Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/kaluche/bloodhound-quickwin

Simple script to extract useful informations from the combo BloodHound + Neo4j
https://github.com/kaluche/bloodhound-quickwin
Last synced: 3 months ago
JSON representation
Simple script to extract useful informations from the combo BloodHound + Neo4j
Host: GitHub
URL: https://github.com/kaluche/bloodhound-quickwin
Owner: kaluche
Created: 2021-02-16T16:04:16.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2023-12-18T13:23:10.000Z (11 months ago)
Last Synced: 2024-06-06T23:40:28.164Z (5 months ago)
Language: Python
Size: 23.4 KB
Stars: 187
Watchers: 5
Forks: 19
Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project

awesome-hacking-lists - kaluche/bloodhound-quickwin - Simple script to extract useful informations from the combo BloodHound + Neo4j (Python)
README

        # bloodhound-quickwin

Simple script to extract useful informations from the combo BloodHound + Neo4j. Can help to choose a target.

## Prerequisites

- python3

```bash

pip3 install py2neo

pip3 install pandas

pip3 install prettytable

```

## Example

- Use your favorite [ingestor](https://github.com/fox-it/BloodHound.py) to gather ".json"

- Start your neo4j console

- Import "*.json" in [bloodhounnd](https://github.com/fox-it/BloodHound.py)

- Run ./bhqc.py

## Usage

### Help 

```bash

kaluche@pwn $ ./bhqc.py -h

usage: bhqc.py [-h] [-b BOLT] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--heavy] [-l] [--debug]

Quick win for bloodhound + neo4j

options:

  -h, --help            show this help message and exit

  -b BOLT, --bolt BOLT  Neo4j bolt connexion (default: bolt://127.0.0.1:7687)

  -u USERNAME, --username USERNAME

                        Neo4j username (default : neo4j)

  -p PASSWORD, --password PASSWORD

                        Neo4j password (default : neo4j)

  -d DOMAIN, --domain DOMAIN

                        Domain filtering (default: no filtering). It's case sensitive and should be mostly in UPPERCASE.

  --heavy               Using this flag to enable heavy querying (ACL, relationships, etc.) can result in durations of seconds or

                        minutes.

  -l, --list-domains    List available domains and exit.

  --debug               Debug queries, more output

```

### Run

Note that you can now :

- list available domain "-l" and exit ;

- filtering domain with "-d DOMAIN".

