{"id":13642760,"url":"https://github.com/knavesec/Max","last_synced_at":"2025-04-20T20:32:48.548Z","repository":{"id":40679881,"uuid":"266183097","full_name":"knavesec/Max","owner":"knavesec","description":"Maximizing BloodHound. Max is a good boy.","archived":false,"fork":false,"pushed_at":"2025-01-29T22:05:04.000Z","size":649,"stargazers_count":503,"open_issues_count":9,"forks_count":59,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-01-29T23:18:56.240Z","etag":null,"topics":["bloodhound","dogs","dpat","hacktoberfest","max"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/knavesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-22T18:41:32.000Z","updated_at":"2025-01-29T22:05:08.000Z","dependencies_parsed_at":"2023-02-09T21:45:57.915Z","dependency_job_id":"10d56db7-e9ab-4d84-8297-bc755ce4d51b","html_url":"https://github.com/knavesec/Max","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knavesec%2FMax","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knavesec%2FMax/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knavesec%2FMax/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knavesec%2FMax/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/knavesec","download_url":"https://codeload.github.com/knavesec/Max/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249959158,"owners_count":21351776,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bloodhound","dogs","dpat","hacktoberfest","max"],"created_at":"2024-08-02T01:01:35.925Z","updated_at":"2025-04-20T20:32:45.105Z","avatar_url":"https://github.com/knavesec.png","language":"Python","funding_links":[],"categories":["Tools","Python"],"sub_categories":[],"readme":"# Maximizing BloodHound with a simple suite of tools\n\n## Description\n\nNew Release:\n\n- [dpat](https://github.com/knavesec/Max/blob/master/wiki/dpat.md) - The BloodHound Domain Password Audit Tool (DPAT)\n\nA simple suite of tools:\n- [get-info](https://github.com/knavesec/Max/blob/master/wiki/get-info.md) - Pull lists of information from the Neo4j database\n- [mark-owned](https://github.com/knavesec/Max/blob/master/wiki/mark-owned.md) - Mark a list of objects as Owned\n- [mark-hvt](https://github.com/knavesec/Max/blob/master/wiki/mark-hvt.md) - Mark a list of objects as High Value Targets\n- [query](https://github.com/knavesec/Max/blob/master/wiki/query.md) - Run a raw Cypher query and return output\n- [export](https://github.com/knavesec/Max/blob/master/wiki/export.md) - Export all outbound controlling privileges of a domain object to a CSV file\n- [del-edge](https://github.com/knavesec/Max/blob/master/wiki/del-edge.md) - Delete an edge from the database\n- [add-spns](https://github.com/knavesec/Max/blob/master/wiki/add-spns.md) - Create HasSPNConfigured relationships, new attack primitive\n- [add-spw](https://github.com/knavesec/Max/blob/master/wiki/add-spw.md) - Create SharesPasswordWith relationships\n- [dpat](https://github.com/knavesec/Max/blob/master/wiki/dpat.md) - The BloodHound Domain Password Audit Tool (DPAT)\n- [pet-max](https://github.com/knavesec/Max/blob/master/wiki/pet-max.md) - Dogsay, happiness for stressful engagements\n\nThis was released with screenshots \u0026 use-cases on the following blogs: [Max Release](https://whynotsecurity.com/blog/max/),  [Updates \u0026 Primitives](https://whynotsecurity.com/blog/max2/) \u0026 [DPAT](https://whynotsecurity.com/blog/max3/)\n\nA new potential attack primitive was added to this tool during my research, see the `add-spns` section for full details.\n\n\n## Usage\n\n### Installation\n\nIdeally there shouldn't be much to install, but I've included a requirements.txt file just in case. Tested on Kali Linux \u0026 Windows 10, all functionality should work for both linux and Windows operating systems.