method": "GET"},
    "events": {"endpoint": "/api/v2/events", "method": "GET"},
    "jobs": {"endpoint": "/api/v2/jobs", "method": "GET"},
    "clients": {"endpoint": "/api/v2/clients", "method": "GET"},
    "posture_stats": {"endpoint": "/api/v2/posture-stats", "method": "GET"},
    "meta_entity": {"endpoint": "/api/v2/meta/{object_id}", "method": "GET"}
}

workflow = {
    "phase_1_authentication": ["login"],

    "phase_2_discovery": [
        "available_domains", "search", "graph_kinds", "features", "config", "version"
    ],

    "phase_3_domain_enumeration": [
        "domain_detail", "domain_users", "domain_computers", "domain_groups",
        "domain_gpos", "domain_ous", "domain_controllers", "domain_dc_syncers",
        "domain_foreign_admins", "domain_foreign_gpo_controllers",
        "domain_foreign_groups", "domain_foreign_users", "domain_linked_gpos",
        "domain_inbound_trusts", "domain_outbound_trusts"
    ],

    "phase_4_detailed_entity_analysis": [
        "user_detail", "user_controllables", "user_controllers", "user_admin_rights",
        "user_sessions", "user_memberships", "user_constrained_delegation_rights",
        "user_dcom_rights", "user_ps_remote_rights", "user_rdp_rights", "user_sql_admin_rights",

        "computer_detail", "computer_controllables", "computer_controllers", "computer_admin_rights",
        "computer_admin_users", "computer_sessions", "computer_constrained_delegation_rights",
        "computer_constrained_users", "computer_dcom_rights", "computer_dcom_users",
        "computer_group_membership", "computer_ps_remote_rights", "computer_ps_remote_users",
        "computer_rdp_rights", "computer_rdp_users", "computer_sql_admins",

        "group_detail", "group_controllables", "group_controllers", "group_members",
        "group_memberships", "group_admin_rights", "group_dcom_rights",
        "group_ps_remote_rights", "group_rdp_rights", "group_sessions",

        "gpo_detail", "gpo_controllers", "gpo_computers", "gpo_users", "gpo_ous", "gpo_tier_zero",

        "ou_detail", "ou_computers", "ou_users", "ou_groups", "ou_gpos",

        "aiaca_detail", "aiaca_controllers", "rootca_detail", "rootca_controllers",
        "enterpriseca_detail", "enterpriseca_controllers", "ntauthstore_detail",
        "ntauthstore_controllers", "certtemplate_detail", "certtemplate_controllers",

        "container_detail", "container_controllers"
    ],

    "phase_5_base_entity_analysis": [
        "base_entity", "base_controllables", "base_controllers"
    ],

    "phase_6_graph_relationship_analysis": [
        "edge_composition", "shortest_path", "pathfinding", "relay_targets", "graph_search"
    ],

    "phase_7_azure_enumeration": ["azure_entity"],

    "phase_8_attack_analysis_enterprise": [
        "attack_paths", "attack_path_findings", "attack_path_types", "attack_path_finding_trends",
        "domain_available_types", "domain_details", "domain_sparkline", "attack_path_acceptance",
        "meta_nodes", "meta_trees", "asset_group_combo_node"
    ],

    "phase_9_cypher_queries": [
        "saved_queries", "saved_query_detail", "saved_query_permissions", "saved_query_export",
        "saved_queries_import", "saved_queries_export_multiple", "cypher"
    ],

    "phase_10_data_quality_analysis": [
        "completeness", "ad_domain_data_quality", "azure_tenant_data_quality",
        "platform_data_quality", "datapipe_status", "analysis"
    ],

    "phase_11_administrative_data": [
        "audit", "bloodhound_users", "tokens", "roles", "permissions", "custom_nodes",
        "events", "jobs", "clients", "posture_stats", "meta_entity"
    ]
}

