A tool to generate wordlists from BloodHound Neo4j databases. This tool extracts usernames, computer names, group names, and other valuable information from your BloodHound database to create comprehensive wordlists for password cracking.
Inspired by:
- https://github.com/p0dalirius/pyLDAPWordlistHarvester/tree/main
- https://github.com/kaluche/bloodhound-quickwin/tree/main
- Extracts various types of data from BloodHound Neo4j database:
- User SamAccountNames
- Usernames
- Computer names
- Group SamAccountNames
- OU names
- Service Principal Names (SPNs)
- Domain trusts
- Supports domain filtering
- Clone the repository:
git clone https://github.com/yourusername/Neo4jWordlistHarvester.git
cd Neo4jWordlistHarvester- Install required packages:
pip install -r requirements.txtBasic usage:
python Neo4jWordlistHarvester.py-b, --bolt: Neo4j bolt connection (default: bolt://127.0.0.1:7687)-u, --username: Neo4j username (default: neo4j)-p, --password: Neo4j password (default: neo4j)-d, --domain: Domain filtering (case sensitive, typically UPPERCASE)-o, --output: Output file name (default: wordlist.txt)-l, --list-domains: List available domains and exit--debug: Enable debug mode for query inspection
List all domains in the database:
python Neo4jWordlistHarvester.py -lGenerate wordlist for a specific domain:
python Neo4jWordlistHarvester.py -d CONTOSO.LOCAL -o contoso_wordlist.txtConnect to a remote Neo4j instance:
python Neo4jWordlistHarvester.py -b bolt://neo4j.example.com:7687 -u admin -p password123Enable debug mode to see queries:
python Neo4jWordlistHarvester.py --debugThe tool generates a wordlist file containing:
- Usernames (both SamAccountNames and display names)
- Computer names
- Group names
- OU names
- Service Principal Names
- Domain names and their components
Each entry is unique (duplicates are removed) and empty/null values are filtered out.