Configuration
FlashIngestor is configured through a combination of command-line arguments and a YAML configuration file (config.yaml). This page describes all available configuration options organized by category.
Note
If config.yaml is not present in the current directory or the path specified via --config, FlashIngestor will use built-in defaults (hardcoded in config/fallback.go).
| Flag | Type | Default | Description |
|---|---|---|---|
| --dc | string | (auto-discovered) | Domain controller to use for LDAP queries. If not specified, FlashIngestor will attempt to discover it via SRV/A DNS lookups. |
| --dns | string | (system default) | Custom DNS resolver IP address. Required when system DNS doesn't know about the AD domain. |
| --dns-tcp | bool | false | Use DNS over TCP instead of UDP. Useful when proxying traffic over SOCKS when UDP is not supported. |
| --outdir | string | ./output | Directory to store results (intermediate msgpack files and final JSON). |
| --log | string | (none) | Path to log file. If specified, logs will be written to both the file and the TUI. |
| --config | string | config.yaml | Path to YAML configuration file. |
| -w, --remote-workers | int | 50 | Number of concurrent workers for remote collection. Increase for better throughput in large environments. |
| --computer-timeout | duration | 10s | Timeout per computer for remote collection (all methods combined). |
| --method-timeout | duration | 4s | Timeout per individual remote collection method. |
| -v, --verbose | count | 0 | Increase verbosity level. Use -v for verbose, -vv for debug (maximum). |
| --pprof | bool | false | Enable pprof profiling server on http://localhost:6060 for performance analysis. |
| --version | bool | false | Show version information and exit. |
FlashIngestor uses the following hardcoded timeouts for various network operations (defined in config/config.go):
| Operation | Timeout | Description |
|---|---|---|
| LDAP Connection | 30s | Timeout for establishing LDAP connections |
| Port Check | 2s | Generic timeout for port availability checks |
| NetBIOS | 2s | Timeout for NetBIOS operations |
| HTTP | 3s | Timeout for HTTP requests (CA enrollment endpoint checks) |
| DCE/RPC EPM | 2s | Timeout for DCE/RPC endpoint mapper |
| Kerberos | 2s | Timeout for Kerberos operations |
| SMB | 2s | Timeout for SMB operations |
| DNS Dial | 5s | Timeout for connecting to DNS server |
| DNS Lookup | 10s | Timeout for DNS resolution |
These flags control the LDAP connection behavior during the ingestion step.
| Flag | Type | Default | Description |
|---|---|---|---|
| --scheme | string | ldaps | LDAP scheme: ldap (port 389) or ldaps (port 636). |
| --timeout | duration | 30s | LDAP connection timeout. Increase if working with a slow DC or network environment. |
| --verify | bool | false | Verify LDAP TLS certificate (for LDAPS). Generally not needed for auditing purposes. |
| --start-tls | bool | false | Negotiate StartTLS on plain LDAP connection (port 389) before authenticating. |
| --simple-bind | bool | false | Use LDAP Simple Bind authentication instead of SASL (NTLM/Kerberos). Only works with password or anonymous authentication. |
Tip
If connecting via LDAPS (636) fails, FlashIngestor will automatically fall back to plain LDAP (389) when ingestion.ldaps_to_ldap_fallback is enabled in config.yaml (default: true).
These flags enable obfuscation of LDAP queries using the ldapx library.
| Flag | Type | Default | Description |
|---|---|---|---|
| -f, --ldapx-filter | string | (none) | LDAP filter obfuscation middleware chain. Each letter represents a transformation applied in sequence. |
| -a, --ldapx-attrs | string | (none) | LDAP attributes obfuscation middleware chain. |
| -b, --ldapx-basedn | string | (none) | LDAP base DN obfuscation middleware chain. |
Example:

```
$ ./flashingestor --user admin@domain.corp --password Password@123 -f OGDR -a Owp -b OX
```

Refer to the ldapx documentation for the complete list of available middlewares and their detailed behavior.
Important
Be aware that transforming LDAP queries, although safe, may be prone to error - not all obfuscation middlewares are completely stable, and using complex middleware chains may break queries in unexpected ways, leading to missing data in the final dump.
Note
When obfuscation is enabled, FlashIngestor will log both original and obfuscated queries at debug verbosity level (-vv). This allows you to verify the transformations being applied.
These flags control authentication for the LDAP ingestion step. At minimum, you must provide --user and one authentication method.
| Flag | Type | Description |
|---|---|---|
| -u, --user | string | Required. Username with domain in one of these formats: UPN user@domain.com; NetBIOS DOMAIN\user or DOMAIN/user; Simple user (domain inferred); Anonymous @domain.com (with empty password). |
| -p, --password | string | Password for authentication. Use with -k for Kerberos or without for NTLM. |
| -H, --nt-hash | string | NT hash for pass-the-hash authentication (NTLM or Kerberos). |
| --aes-key | string | AES128 or AES256 key for pass-the-key (Kerberos only). Requires -k. |
| --ccache | string | Path to Kerberos credential cache (TGT) file. Requires -k. Alternative: set KRB5CCNAME environment variable. |
| --pfx | string | Path to PFX/PKCS#12 certificate file for certificate-based authentication. |
| --pfx-password | string | Password for PFX file (if encrypted). |
| --cert | string | Path to PEM certificate file for certificate-based authentication. |
| --key | string | Path to PEM private key file for certificate-based authentication. |
| -k, --kerberos | bool | Force Kerberos authentication instead of NTLM. |
Warning
When using Kerberos or certificates for ingestion, only DCs of the same domain as the user will be enumerated. Cross-domain ingestion requires NTLM (password/hash).
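The accepted --user spellings listed above, parsed into their user and domain parts as an added Go example (not FlashIngestor's own parser). The Principal type and the rejection of an empty side around a separator are assumptions; domain inference for the bare form is left to the caller.

```go
package main

import (
	"errors"
	"strings"
)

// Principal is the parsed form of a --user value (hypothetical type, not FlashIngestor's own).
type Principal struct {
	User, Domain string
	Anonymous    bool // the "@domain" form, valid only with an empty password
}

// parseUser accepts the formats listed for --user: UPN, NetBIOS with "\" or "/",
// a bare user (domain inferred later, so left empty here) and anonymous "@domain".
func parseUser(value, password string) (Principal, error) {
	v := strings.TrimSpace(value)
	switch {
	case v == "":
		return Principal{}, errors.New("--user is required")
	case strings.HasPrefix(v, "@"):
		if password != "" || v == "@" {
			return Principal{}, errors.New("anonymous form @domain needs a domain and an empty password")
		}
		return Principal{Domain: v[1:], Anonymous: true}, nil
	case strings.Contains(v, "@"):
		u, d, _ := strings.Cut(v, "@")
		return checked(u, d)
	case strings.ContainsAny(v, `\/`):
		sep := string(v[strings.IndexAny(v, `\/`)])
		d, u, _ := strings.Cut(v, sep) // NetBIOS order is DOMAIN then user
		return checked(u, d)
	}
	return Principal{User: v}, nil // bare user: domain inferred by the caller
}

// checked rejects a separator with an empty side, e.g. "alice@" or "\alice".
func checked(user, domain string) (Principal, error) {
	if user == "" || domain == "" {
		return Principal{}, errors.New("both user and domain must be non-empty")
	}
	return Principal{User: user, Domain: domain}, nil
}
```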
These flags provide separate credentials for remote collection. If not specified, FlashIngestor will use the same credentials as ingestion.
| Flag | Type | Description |
|---|---|---|
| --remote-user | string | Username for remote collection (same format as --user). |
| --remote-password | string | Password for remote collection. |
| --remote-nthash | string | NT hash for remote collection. |
| --remote-aeskey | string | AES key for remote collection. Requires --remote-kerberos. |
| --remote-ccache | string | Path to credential cache for remote collection. Requires --remote-kerberos. |
| --remote-pfx | string | Path to PFX file for remote collection. |
| --remote-pfx-password | string | Password for PFX file. |
| --remote-cert | string | Path to PEM certificate for remote collection. |
| --remote-key | string | Path to PEM key for remote collection. |
| --remote-kerberos | bool | Force Kerberos for remote collection. |
Use Cases:
- Local admin for remote collection: --remote-user Administrator@. (effectiveness depends on FilterAdministratorToken/LocalAccountTokenFilterPolicy registry settings)
- Different privileges: Running remote collection with a privileged user, but ingestion with a low-privilege user.
Warning
When using Kerberos or certificates for remote collection, only computers in the same domain as the user will be authenticated. Cross-domain remote collection requires NTLM (password/hash).
The configuration file is divided into three main sections: ingestion, remote_collection, and conversion.
Controls behavior during the LDAP ingestion step (Ctrl+L in the TUI).
```yaml
ingestion:
  include_acls: true
  recurse_trusts: false
  recurse_feasible_only: true
  search_forest: false
  ldaps_to_ldap_fallback: true
  prompt_msgpack_overwrite: true
  append_forest_domains: true
  queries:
    - name: Configuration
      filter: "(objectClass=*)"
      page_size: 1000
      attributes:
        - "*"
        - nTSecurityDescriptor
    # ... more queries
```

| Option | Type | Default | Description |
|---|---|---|---|
| include_acls | bool | true | Include nTSecurityDescriptor attribute in queries to collect ACLs. Critical for BloodHound ACL abuse paths. Set to false only for evasion or testing. |
| recurse_trusts | bool | false | Recursively ingest trusted domains using the same credentials. Only works with password or NT hash over NTLM. |
| recurse_feasible_only | bool | true | When recurse_trusts is enabled, only ingest trusts that are: 1. Inbound or bidirectional; 2. Either involve the initial domain OR are transitive. This prevents traversing outbound-only trusts and stops at nontransitive trust boundaries. |
| search_forest | bool | false | Ingest all domains in the same forest by reading the Configuration partition. Can be used with recurse_trusts (domains found via either method are only ingested once). |
| ldaps_to_ldap_fallback | bool | true | If LDAPS (636) connection fails, automatically retry with plain LDAP (389). |
| prompt_msgpack_overwrite | bool | true | Prompt for confirmation before overwriting existing msgpack files during ingestion or remote collection. |
| append_forest_domains | bool | true | Append newly discovered domain↔forest mappings to output/ldap/ForestDomains.json instead of overwriting. |
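The recurse_trusts / recurse_feasible_only walk described above, as an added Go sketch that is not FlashIngestor's code. It assumes a Trust model built from the standard AD trustDirection values (1 inbound, 2 outbound, 3 bidirectional) and the NON_TRANSITIVE bit (0x1) of trustAttributes; the sample trusts are constructed.

```go
package main

import "fmt"

// Standard AD trustDirection (1=inbound, 2=outbound, 3=bidirectional) and trustAttributes NON_TRANSITIVE bit.
const TrustDirInbound, TrustDirOutbound, TrustDirBidirectional = 1, 2, 3
const TrustAttrNonTransitive = 0x1

// Trust is one trustedDomain object read in Source, pointing at Target (hypothetical model, not FlashIngestor's).
type Trust struct {
	Source, Target        string
	Direction, Attributes int
}

// feasible: the recurse_feasible_only rule (inbound or bidirectional, and involving the initial domain or transitive).
func feasible(t Trust, initial string) bool {
	if t.Direction != TrustDirInbound && t.Direction != TrustDirBidirectional {
		return false
	}
	involvesInitial := t.Source == initial || t.Target == initial
	transitive := t.Attributes&TrustAttrNonTransitive == 0
	return involvesInitial || transitive
}

// reachable walks feasible trusts breadth-first from initial; each domain is ingested once, in discovery order.
func reachable(initial string, trusts []Trust) []string {
	seen := map[string]bool{initial: true}
	order := []string{initial}
	for i := 0; i < len(order); i++ {
		for _, t := range trusts {
			if t.Source == order[i] && !seen[t.Target] && feasible(t, initial) {
				seen[t.Target] = true
				order = append(order, t.Target)
			}
		}
	}
	return order
}

// sampleTrusts is a constructed forest: corp<->dev transitive, dev<->lab non-transitive,
// corp->ext outbound only, dev<-qa inbound only (qa trusts dev).
func sampleTrusts() []Trust {
	return []Trust{
		{"corp.local", "dev.local", TrustDirBidirectional, 0},
		{"dev.local", "lab.local", TrustDirBidirectional, TrustAttrNonTransitive},
		{"corp.local", "ext.local", TrustDirOutbound, 0},
		{"dev.local", "qa.local", TrustDirInbound, 0},
	}
}
func main() { fmt.Println(reachable("corp.local", sampleTrusts())) }
```

With the sample forest the walk stops at lab.local (non-transitive and not involving corp.local) and never follows the outbound-only trust to ext.local.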
The queries section defines LDAP searches executed during ingestion. Each query has:
| Field | Type | Description |
|---|---|---|
| name | string | Query identifier (used for logging and output filenames). |
| filter | string | LDAP search filter. Must be valid LDAP syntax. |
| page_size | int | Number of results returned per paged query (LDAP paging). Typical values: 100-1000. Usually has little effect. |
| attributes | list | LDAP attributes to retrieve. Use "*" for all standard attributes; explicitly list operational attributes like nTSecurityDescriptor. |
Default Queries:
| Name | Filter | Purpose |
|---|---|---|
| Configuration | `(objectClass=*)` | Collects PKI objects (CAs, cert templates, issuance policies) from Configuration partition |
| Schema | `(\|(name=ms-mc*wd)(name=ms-lap*))` | Detects LAPS schema extensions |
| Domains | `(objectClass=domain)` | Domain partition roots |
| Trusts | `(objectClass=trustedDomain)` | Trust relationships |
| Containers | `(&(!(objectClass=groupPolicyContainer))(objectClass=container))` | Container objects (excluding GPOs) |
| OrganizationalUnits | `(objectClass=organizationalUnit)` | OUs |
| Users | `(\|(&(objectCategory=person)(objectClass=user))(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))` | Users, MSAs, and gMSAs |
| Computers | `(&(sAMAccountType=805306369)(!(objectClass=msDS-GroupManagedServiceAccount))(!(objectClass=msDS-ManagedServiceAccount)))` | Computer objects (excluding MSA/gMSAs) |
| Groups | `(objectClass=group)` | Security and distribution groups |
| GroupPolicies | `(objectCategory=groupPolicyContainer)` | GPO objects |
Warning
Customizing Queries: You can modify filters and attributes, but be cautious:
- Removing required attributes may break BloodHound conversion
- Changing filter semantics may cause incomplete collection
- The default queries are tuned for BloodHound compatibility
Refer to Object-Model to see which attributes are needed for each object type.
Controls behavior during the remote collection step (Ctrl+R in the TUI).
```yaml
remote_collection:
  methods:
    - userrights
    - dcregistry
    - sessions
    - regsessions
    - loggedon
    - ntlmregistry
    - caregistry
    - certservices
    - webclient
    - localgroups
    - ldapservices
    - smbinfo
    - gpolocalgroup
  availability_checks:
    - windows_os
    - password_age
    # - smb_port_scan
```

Each method corresponds to a specific type of remote data collection. Toggle methods based on your objectives and environment constraints. For detailed information about each method, see SharpHound-x-FlashIngestor.
Availability checks filter which computers undergo remote collection, reducing wasted time and noise.
| Check | Description | When to Use |
|---|---|---|
| windows_os | Only collect from computers with operatingSystem attribute containing "Windows" | Environments with mixed OS (exclude Linux/macOS) |
| password_age | Only collect from computers with pwdLastSet or lastLogonTimestamp within last 60 days | Exclude stale/decommissioned computers |
| smb_port_scan | Only collect from computers with TCP port 445 open | Reduce failed connection attempts (adds latency per computer) |

Default: windows_os and password_age enabled, smb_port_scan disabled (adds overhead).
Note
If no checks are specified, remote collection runs on all computers found during ingestion (subject to enabled methods). This could be a big bottleneck depending on the size of the environment, as most environments have many computer objects that don't actually represent active computers.
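The windows_os and password_age checks applied to computer objects, as an added Go example that is not FlashIngestor's code. The Computer type is an assumption; pwdLastSet and lastLogonTimestamp are modelled as AD FILETIME values (100ns ticks since 1601), which is the one conversion that usually trips up hand-written filters. smb_port_scan is left out because it needs a live probe; an empty check list keeps every computer, as the note above describes.

```go
package main

import (
	"strings"
	"time"
)

// Computer carries the attributes the checks consult (hypothetical model, not FlashIngestor's type).
type Computer struct {
	Name, OperatingSystem string
	PwdLastSet            int64 // AD FILETIME: 100ns ticks since 1601-01-01 UTC; 0 = never set
	LastLogonTimestamp    int64
}

const fileTimeEpochDiff = 116444736000000000 // 100ns ticks from 1601-01-01 to 1970-01-01

func fileTimeToTime(ft int64) time.Time { return time.Unix(0, (ft-fileTimeEpochDiff)*100).UTC() }
func timeToFileTime(t time.Time) int64  { return t.UnixNano()/100 + fileTimeEpochDiff }

// password_age: pwdLastSet or lastLogonTimestamp within the last 60 days; unset (0) never qualifies.
func passwordAge(c Computer, now time.Time) bool {
	cutoff := now.Add(-60 * 24 * time.Hour)
	for _, ft := range []int64{c.PwdLastSet, c.LastLogonTimestamp} {
		if ft != 0 && fileTimeToTime(ft).After(cutoff) {
			return true
		}
	}
	return false
}

// Checks keyed by their config.yaml name. smb_port_scan is left out: it needs a live TCP 445 probe.
var checks = map[string]func(Computer, time.Time) bool{
	"windows_os":   func(c Computer, _ time.Time) bool { return strings.Contains(c.OperatingSystem, "Windows") },
	"password_age": passwordAge,
}

// selectTargets keeps computers passing every enabled check; an empty list keeps all, unknown names are skipped.
func selectTargets(cs []Computer, enabled []string, now time.Time) []string {
	var out []string
	for _, c := range cs {
		ok := true
		for _, name := range enabled {
			ok = ok && (checks[name] == nil || checks[name](c, now))
		}
		if ok {
			out = append(out, c.Name)
		}
	}
	return out
}
```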
Controls behavior during the conversion step (Ctrl+S in the TUI), which merges LDAP and remote data into BloodHound JSON.
```yaml
conversion:
  merge_remote: true
  writer_bufsize: 33554432
  compress_output: true
  cleanup_after_compression: true
```

| Option | Type | Default | Description |
|---|---|---|---|
| merge_remote | bool | true | Merge remote collection results from output/remote/ into ingested LDAP data. Set to false to convert LDAP-only data. |
| writer_bufsize | int | 33554432 (32 MB) | Size of the memory buffer (in bytes) for writing BloodHound JSON files. May improve write performance. |
| compress_output | bool | true | Compress BloodHound JSON files into a ZIP archive after conversion. |
| cleanup_after_compression | bool | true | Delete individual JSON files after successful ZIP compression. Saves disk space after conversion ends. |
Tip
Disk Space Management:
- Enable compress_output + cleanup_after_compression (default) to minimize disk usage
- Keep msgpack files (output/ldap/, output/remote/) if you need to re-run conversion with different settings
- After importing to BloodHound, you can safely delete msgpack files if not needed for analysis