bloodhound custom queries linux

What BloodHound is

BloodHound is a tool to analyze and understand Active Directory trust relationships. "BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment." In short, it analyzes group membership, GPOs, permissions, and currently logged-on sessions and visually displays the links between objects in order to identify misconfigurations and easy paths to compromise. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment. For an offensive practitioner, this tool can highlight the hops you might take to reach a goal within a network. BloodHound does not have any offensive capacity itself, but it is a fantastic tool for mapping the targeted

It is interactive, it gives a tangible view of the network to less technical people, and it is not PowerPoint. The interface is slick, the install is painless enough considering the dependencies, and the pre-built analytics deliver actionable intelligence. The piping is in place for users to extend the already-great features and tailor them to their specific job function or workflow. This tool is not for analyzing the permissions on a …

Installation

BloodHound is supported on Linux, Windows, and macOS. It is recommended to update the system before installing the BloodHound tool. On Kali/Debian/Ubuntu the simplest thing to do is sudo apt install bloodhound, which pulls down all the required dependencies.

BloodHound is built on Neo4j and depends on it. Neo4j is a graph database management system (a NoSQL graph database). By default Neo4j only allows local connections. Install Neo4j Community Edition manually from the Neo4j website, not through apt. I recently did an installation of the new 3.0 version of BloodHound on Ubuntu 18.0.4 LTE, with a neo4j 4.0 database.

The GUI

On the right side of the BloodHound window there are options for import/export graph, upload data, and threshold settings. The import/export options import or export the current graph in JSON format. The upload option feeds collected data into the BloodHound interface. After uploading these files, take advantage of the pre-built queries within BloodHound.

To show the queries that are already configured to run against the analyzed data, select the Queries option within the BloodHound console. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. A notable query here is "Shortest Paths to Domain Admins". BloodHound also includes custom node selection, where a specified source node and target node are selected for attack path mapping. Additionally, you can execute your own Cypher queries using the Raw Query bar at the bottom of the app.

Cypher basics

BloodHound (Neo4j) has its own query language, Cypher, but also comes with a set of predefined and very useful queries. You can even modify them directly from the GUI; afterwards, you will see the queries used in "Raw Query". You probably have spotted which query is used most: "Find Shortest Paths to Domain Admins". When starting to write queries, it is easier to start with existing ones.

Cypher queries are made of nodes (User, Group, Computer…), relationships (MemberOf, AdminTo…) and properties (name, description…). Nodes are written as () and relationships as []. For instance, users are written as (:User) and the "member of" relationship as [:MemberOf]. Variables can be assigned for further use, for example (variable:User); these variables can then be referenced later in the same query. Cypher is a bit complex since it is almost like programming with ASCII art. This cheatsheet is separated…

The two simplest options for issuing ad-hoc Cypher queries are BloodHound's Raw Query feature (at the bottom of the app) and Neo4j's web browser (http://localhost:7474/). I recommend using Neo4j's web browser to tinker with queries since you get some nifty syntax highlighting and debugging tools. To extract data from BloodHound, the underlying database can be queried directly through the Neo4j Browser (by default at http://localhost:7474). Custom queries and database updates can be done independently of the BloodHound application.

The Custom Queries file

As of BloodHound v1.2, a JSON file holding the custom queries is saved in the Electron user directory associated with BloodHound. On Windows, the file falls under AppData\Roaming\bloodhound. You can edit the file by clicking the crayon icon next to Custom Queries in the UI, which asks your OS to open the file in whatever your default editor is. You can edit the "Custom Queries" from the BloodHound GUI, copy our queries from here, paste them and reload. Using these requires Neo4j, a populated database, and a BloodHound app.

Assessment after assessment, we see that BloodHound is an exceptional tool that can be further extended to match our needs. We decided to publish our queries to help everyone assess their environment and to possibly foster further improvements. Rohan has also become a Cypher expert, developing several general and analytical queries to run with BloodHound. A companion command sets all the hosts in "high_value.txt" to high value targets; the names of users and computers in the text file should match the name shown in the GUI for the node.

Download the 'Custom Queries' JSON file here: https://github.com/hausec/Bloodhound-Custom-Queries. I've added four custom queries …

One of the published queries, "All Computers Local Admin to Another Computer", is referenced in Printer Tricks Episode II – Attack of the Clones. The requirements of such an attack are:
- a computer that is admin to another computer (discovered thanks to this BloodHound query!)
- the Print Spooler service active on the source computer, or another way of triggering an outgoing SMB connection
- no firewall blocking SMB from the source computer to the attacker
- no firewall blocking SMB from the attacker to the target computer

Training material covering this ground includes: analyzing BloodHound and other tool data; AD enumeration from a non-domain-joined Linux and Windows attack box as well as a compromised domain-joined host; and extending BloodHound by writing custom Cypher queries. That module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques covered.

UI Customizations and Custom Queries

porterhau5, 2017-03-22 (BLOG: BloodHound, pen-testing). A collection of infosec projects & blog posts by @porterhau5.

Customizing BloodHound's UI and taking advantage of Custom Queries to document a compromise, find the collateral spread of owned nodes, and visualize deltas in privilege gains.

This is the first installment in a series of posts regarding modifications to BloodHound and lessons learned while working with Neo4j & Cypher. Other posts can be found here: Representing Password Reuse in BloodHound; Creating Conditional Statements with Cypher; Finding the Collateral Spread When a Node is Compromised. If you'd like to skip to the new features then start here.

