Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kaluche/bloodhound-quickwin
Simple script to extract useful informations from the combo BloodHound + Neo4j
https://github.com/kaluche/bloodhound-quickwin
Last synced: 21 days ago
JSON representation
Simple script to extract useful informations from the combo BloodHound + Neo4j
- Host: GitHub
- URL: https://github.com/kaluche/bloodhound-quickwin
- Owner: kaluche
- Created: 2021-02-16T16:04:16.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2023-12-18T13:23:10.000Z (12 months ago)
- Last Synced: 2024-08-05T17:45:09.519Z (4 months ago)
- Language: Python
- Size: 23.4 KB
- Stars: 192
- Watchers: 5
- Forks: 19
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - kaluche/bloodhound-quickwin - Simple script to extract useful informations from the combo BloodHound + Neo4j (Python)
README
# bloodhound-quickwin
Simple script to extract useful informations from the combo BloodHound + Neo4j. Can help to choose a target.## Prerequisites
- python3
```bash
pip3 install py2neo
pip3 install pandas
pip3 install prettytable
```
## Example
- Use your favorite [ingestor](https://github.com/fox-it/BloodHound.py) to gather ".json"
- Start your neo4j console
- Import "*.json" in [bloodhounnd](https://github.com/fox-it/BloodHound.py)
- Run ./bhqc.py## Usage
### Help
```bash
kaluche@pwn $ ./bhqc.py -h
usage: bhqc.py [-h] [-b BOLT] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--heavy] [-l] [--debug]Quick win for bloodhound + neo4j
options:
-h, --help show this help message and exit
-b BOLT, --bolt BOLT Neo4j bolt connexion (default: bolt://127.0.0.1:7687)
-u USERNAME, --username USERNAME
Neo4j username (default : neo4j)
-p PASSWORD, --password PASSWORD
Neo4j password (default : neo4j)
-d DOMAIN, --domain DOMAIN
Domain filtering (default: no filtering). It's case sensitive and should be mostly in UPPERCASE.
--heavy Using this flag to enable heavy querying (ACL, relationships, etc.) can result in durations of seconds or
minutes.
-l, --list-domains List available domains and exit.
--debug Debug queries, more output```
### Run
Note that you can now :
- list available domain "-l" and exit ;
- filtering domain with "-d DOMAIN".
- enable "--heavy" querying. Depends of your dataset size (ex for me: 1000 users < 5 sec ; 6000 users ~ 2 min)```bash
kaluche@pwn $ ./bhqc.py -p passwordNeo4JHere -d UCA.LAN --heavy▬▬ι═══════ﺤ BloodHound QuickWin @ kaluche_ -═══════ι▬▬
###########################################################
[*] Enumerating all domains admins (rid:512|519|544) (recursive)
###########################################################[+] Domain admins (group) : ADMINISTRATEURS DE L’[email protected]
[+] Domain admins (group) : ADMINS DU [email protected]
[+] Domain admins (group) : [email protected]
[+] Domain admins (enabled) : [email protected] [LASTLOG: < 1 year]
[+] Domain admins (enabled) : [email protected] [LASTLOG: NEVER]
[+] Domain admins (enabled) : [email protected] [LASTLOG: NEVER]
[+] Domain admins (enabled) : [email protected] [LASTLOG: NEVER]
[+] Domain admins (enabled) : [email protected] [LASTLOG: < 1 year]
[+] Domain admins (enabled) : [email protected] [LASTLOG: > 3 years]
[+] Domain admins (enabled) : [email protected] [ASREP] [LASTLOG: NEVER]
[+] Domain admins (enabled) : PENTEST.UCA.LAN [LASTLOG: NEVER]
[+] Domain admins (enabled) : [email protected] [SPN] [LASTLOG: NEVER]
[+] Domain admins (disabled) : [email protected] [LASTLOG: NEVER]###########################################################
[*] Enumerating privileges SPN
###########################################################[+] SPN DA (enabled) : [email protected]
###########################################################
[*] Enumerating privileges AS REP ROAST
###########################################################[+] AS-Rep Roast DA (enabled) : [email protected]
###########################################################
[*] Enumerating all SPN
###########################################################[+] SPN (enabled) : [email protected]
[+] SPN (enabled) : [email protected]
[+] SPN (enabled) : [email protected] [AdminCount]
[+] SPN (enabled) : [email protected]
[+] SPN (enabled) : [email protected]
[+] SPN (disabled) : [email protected] [AdminCount]###########################################################
[*] Enumerating AS-REP ROSTING
###########################################################[+] AS-Rep Roast (enabled) : [email protected]
