
Advanced Active Directory network topology analyzer with SMB validation, multiple authentication methods (password/NTLM/Kerberos), and comprehensive network discovery. Export results as BloodHound‑compatible OpenGraph JSON.
NetworkHound connects to Active Directory Domain Controllers, discovers computer objects, resolves hostnames to IP addresses using multiple DNS methods, performs comprehensive network scanning (port scanning, HTTP/HTTPS validation), and discovers shadow-IT devices. It then builds a detailed network topology graph in OpenGraph JSON format compatible with BloodHound.
Requirements: Python 3.8+
Install dependencies:
pip3 install -r requirements.txt
Note: NetworkHound uses impacket for all Active Directory authentication (password, NTLM hash, Kerberos tickets).
The model.json file defines icons/styles for all custom kinds. Upload it to BloodHound via API using update_custom_nodes_to_bloodhound.py.
Authenticate and upload:
python update_custom_nodes_to_bloodhound.py -s https://bloodhound.example.com -u admin@domain.com -p "Password!" -m model.json
Basic scan with AD authentication:
python NetworkHound.py --dc 192.168.0.11 -d company.local -u admin -p password
Full network analysis with port scanning, HTTP and SMB validation:
python NetworkHound.py --dc 192.168.0.11 -d company.local -u admin -p password --shadow-it --port-scan --valid-http --ssl --valid-smb --scan-threads 50 -Pn
Using NTLM hash authentication:
python NetworkHound.py --dc 192.168.0.11 -d company.local -u admin --hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76
Using Kerberos ticket authentication:
python NetworkHound.py --dc dc.company.local -d company.local -u admin --kerberos
DNS over TCP (for proxy/firewall bypass):
python NetworkHound.py --dc dc.company.local -d company.local -u admin -p password --dns 8.8.8.8 --dns-tcp --verbose
Via proxychains with DNS over TCP:
proxychains python NetworkHound.py --dc dc.company.local -d company.local -u admin -p password --dns-tcp --port-scan
⚠️ Proxychains Note: When using proxychains, always use
--dns-tcpflag. This prevents multicast IP issues (224.*) that occur with UDP DNS through SOCKS proxies. SeeBUGFIX_PROXYCHAINS_DNS.mdfor details.
Required Arguments:
- --dc: Domain Controller hostname or IP address
- -d/--domain: Domain name (e.g., company.local)
- -u/--user: Username for authentication
Authentication (choose one):
- -p/--password: Password authentication
- --hashes: NTLM hash authentication (LM:NT or just NT)
- -k/--kerberos: Kerberos ticket file (requires KRB5CCNAME pointing to a ccache file)
Network Scanning:
- --port-scan: Enable TCP port scanning
- --ports: Comma-separated ports to scan (default: common ports)
- --scan-timeout: Port scan timeout in seconds (default: 3)
- --scan-threads: Number of concurrent threads (default: 10)
- -Pn: Only port scan hosts that respond to ping
Service Validation:
- --valid-smb: Test SMB connectivity and enumerate shares on SMB ports
- --valid-http: Test HTTP/HTTPS connectivity on open ports
- --ssl: Extract detailed SSL certificate information (slower)
Additional Options:
- --dns: DNS server for queries (defaults to DC if not specified)
- --dns-tcp: Use TCP for DNS queries instead of UDP (useful for proxy/firewall bypass)
- -o/--output: Output JSON file (default: network_opengraph.json)
- --shadow-it: Scan subnet ranges for shadow-IT devices
- -v/--verbose: Enable verbose output with detailed resolution methods
Site → DomainSubnet → SiteComputer/Device → SubnetComputer/Device → Website/FileShareComputer/Device Nodes:
- ip_addresses[]: All resolved IP addresses
- open_ports[]: Discovered open ports
- is_shadow_it: Boolean flag for shadow-IT devices
Website Nodes:
- url: Full website URL
- protocol: HTTP or HTTPS
- status_code: HTTP response code
- has_ssl: SSL/TLS enabled
- is_self_signed: Certificate validation status
- ssl_*: Detailed SSL certificate properties (when -s flag used)
Subnet Nodes:
- subnet: CIDR notation
- network_address: Network address
- broadcast_address: Broadcast address
- host_count: Number of hosts in subnet
NetworkHound - Active Directory Network Topology Analyzer
Author: Mor David (www.mordavid.com) | License: Non-Commercial
2025-09-19 01:26:07 - INFO - Starting NetworkHound
2025-09-19 01:26:07 - INFO - 🔗 STEP 1: Connecting to Domain Controller
2025-09-19 01:26:07 - INFO - 💻 STEP 2: Querying Active Directory Computer Objects
2025-09-19 01:26:07 - INFO - 🔍 STEP 3: Resolving Computer Hostnames to IP Addresses
2025-09-19 01:26:07 - INFO - 👻 STEP 4: Scanning for Shadow-IT Devices
2025-09-19 01:26:07 - INFO - 🔍 STEP 5: Network Port Scanning
2025-09-19 01:26:07 - INFO - 🌐 STEP 6: HTTP/HTTPS Validation
2025-09-19 01:26:07 - INFO - 📁 STEP 6.5: SMB Validation
2025-09-19 01:26:07 - INFO - 📊 STEP 7: Creating Network Topology Graph
2025-09-19 01:26:58 - INFO - ✅ ANALYSIS COMPLETED SUCCESSFULLY!
Mor David - Offensive Security Specialist & AI Security Researcher
I specialize in offensive security with a focus on integrating Artificial Intelligence and Large Language Models (LLM) into penetration testing workflows. My expertise combines traditional red team techniques with cutting‑edge AI technologies to develop next‑generation security tools.
⭐ Found this useful? Star the repo!
Made with ❤️ by Mor David
$ claude mcp add NetworkHound \
-- python -m otcore.mcp_server <graph>