-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration
ADPathfinder reads config.ini from the working directory. Any supported value can be overridden with an ADPF_* environment variable. Environment variables win for the current run and are not written back to disk.
- Environment variable.
-
config.ini. - Built-in default.
Set up BloodHound CE API access interactively:
adpathfinder --setup-bloodhound-apiThe Neo4j section is bootstrapped on first run when stored credentials are missing.
| Variable | Purpose |
|---|---|
ADPF_NEO4J_URI |
Neo4j connection URI. Default: neo4j://localhost:7687
|
ADPF_NEO4J_USERNAME |
Neo4j username |
ADPF_NEO4J_PASSWORD |
Neo4j password |
ADPF_BLOODHOUND_URL |
BloodHound CE base URL. Default: http://localhost:8080
|
ADPF_BLOODHOUND_USERNAME |
BloodHound CE API username |
ADPF_BLOODHOUND_PASSWORD |
BloodHound CE API password |
ADPF_BLOODHOUND_ENABLED |
BloodHound CE API toggle. Accepts 1/true/yes/on or 0/false/no/off
|
ADPF_HASHCAT_FILE_PATH |
Hashcat potfile used by the password audit |
ADPF_BH_INGESTION_TIMEOUT_SECONDS |
BloodHound CE ingestion wait timeout. Default: 600 seconds |
ADPF_BH_REQUEST_TIMEOUT_SECONDS |
HTTP request timeout for BloodHound CE API calls. Default: 60 seconds |
Passwords loaded from environment variables or config.ini are wrapped so their normal string and repr output is redacted in logs and diagnostics.
ADPF_HASHCAT_FILE_PATH is ignored if the file does not exist. BloodHound timeout values must be positive integers. ADPF_BLOODHOUND_URL and [BLOODHOUND] url may include a trailing slash; ADPathfinder strips it when loading configuration.
The Neo4j driver accepts these schemes through ADPF_NEO4J_URI or [NEO4J] uri:
| Scheme | Use |
|---|---|
neo4j:// |
Unencrypted local Neo4j, and the default setting |
bolt:// |
Single-instance unencrypted Neo4j |
neo4j+s://, bolt+s://
|
Encrypted connection with a CA-trusted certificate |
neo4j+ssc://, bolt+ssc://
|
Encrypted connection accepting a self-signed certificate |
Use a +ssc scheme when Neo4j presents a self-signed certificate. The +s schemes expect a certificate trusted by the client.
When ADPathfinder creates config.ini, it writes the file with mode 0600 so only the owner can read or write it. If the file already exists with looser permissions, ADPathfinder warns but does not change them. Fix that manually:
chmod 600 config.iniPath output excludes a default set of structural and duplicate BloodHound relationships to keep attack paths readable. The setting lives at [EXCLUSIONS] excluded_relationships. See Excluded relationships for the parsing rules and the exact behaviour of empty or missing values.
[NEO4J]
uri = neo4j://localhost:7687
username = neo4j
password = your-neo4j-password
[BLOODHOUND]
enabled = True
url = http://localhost:8080
username = admin
password = your-bloodhound-password
[HASHCAT]
file_path = /path/to/hashcat.potfile
[EXCLUSIONS]
excluded_relationships = Contains,
LocalToComputer,
Enroll