\n\n`pip3 install -r requirements.txt`\n\n### Neo4j Creds\n\nNeo4j credentials can be hardcoded at the beginning of the script, they can be provided as CLI arguments, or stored as environment variables. If either parameter  is left blank, you will be prompted for the uname/password. To use environment variables, it is probably easiest to add a line (e.g., `export NEO4J_USERNAME='neo4j'`) within *~/.bashrc* or *~/.zshrc*  to store the username since it isn't really sensitive. The database password can be set within your shell's tab prior to running Max. Adding a space before the export command should prevent it from appearing within history.\n\n```bash\n export NEO4J_PASSWORD='bloodhound' # Notice whitespace before 'export'\npython3 max.py {module} {args}\n\n```\n\n```\npython3 max.py -u neo4j -p neo4j {module} {args}\n```\n\n```\npython3 max.py {module} {args}\nNeo4j Username: neo4j\nNeo4j Password:\n```\n\n### Quick Use\n\nGetting help in general, and module specific\n```\npython3 max.py -h\npython3 max.py {module} -h\n```\n\nImporting owned objects into BH\n```\npython3 max.py mark-owned -f owned.txt\npython3 max.py mark-owned -f owned.txt --add-note \"Owned by repeated local admin\"\n```\n\nGet list of users\n```\npython3 max.py get-info --users\npython3 max.py get-info --users --enabled\n\nUSER01@DOMAIN.LOCAL\nUSER02@DOMAIN.LOCAL\n...\n```\n\nGet list of objects in a target group\n```\npython3 max.py get-info --group-members \"domain controllers@domain.local\"\n```\n\nGet a list of computers that a user has administrative rights to\n```\npython3 max.py get-info --adminto USER01@DOMAIN.LOCAL\n```\n\nGet a list of owned objects with the notes for each\n```\npython3 max.py get-info --owned --get-note\n```\n\nRunning a query - return a list of all users with a path to DA\n```\npython3 max.py query -q \"MATCH (n:User),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}) MATCH (n)-[*1..]-\u003e(m) RETURN DISTINCT(n.name)\"\n```\n\nDelete an edge from the database\n```\npython3 max.py del-edge CanRDP\n```\n\nAdd HasSPNConfigured relationship using the information stored within BloodHound, or with a GetUserSPNs impacket file\n```\npython3 max.py add-spns -b\npython3 max.py add-spns -i getuserspns-raw-output.txt\n```\n\nDPAT\n```\npython3 max.py dpat -n ~/client/ntds.dit -c ~/.hashcat/hashcat.potfile -o ouputdir --html --sanitize\n```\n\nPet max\n```\npython3 max.py pet-max\n```\n\n#### Object Files \u0026 Specification\n\nObjects in file, must contain FQDN within, capitalization does not matter. This also applies to whenever a CLI username/computer name is supplied.\n\n```\nuser01@domain.local      \u003c- will be added / correct CLI input\ngroup01@domain.local     \u003c- will be added / correct CLI input\ncomputer01.domain.local  \u003c- will be added / correct CLI input\nComPutEr01.doMAIn.LOcaL  \u003c- will be added / correct CLI input\nuser02                   \u003c- will not be added / incorrect CLI input\ncomputer02               \u003c- will not be added / incorrect CLI input\n```\n\n## Further work\n\nI hope to include an `analyze` function to provide some sort functionality similar to PlumHound/Cypheroth. Lastly, thinking about creating a Powershell version for those running Neo4j on Windows, but I'm trash at Powershell so TBD.\n\nAny other features and improvements welcome, find me @knavesec in the BloodHoundGang Slack channel and on Twitter\n\n\n## Contributors\n\nI'd like to especially thank those who have contributed their time to developing \u0026 improving this tool:\n\n* [Nic Losby @blurbdust](https://twitter.com/blurbdust) (DPAT Module)\n* [Scott Brink @_sandw1ch](https://twitter.com/_sandw1ch) (Various)\n* [Logan @TheToddLuci0](https://infosec.exchange/@TheToddLuci0) (Many PRs)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknavesec%2FMax","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fknavesec%2FMax","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknavesec%2FMax/lists"}