Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Coalfire-Research/Vampire
Vampire is an aggressor script which integrates with BloodHound to mark nodes as owned.
active-directory aggressor bloodhound cna cobalt-strike
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/Coalfire-Research/Vampire
- Owner: Coalfire-Research
- License: other
- Created: 2019-04-08T17:20:07.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2021-04-06T23:11:38.000Z (over 3 years ago)
- Last Synced: 2024-04-08T21:20:32.273Z (7 months ago)
- Topics: active-directory, aggressor, bloodhound, cna, cobalt-strike
- Language: Python
- Homepage:
- Size: 72.3 KB
- Stars: 79
- Watchers: 7
- Forks: 19
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Vampire
__Vampire__ is an aggressor script which adds a "Mark Owned" right click option to beacons. This allows you to select either the Computer or User (or Default, which will choose based on your user), along with the domain they belong to. There is an additional optional cna script for marking new credentials as owned. Vampire will communicate with your neo4j REST API on localhost:7474 to mark the node as owned.
How to use
---
1. Put `vampire.cna`, `vampire_creds.cna`, and `owned_utils.py` in the root of your cobaltstrike folder
2. `chmod u+x owned_utils.py`
3. Load `vampire.cna` and `vampire_creds.cna` into Cobalt Strike through the Script Manager
4. Rain shells
5. Start neo4j and BloodHound as normal
6. Run BloodHound data collection and import data
7. Right click your beacon(s) and mark them as owned
8. Run `logonpasswords`
Considerations
---
- neo4j must be running on localhost, on the standard port - 7474
- Your neo4j database creds should be Kali standard `neo4j:BloodHound` (you can change the base64 in `owned_utils.py` otherwise)
- `echo -n 'neo4j:yourpassword' | base64` and then replace the auth in `owned_utils.py`

Benefits
---
- Never miss an attack path
- Quickly keep up with other team members' movement
How it works
---
`vampire.cna`:

1. Uses `owned_utils.py` to query the list of domains from neo4j
2. Obtain user selection
3. Foreach selected beacon ID:
   1. Append `@` + the specified domain to the user/computer name
   2. For `Default`, it will choose based on whether you're a local admin
   3. Uses `owned_utils.py` to query the neo4j REST API
      - `'MATCH (n:*) WHERE lower(n.name) = "' + nodelabel.lower() + '" SET n.owned = TRUE'`

`vampire_creds.cna`:
1. Listens for the `on credentials` callback
2. Loops through all the credentials, keeping an internal state
3. Optionally excludes 32 byte passwords (NTLM hashes - see `$ignore_hash`)
4. Reconstructs a valid domain for the user
5. Checks the user exists
6. Marks new credentials as owned
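The two sequences above both end in `owned_utils.py` sending a "mark owned" write to neo4j. The block below is an added example and is not Vampire's own `owned_utils.py`; it performs the same write but passes the node name as a Cypher parameter instead of concatenating it into the statement, so a user or computer name containing quotes cannot alter the query, and it surfaces neo4j's `errors` array so a failed write (wrong credentials, wrong endpoint) is not silently treated as success. Assumptions not stated on the page: the neo4j 3.x transactional endpoint `/db/data/transaction/commit` on `localhost:7474` (neo4j 4 moved it to `/db/<database>/tx/commit`), the Kali default `neo4j:BloodHound` credentials the Considerations section mentions, and that `Default` means "mark the computer when the beacon is local admin, otherwise the user". All function and constant names are mine.

```python
"""Added example (not Vampire's owned_utils.py): parameterised "mark owned"
request against BloodHound's neo4j REST API, with error checking.

Assumptions (not on the page):
- neo4j 3.x transactional endpoint /db/data/transaction/commit
- Basic auth, Kali default neo4j:BloodHound
- 'Default' picks the computer when local admin, else the user
"""
import base64
import json
import urllib.request
from typing import Optional

# Assumed neo4j 3.x endpoint; neo4j 4.x uses /db/<database>/tx/commit.
NEO4J_URL = "http://localhost:7474/db/data/transaction/commit"

# The node name travels as the $name parameter, never spliced into the text,
# so a crafted principal name cannot change the statement. RETURN count(n)
# lets the caller see whether anything was actually marked.
MARK_OWNED_CYPHER = (
    "MATCH (n) WHERE toLower(n.name) = toLower($name) "
    "SET n.owned = TRUE RETURN count(n) AS marked"
)


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value: 'Basic ' + base64(user:password).
    Computed at call time instead of pasting a pre-encoded string."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def node_name(principal: str, domain: str) -> str:
    """BloodHound names principals NAME@DOMAIN in upper case; the query
    compares case-insensitively anyway."""
    return f"{principal}@{domain}".upper()


def default_node_name(user: str, computer: str, domain: str, is_local_admin: bool) -> str:
    """Assumed meaning of the page's 'Default' option (see docstring above)."""
    return node_name(computer if is_local_admin else user, domain)


def build_commit_payload(name: str) -> dict:
    """Body for the transactional endpoint: one statement plus its parameters."""
    return {"statements": [{"statement": MARK_OWNED_CYPHER, "parameters": {"name": name}}]}


def parse_commit_response(body: str) -> int:
    """Return the number of nodes marked, or raise if neo4j reported errors
    (bad credentials, syntax error). A silently failed write is exactly how
    an attack path gets missed, so errors are never swallowed."""
    doc = json.loads(body)
    if doc.get("errors"):
        raise RuntimeError(f"neo4j errors: {doc['errors']}")
    rows = doc["results"][0]["data"]
    return rows[0]["row"][0] if rows else 0


def mark_owned(name: str, url: str = NEO4J_URL, auth: Optional[str] = None) -> int:
    """POST the parameterised statement and return how many nodes were marked."""
    auth = auth or basic_auth_header("neo4j", "BloodHound")
    req = urllib.request.Request(
        url,
        data=json.dumps(build_commit_payload(name)).encode(),
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": auth,
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_commit_response(resp.read().decode())


if __name__ == "__main__":
    # Needs a running neo4j with BloodHound data; names here are constructed.
    print(mark_owned(default_node_name("jdoe", "ws01", "corp.local", is_local_admin=False)))
```

A return value of `0` from `mark_owned` means the name matched no node, which usually points at a domain suffix or collection gap rather than a neo4j problem; treating it as a warning in the calling script keeps the "never miss an attack path" promise honest.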

Extensibility
---
The cna script handles the Cobalt Strike GUI, while the Python script handles Bloodhound/neo4j interaction. The reason I did it this way is because I couldn't get the HTTP request working nicely through Sleep sockets. The plus side is, you can call/import the Python code into your own project which doesn't use Cobalt Strike. The code in the functions is pretty much ripped from the neo4j syntax examples in the Bloodhound Github wiki.
Author
---
Patrick Hurd