Optional Credential Metadata in BloodHound Integration

[A3-N]

This might be more of a personal preference, but I’d like to propose adding an optional way to add credential metadata in BloodHound when using NetExec.

At some point in time, I enjoyed using Max, the dpatoption to import NTDS/clears into BloodHound Legacy. That workflow was convenient in GOAD and some small/short assessments, because it attached cleartext and NTLM evidence directly to user nodes. I'd usually opt out of doing this on larger scale systems or assessments that would span more than a week.

I was thinking of making my own fork with logic similar to this:
nxc/data/nxc.conf

[BloodHound]
bh_enabled = True
bh_uri = 
bh_port = 
bh_user = 
bh_pass = 
bh_show_hash = False
bh_show_password = False

TL;DR:
Add config flags to control whether hashes/passwords are included as metadata on matching user nodes.
Both flags default to False.
The goal is lab/QOL use cases (e.g. GOAD), not production defaults. Real-world deployments would need more care due to the sensitivity of credential data.

Would a PR implementing this as an opt-in feature be considered? I know people would have varying opinions on storing credential via this means, but then again, its up to you whether you want to use it or not and for what.

[A3-N]

Honestly, this had me second guessing. It would be enough just knowing where the "Owned" state comes from and what I have; showing the actual creds isn’t needed if the object info already says “user X came from host Y with retrieved password/hash within LSA or whatever.”