[+] AS-Rep Roast (enabled) : [email protected] [AdminCount]
[+] AS-Rep Roast (enabled) : [email protected]
[+] AS-Rep Roast (enabled) : [email protected]###########################################################
[*] Enumerating Unconstrained user account
###########################################################[+] Unconstrained user (enabled) : [email protected]
[+] Unconstrained user (enabled) : [email protected]###########################################################
[*] Enumerating Constrained user account
###########################################################[+] Constrained user (enabled) : [email protected] ['CIFS/pc1.uca.lan', 'CIFS/pc1', 'CIFS/pc1.pwn.lab']
###########################################################
[*] Enumerating Constrained computer
###########################################################[+] Constrained computer (enabled) : PC1.UCA.LAN ['HTTP/pc2', 'HTTP/pc2.UCA.LAN']
###########################################################
[*] Enumerating Unconstrained computer (DC)
###########################################################[+] Unconstrained computer (enabled) : DC1.UCA.LAN [Windows Server 2012 R2 Standard]
###########################################################
[*] Enumerating Unconstrained computer (not a DC)
###########################################################[+] Unconstrained computer (enabled) : CERT1.UCA.LAN
###########################################################
[*] Resource-Based Constrained Delegation abuse
###########################################################[+] RBCD : from PC2.UCA.LAN to CERT1.UCA.LAN
###########################################################
[*] Can configure Resource-Based Constrained Delegation
###########################################################[-] No entries found
###########################################################
[*] Non-Admins who can DCSYNC
###########################################################[+] DCSYNC (enabled) : [email protected] --> UCA.LAN
###########################################################
[*] LAPS Readers
###########################################################[+] LAPS ACL : [email protected]> ReadLAPSPassword --> COMP00758.UCA.LAN
###########################################################
[*] relationships - testing which group can do what to others (all)
###########################################################[+] ACL : [email protected]> WriteDacl --> [email protected]
[+] ACL : [email protected]> WriteOwner --> [email protected]
[+] ACL : SERVEURS RAS ET [email protected]> WriteDacl --> RAS AND IAS SERVERS ACCESS [email protected]
[+] ACL : SERVEURS RAS ET [email protected]> WriteOwner --> RAS AND IAS SERVERS ACCESS [email protected]
[+] ACL : [email protected]> DCSync --> UCA.LAN###########################################################
[*] relationships - testing which (non admins) users can do what to others (all)
###########################################################[+] ACL : [email protected]> WriteSPN --> [email protected]
[+] ACL : [email protected]> GetChangesAll --> UCA.LAN
[+] ACL : [email protected]> CanPSRemote --> DC1.UCA.LAN
[+] ACL : [email protected]> ForceChangePassword --> [email protected]
[+] ACL : [email protected]> GenericAll --> CERT1.UCA.LAN
[+] ACL : [email protected]> AllExtendedRights --> FAKE01.UCA.LAN
[+] ACL : [email protected]> WriteAccountRestrictions --> FAKE01.UCA.LAN###########################################################
[*] Stats (all domains)
###########################################################+--------------------------------------------+------------+-------+
| Description | Percentage | Total |
+--------------------------------------------+------------+-------+
| All users | N/A | 37 |
| All users (enabed) | 86.49 | 32 |
| All users (disabled) | 8.11 | 3 |
| Users with 'domain admins' rights | 28.12 | 9 |
| Not logged (all) since 6 months | 13.51 | 5 |
| Not logged (enabled) since 6 months | 15.62 | 5 |
| Password not changed > 1 y (enabled only) | 40.62 | 13 |
| Password not changed > 2 y (enabled only) | 31.25 | 10 |
| Password not changed > 5 y (enabled only) | 0.0 | 0 |
| Password not changed > 10 y (enabled only) | 0.0 | 0 |
| Users with SPN | 18.75 | 6 |
| Users with AS REP ROAST | 12.5 | 4 |
| All Computers | N/A | 11 |
| LAPS Computers | 0.0 | 0 |
+--------------------------------------------+------------+-------+
./bhqc.py -p passwordNeo4JHere -d UCA.LAN --heavy 0,26s user 0,03s system 69% cpu 0,422 total```