In [None]:
# 'phase': 'phase_2_discovery'
# 'endpoint': 'features'
  # {'id': 10,
  #  'created_at': '2025-07-09T19:40:11.010859Z',
  #  'updated_at': '2025-07-09T19:40:11.010859Z',
  #  'deleted_at': {'Time': '0001-01-01T00:00:00Z', 'Valid': False},
  #  'key': 'risk_exposure_new_calculation',
  #  'name': 'Use new tier zero risk exposure calculation',
  #  'description': 'Enables the use of new tier zero risk exposure metatree metrics.',
  #  'enabled': False,
  #  'user_updatable': False},
# {'id': 8,
#  'created_at': '2025-07-09T19:40:11.010859Z',
#  'updated_at': '2025-07-09T19:40:11.010859Z',
#  'deleted_at': {'Time': '0001-01-01T00:00:00Z', 'Valid': False},
#  'key': 'pg_migration_dual_ingest',
#  'name': 'PostgreSQL Migration Dual Ingest',
#  'description': 'Enables dual ingest pathing for both Neo4j and PostgreSQL.',
#  'enabled': False,
#  'user_updatable': False}

In [None]:
import json
import datetime


def parse_json(data):
    """Parse user agent JSON with datetime handling"""

    def datetime_handler(obj):
        if isinstance(obj, datetime.datetime):
            return obj.isoformat()
        raise TypeError(f"Object of type {type(obj)} is not JSON serializable")

    if isinstance(data, str):
        return json.loads(data)
    return json.loads(json.dumps(data, default=datetime_handler))

login_body = {
    "login_method": "secret",
    "username": "admin",
    "secret": "ReachSecurity783!",
}

bh_api_data = []
bearer_token = {}
for phase, steps in workflow.items():
    print(f"Phase: {phase}")
    if isinstance(steps, list):
        for endpoint in steps:
            print(f"Endpoint: {endpoint}")
            if endpoint == "login":
                body_bytes = json.dumps(login_body).encode('utf-8')
                resp = _request(method=endpoints_all[endpoint]["method"], uri=endpoints_all[endpoint]["endpoint"],
                                body=body_bytes)
                print(resp.text)
                bearer_token = {"session_token": resp.json().get("data").get("session_token"),
                                "user_id": resp.json().get("data").get
                                ("user_id")}
            else:
                headers = {"accept": "application/json", "Prefer": "0",
                           "Authorization": f"Bearer {bearer_token['session_token']}"}
                resp = _request(method=endpoints_all[endpoint]["method"], uri=endpoints_all[endpoint]["endpoint"],
                                headers=headers)
                print(resp.content)
                try:
                    bh_api_data.append({"data": resp.json(object_hook=parse_json)["data"], "phase": phase,
                    "endpoint": endpoint})
                except Exception as e:
                    print(e)
                    print(resp.text)
                    bh_api_data.append({"error": resp.text, "phase": phase ,"endpoint": endpoint})
    # break

In [None]:
bh_api_data

In [None]:
    # Configuration
BLOODHOUND_URL = "http://127.0.0.1:8080"  # Replace with your BloodHound URL
JWT_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NTIyMDUwODUsImp0aSI6IjI3IiwiaWF0IjoxNzUyMTc2Mjg1LCJzdWIiOiI5YzZjY2M3Zi05MWFkLTQzMGYtYmYzMS1iYmI2Y2E1NmZjMzEifQ.JpwXmmhV0z-k7nh11ejA4GeUkW4JubsifRZwpOsswZQ"  # Replace with your JWT token


# BloodHound Python SDK

Unfortunately there is little to no documentation for this SDK, the documenation in the code is insufficient to fully
 use this without spending a good amount of time debugging. I've

