Summary: AnsibleHound – BloodHound Collector for Ansible WorX and Tower

AnsibleHound is a BloodHound OpenGraph collector designed for Ansible WorX and Tower, enabling users to map organizational structures and permissions into an attack-path graph using a Read-only API token. It enumerates resources via the Tower REST API, transforming the collected data into a BloodHound-compatible format with custom nodes and edges to visualize permission hierarchies. The tool allows security teams to identify potential escalation paths and includes a script for loading custom icons to enhance graph readability.


AnsibleHound – BloodHound Collector for Ansible WorX and Tower

Original URL: https://github.com/TheSleekBoyCompany/AnsibleHound

Tags: 🛠️ Tool, 📡 Ansible Tower, 🕵️ Enumeration, 🔗 BloodHound

Technical Summary

AnsibleHound: BloodHound OpenGraph Collector for Ansible

AnsibleHound is a BloodHound OpenGraph collector for Ansible WorX and Ansible Tower,
implemented in Go to map your organization’s structure and permissions into a BloodHound attack-
path graph. By leveraging a user-generated Read-only API token, it enumerates all accessible
resources and relationships via the Tower REST API, enabling security teams or attackers to
visualize permission chains and identify potential escalation paths.

Prerequisites

Ansible Tower instance with API access

User account with a Read-only API token

Usage Steps

1. Token Creation

In the Ansible Tower web UI, navigate to User Details → Tokens, click Create Token, select
Read scope, then copy the generated token.

2. Building the Collector

cd collector
go build -o build/collector .

3. Running the Collector

Invoke the binary with the Tower URL and token:

./build/collector -u 'http://tower.example.com/' -t 'YOUR_READ_TOKEN'

Under the hood, the tool issues paginated GET requests to endpoints such as
/api/v2/organizations/, /api/v2/inventories/, /api/v2/hosts/,
/api/v2/job_templates/, /api/v2/projects/, /api/v2/credentials/, /api/v2/users/
and /api/v2/teams/, extracting IDs, names and scopes, then follows nested links to build a
complete object graph.

4. Graph Transformation

The collected JSON is converted into a BloodHound OpenGraph format. Custom node types
are defined with the AT prefix:

ATOrganization
ATInventory
ATHost
ATJobTemplate
ATProject
ATCredential
ATUser
ATTeam

Edge types model relationships and permissions:

ATContains
ATUses
ATExecute
ATRead
ATAdmin
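The two mechanics described in steps 3 and 4, pagination over the Tower REST API with a read token and conversion of the results into AT-prefixed nodes and edges, written out as an added Go example. This is not AnsibleHound's own code. It serves a constructed Tower-shaped API from an in-process httptest server so it runs offline, builds only the organization → inventory → host slice of the schema with ATContains edges, and assumes the field names of the BloodHound OpenGraph ingest JSON (id, kinds, properties, start/end with value, and the graph envelope) from memory; check them against the current BloodHound documentation before uploading real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// listPage is the Tower/AWX list envelope; the rest follow my reading of BloodHound's OpenGraph ingest JSON (an assumption).
type (
	listPage struct{ Next *string `json:"next"`; Results []map[string]any `json:"results"` }
	Ref      struct{ Value string `json:"value"` }
	Node     struct{ ID string `json:"id"`; Kinds []string `json:"kinds"`; Properties map[string]any `json:"properties"` }
	Edge     struct{ Kind string `json:"kind"`; Start Ref `json:"start"`; End Ref `json:"end"` }
	Graph    struct{ Nodes []Node `json:"nodes"`; Edges []Edge `json:"edges"` }
)

// FetchAll walks one list endpoint (base has no trailing slash), following "next" to the last page; a non-200 status is an error.
func FetchAll(client *http.Client, base, token, path string) ([]map[string]any, error) {
	var out []map[string]any
	for next := path; ; {
		req, err := http.NewRequest(http.MethodGet, base+next, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token) // OAuth2 token header used by Tower/AWX
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		var p listPage
		if resp.StatusCode != http.StatusOK {
			err = fmt.Errorf("GET %s: HTTP %d", next, resp.StatusCode) // e.g. 401 for a bad token
		} else {
			err = json.NewDecoder(resp.Body).Decode(&p)
		}
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		out = append(out, p.Results...)
		if p.Next == nil {
			return out, nil
		}
		next = *p.Next
	}
}

// BuildGraph makes AT* nodes joined by ATContains edges via the "organization"/"inventory" foreign keys on each object.
func BuildGraph(orgs, invs, hosts []map[string]any) Graph {
	var g Graph
	id := func(kind string, v any) string { return fmt.Sprintf("%s-%v", kind, v) } // e.g. "ATHost-100"
	add := func(kind string, objs []map[string]any, parentKind, parentField string) {
		for _, o := range objs {
			g.Nodes = append(g.Nodes, Node{ID: id(kind, o["id"]), Kinds: []string{kind},
				Properties: map[string]any{"name": o["name"]}})
			if parentKind != "" {
				g.Edges = append(g.Edges, Edge{Kind: "ATContains",
					Start: Ref{id(parentKind, o[parentField])}, End: Ref{id(kind, o["id"])}})
			}
		}
	}
	add("ATOrganization", orgs, "", "")
	add("ATInventory", invs, "ATOrganization", "organization")
	add("ATHost", hosts, "ATInventory", "inventory")
	return g
}

// NewSampleTower serves constructed Tower-shaped JSON offline; it rejects other tokens and pages the inventory list.
func NewSampleTower(token string) *httptest.Server {
	pages := map[string]string{
		"/api/v2/organizations/":      `{"next":null,"results":[{"id":1,"name":"Default"}]}`,
		"/api/v2/inventories/":        `{"next":"/api/v2/inventories/?page=2","results":[{"id":10,"name":"prod","organization":1}]}`,
		"/api/v2/inventories/?page=2": `{"next":null,"results":[{"id":11,"name":"lab","organization":1}]}`,
		"/api/v2/hosts/":              `{"next":null,"results":[{"id":100,"name":"web01","inventory":10},{"id":101,"name":"db01","inventory":11}]}`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized) // what a wrong or expired token gets
			return
		}
		fmt.Fprint(w, pages[r.URL.RequestURI()]) // unknown path: empty body, surfaces as a decode error
	}))
}

func main() {
	srv := NewSampleTower("read-only-token") // constructed; a real run passes the Tower URL and token from step 1
	defer srv.Close()
	var lists [3][]map[string]any
	for i, p := range []string{"/api/v2/organizations/", "/api/v2/inventories/", "/api/v2/hosts/"} {
		var err error
		if lists[i], err = FetchAll(http.DefaultClient, srv.URL, "read-only-token", p); err != nil {
			panic(err)
		}
	}
	json.NewEncoder(os.Stdout).Encode(map[string]Graph{"graph": BuildGraph(lists[0], lists[1], lists[2])})
}
```

The status check in FetchAll is the part worth copying: Tower answers a rejected or expired token with a JSON error body, and a collector that only decodes the results field would read that as zero objects and produce an empty graph that looks like a clean environment. Failing loudly on anything but 200 keeps a permissions audit from silently under-reporting what the token can reach.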

5. Loading Custom Icons

To visually distinguish nodes, run:

python3 scripts/import-icons.py 'http://bloodhound.example.com' 'YOUR_JWT_TOKEN'

6. Samples & Visualization


If no live Tower is available, import ./samples/example.json into BloodHound Enterprise
(BHCE) to explore a pre-built graph.

Schema Overview

Nodes represent organizational objects; edges represent relationships and permission levels. This
allows pinpointing hosts, credentials and users reachable under the supplied token, revealing attack
paths up to full admin control.

Hacking Tricks Summary

AnsibleHound exploits Ansible Tower’s REST API with a least-privileged Read token to perform
comprehensive enumeration: it traverses endpoints such as /api/v2/organizations/,
/inventories/, /hosts/, /job_templates/, /projects/, /credentials/, /users/ and /teams/,
handling JSON pagination and nested links to extract object IDs, names, and scopes, thereby
revealing the full structure and accessible resources.

It then transforms the collected data into BloodHound OpenGraph JSON by defining custom nodes
prefixed with AT (e.g., ATOrganization, ATHost) and edges (ATContains, ATUses, ATExecute,
ATRead, ATAdmin), enabling visualization of permission hierarchies and attack paths within
BloodHound. A supplementary Python script imports tailored icons to enhance graph readability.