- enable "--heavy" querying. Depends of your dataset size (ex for me: 1000 users < 5 sec ; 6000 users ~ 2 min)

```bash

kaluche@pwn $ ./bhqc.py -p passwordNeo4JHere -d UCA.LAN  --heavy

▬▬ι═══════ﺤ  BloodHound QuickWin @ kaluche_   -═══════ι▬▬ 

###########################################################

[*] Enumerating all domains admins (rid:512|519|544) (recursive)

###########################################################

[+] Domain admins (group) 	: ADMINISTRATEURS DE L’[email protected]

[+] Domain admins (group) 	: ADMINS DU [email protected]

[+] Domain admins (group) 	: [email protected]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG: < 1 year]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG:  NEVER]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG:  NEVER]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG:  NEVER]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG: < 1 year]

[+] Domain admins (enabled) 	: [email protected] [LASTLOG: > 3 years]

[+] Domain admins (enabled) 	: [email protected] [ASREP] [LASTLOG:  NEVER]

[+] Domain admins (enabled) 	: PENTEST.UCA.LAN [LASTLOG:  NEVER]

[+] Domain admins (enabled) 	: [email protected] [SPN] [LASTLOG:  NEVER]

[+] Domain admins (disabled) 	: [email protected] [LASTLOG:  NEVER]

###########################################################

[*] Enumerating privileges SPN

###########################################################

[+] SPN DA (enabled) 	: [email protected]

###########################################################

[*] Enumerating privileges AS REP ROAST

###########################################################

[+] AS-Rep Roast DA (enabled) 	: [email protected]

###########################################################

[*] Enumerating all SPN

###########################################################

[+] SPN (enabled) 	: [email protected]

[+] SPN (enabled) 	: [email protected]

[+] SPN (enabled) 	: [email protected] [AdminCount]

[+] SPN (enabled) 	: [email protected]

[+] SPN (enabled) 	: [email protected]

[+] SPN (disabled) 	: [email protected] [AdminCount]

###########################################################

[*] Enumerating AS-REP ROSTING

###########################################################

[+] AS-Rep Roast (enabled) 	: [email protected]

[+] AS-Rep Roast (enabled) 	: [email protected] [AdminCount]

[+] AS-Rep Roast (enabled) 	: [email protected]

[+] AS-Rep Roast (enabled) 	: [email protected]

###########################################################

[*] Enumerating Unconstrained user account

###########################################################

[+] Unconstrained user (enabled) 	: [email protected]

[+] Unconstrained user (enabled) 	: [email protected]

###########################################################

[*] Enumerating Constrained user account

###########################################################

[+] Constrained user (enabled) 	: [email protected] ['CIFS/pc1.uca.lan', 'CIFS/pc1', 'CIFS/pc1.pwn.lab']

###########################################################

[*] Enumerating Constrained computer

###########################################################

[+] Constrained computer (enabled) 	: PC1.UCA.LAN ['HTTP/pc2', 'HTTP/pc2.UCA.LAN']

###########################################################

[*] Enumerating Unconstrained computer (DC)

###########################################################

[+] Unconstrained computer (enabled) 	: DC1.UCA.LAN [Windows Server 2012 R2 Standard]

###########################################################

[*] Enumerating Unconstrained computer (not a DC)

###########################################################

[+] Unconstrained computer (enabled) 	: CERT1.UCA.LAN

###########################################################

[*] Resource-Based Constrained Delegation abuse

###########################################################

[+] RBCD : from PC2.UCA.LAN to CERT1.UCA.LAN

###########################################################

[*] Can configure Resource-Based Constrained Delegation

###########################################################

[-] No entries found

###########################################################

[*] Non-Admins who can DCSYNC

###########################################################

[+] DCSYNC (enabled) 	: [email protected] --> UCA.LAN

###########################################################

[*] LAPS Readers

###########################################################

[+] LAPS ACL : [email protected]> ReadLAPSPassword --> COMP00758.UCA.LAN

###########################################################

[*] relationships - testing which group can do what to others (all)

###########################################################

[+] ACL : [email protected]> WriteDacl --> [email protected]

[+] ACL : [email protected]> WriteOwner --> [email protected]

[+] ACL : SERVEURS RAS ET [email protected]> WriteDacl --> RAS AND IAS SERVERS ACCESS [email protected]

[+] ACL : SERVEURS RAS ET [email protected]> WriteOwner --> RAS AND IAS SERVERS ACCESS [email protected]

[+] ACL : [email protected]> DCSync --> UCA.LAN

###########################################################

[*] relationships - testing which (non admins) users can do what to others (all)

###########################################################

[+] ACL : [email protected]> WriteSPN --> [email protected]

[+] ACL : [email protected]> GetChangesAll --> UCA.LAN

[+] ACL : [email protected]> CanPSRemote --> DC1.UCA.LAN

[+] ACL : [email protected]> ForceChangePassword --> [email protected]

[+] ACL : [email protected]> GenericAll --> CERT1.UCA.LAN

[+] ACL : [email protected]> AllExtendedRights --> FAKE01.UCA.LAN

[+] ACL : [email protected]> WriteAccountRestrictions --> FAKE01.UCA.LAN

###########################################################

[*] Stats (all domains)

###########################################################

+--------------------------------------------+------------+-------+

|                Description                 | Percentage | Total |

+--------------------------------------------+------------+-------+

|                 All users                  |    N/A     |   37  |

|             All users (enabed)             |   86.49    |   32  |

|            All users (disabled)            |    8.11    |   3   |

|     Users with 'domain admins' rights      |   28.12    |   9   |

|      Not logged (all) since 6 months       |   13.51    |   5   |

|    Not logged (enabled) since 6 months     |   15.62    |   5   |

| Password not changed > 1 y (enabled only)  |   40.62    |   13  |

| Password not changed > 2 y (enabled only)  |   31.25    |   10  |

| Password not changed > 5 y (enabled only)  |    0.0     |   0   |

| Password not changed > 10 y (enabled only) |    0.0     |   0   |

|               Users with SPN               |   18.75    |   6   |

|          Users with AS REP ROAST           |    12.5    |   4   |

|               All Computers                |    N/A     |   11  |

|               LAPS Computers               |    0.0     |   0   |

+--------------------------------------------+------------+-------+

./bhqc.py -p passwordNeo4JHere -d UCA.LAN --heavy  0,26s user 0,03s system 69% cpu 0,422 total

```