Skip to content

SQLite Database

Andi Morris edited this page Mar 8, 2022 · 1 revision

By default Goodhound will insert all of attack paths that it finds into a local SQLite database located in a db directory inside the current working directory.
This database can be then queried separately using the SQLite tools and queries.

In order to query the database you'll need the SQLite binaries available from https://www.sqlite.org/download.html

Example Goodhound SQLITE queries

Connect to DB

sqlite3.exe db\goodhound.db

Get paths not seen in over 90 days

select * from paths where date(last_seen, 'unixepoch') < date('now', '-90 days');

See number of paths containing a section of paths, useful for looking at the Nodes brought up in the Weakest Link report

select count(*) from paths where fullpath like'%ReadLAPSPassword -> SERVER%.DOMAIN.LOCAL%';

See bloodhound queries for paths containing a key starting group and scan time

select query from paths where groupname = '[email protected]' and datetime(last_seen, 'unixepoch') = '2021-10-28 05:15:22';

Close DB connection

.quit