In [None]:
from blood_hound_api_client import AuthenticatedClient
from blood_hound_api_client.api.api_info import get_api_version
from blood_hound_api_client.models import GetApiVersionResponse200, get_shortest_path_response_200
import auth
from auth.hmac_authenticated_client import HMACAuthenticatedClient

base_url = "http://127.0.0.1:8080"
token_key = BH_API_KEY
token_id = BH_API_ID
bh_client = HMACAuthenticatedClient(base_url=base_url, token_key=token_key, token_id=token_id)

print(dir(bh_client))
version: GetApiVersionResponse200 = get_api_version.sync(client=bh_client)
# response: Response[GetApiVersionResponse200] = get_api_version.sync_detailed(client=client)
response = get_api_version.sync_detailed(client=bh_client)
print(f"version: {version.data.api}")
print(f"response: {response}")




In [None]:
from blood_hound_api_client.api.attack_paths import export_attack_path_findings, list_attack_path_types
from blood_hound_api_client.api.domains import get_domain_entity, get_domain_entity_groups
from blood_hound_api_client.models import GetApiVersionResponse200, GetClientResponse200

import datetime
from urllib.parse import urljoin
import requests
import json
import hmac
import base64
import hashlib
from typing import Optional
# https://github.com/SpecterOps/bloodhound-python-sdk/blob/main/sdk/blood_hound_api_client/api/attack_paths/list_attack_path_sparkline_values.py#L255-L265
#         finding (str): Filter results by column string value. Valid filter predicates are `eq`,
#             `neq`.
#         from_ (Union[Unset, datetime.datetime]): Filter results by column timestamp value
#             formatted as an RFC-3339 string.
#             Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte`.
#         to (Union[Unset, datetime.datetime]): Filter results by column timestamp value formatted
#             as an RFC-3339 string.
#             Valid filter predicates are `eq`, `neq`, `gt`, `gte`, `lt`, `lte`.
#         prefer (Union[Unset, int]):  Default: 0.

#https://github.com/SpecterOps/bloodhound-python-sdk/blob/main/sdk/blood_hound_api_client/api/attack_paths/list_attack_path_types.py#L86-L99
# Filter results by column string value. Valid filter
#             predicates are `eq`, `neq`.

findings = [
    "AdminTo",
    "AllExtendedRights",
    "CanRDP",
    "CanPSRemote",
    "ExecuteDCOM",
    "GenericAll",
    "GenericWrite",
    "GetChanges",
    "GetChangesAll",
    "WriteDacl",
    "WriteOwner",
    "AddMember",
    "Owner",
    "HasSession",
    "Kerberoasting",
    "UnconstrainedDelegation",
    "ReadLAPSPassword",
    "ReadGMSAPassword",
    "DCSync",
    "ResetPassword"
]
# GHOST.CORP - S-1-5-21-2845847946-3451170323-426113966

# attack_paths = export_attack_path_findings.sync_detailed(domain_id="S-1-5-21-2845847946-3451170323-426113966",
#                                                          finding="DCSync",
#                                                          client=bh_client)
# print(attack_paths)
# Key: wKUSd2e31sdQKdf/xEGH/SnC4nhGG6qWPf4xeHz3mhncVMnjJz9G5Q==
# ID: 66503156-19a6-4e45-b457-49871947ab56
# Replace this line in your _request function
datetime_formatted = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
digester = hmac.new(BH_API_KEY.encode(), None, hashlib.sha256)
# In your headers dictionary, ensure the signature is decoded:
headers = {
    "User-Agent": "bhe-python-sdk 0001",
    "Authorization": f"bhesignature {BH_API_ID}",
    "RequestDate": datetime_formatted,
    "Signature": base64.b64encode(digester.digest()).decode('utf-8'),  # Add .decode('utf-8')
    "Content-Type": "application/json",
}

hmac_bh_client = HMACAuthenticatedClient(base_url="http://127.0.0.1:8080/",
                                    token_key=BH_API_KEY,
token_id=BH_API_ID)
domains_entities = None
client = hmac_bh_client
with client as client:
    domains_entities = list_attack_path_types.sync(client=bh_client, findings="eq")

In [None]:
domains_entities