If you're new to BloodHound, I highly recommend checking out this blog, this video, or this wiki to familiarize yourself. The value derived from BloodHound on an engagement for me is obvious – I can quickly identify those complex attack paths that otherwise would have taken OVER 9000 BILLABLE HOURS to discover.

Motivation

My workflow stems from being a penetration tester. As I contemplated how to add this functionality into BloodHound, I thought more about my workflow and how compromises often unfold: a compromise arrives in steps, each one yielding a new set of footholds. For example, cracking captured hashes: 2 accounts obtained. Passing the SQLSRV01 local administrator hash against other hosts: 4 more accounts obtained. And so on.

Let's use BloodHound to answer a simple question: when a new set of nodes are owned by some method, what other nodes can we now collaterally reach? This is similar to the "Find Shortest Paths to Here" idea, but we're now interested in the paths branching out of a node instead of those coming in. It would be terrific if we could see what's available to us now that wasn't available to us before. When we designate a node as owned, we want to see the ripple effect across the network. This looked like an opportunity to add in a feature that could make my life easier as a penetration tester. It's tedious to manually run these queries each time a node is compromised, so let's remove that hassle and take it a step further by tweaking the UI and writing some custom queries.

We'll leverage this notion, that a node can be "owned" during a "wave" of compromise, to build some useful features.

Tracking owned nodes with properties

In its current version, BloodHound stores one property for each node: name. Depending on the type of node, this will be either a user's name (for example [email protected]) or a computer's name (for example SYSTEM38.INTERNAL.LOCAL). To track owned Users and Computers, we'll set two new properties on relevant nodes: owned (the method of compromise) and wave (the wave of compromise in which the node was owned). These properties can be added to a specified node using Cypher. Here's the Cypher syntax for adding the properties to a specified node:

    MATCH (n) WHERE n.name="[email protected]" SET n.owned="LLMNR wpad", n.wave=1

Now a query for [email protected] reflects the added properties:

    MATCH (n) WHERE n.name="[email protected]" RETURN n
    +-------------------------------+
    | n                             |
    +-------------------------------+
    | owned | LLMNR wpad            |
    | name  | [email protected]       |
    | wave  | 1                     |
    +-------------------------------+

Wave 1

Assume we were able to crack the hashes and obtain cleartext passwords for two accounts, [email protected] and [email protected]. Let's mark those two accounts as compromised using Cypher:

    // Adding [email protected] to wave 1 via LLMNR wpad
    MATCH (n) WHERE n.name="[email protected]" SET n.owned="LLMNR wpad", n.wave=1
    > Set 2 properties, statement completed in 5 ms.

    // Adding [email protected] to wave 1 via NBNS wpad
    MATCH (n) WHERE n.name="[email protected]" SET n.owned="NBNS wpad", n.wave=1
    > Set 2 properties, statement completed in 6 ms.

    // Show names of nodes from the first wave
    MATCH (n) WHERE n.wave=1 RETURN n.name
    +-------------------------+
    | n.name                  |
    +-------------------------+
    | [email protected]         |
    | [email protected]         |
    +-------------------------+

With these two nodes as our source, let's use BloodHound's Raw Query feature to find the other nodes collaterally included in this wave of compromise. We see two additions – both users are MemberOf "DOMAIN [email protected]", and one user is AdminTo "SYSTEM38.INTERNAL.LOCAL". Go ahead and add both of those nodes to wave 1 as well:

    MATCH (n)-[r*]->(m) WHERE n.wave=1 SET m.wave=1
    > Set 3 properties, statement completed in 5 ms.

    // Show updated names of nodes from the first wave
    MATCH (n) WHERE n.wave=1 RETURN n.name
    +-----------------------------+
    | n.name                      |
    +-----------------------------+
    | [email protected]             |
    | DOMAIN [email protected]      |
    | [email protected]             |
    | SYSTEM38.INTERNAL.LOCAL     |
    +-----------------------------+

Notice that a magenta lightning bolt appears on the top-left of nodes relevant to our custom query. And now click on the "Find all owned Domain Admins" custom query: boom, we got one. Neat. This is the same idea as "Find Shortest Paths to Domain Admins", but we're focusing on nodes we've owned. Now I know which machines I should go plunder for sensitive documents, local hashes, cached passwords, etc.

Wave 2

Imagine that the next step of our penetration test involved a password spraying attack against domain users. We found two users with "Spring2017!" on the INTERNAL.LOCAL domain, ZDEVENS and BPICKEREL. What happens when we compromise a disjoint set of nodes via some new method? We can use the same queries as before, but we'll want to be careful not to overwrite data from previous waves. The clause AND not(EXISTS(m.wave)) ensures we don't include any destination nodes that already have the wave property set.

Wave 3 and the bh-owned.rb script

Continuing with our theoretical penetration test, let's say that we found a juicy Excel spreadsheet which contained credentials for users [email protected] and [email protected]. We'll first create a CSV with the node names and method of compromise like so:

    $ cat 3rd-wave.txt
    [email protected],Creds in file on DATABASE5
    [email protected],Creds in file on DATABASE5

Then we use the -a flag to ingest:

    $ ruby bh-owned.rb -a 3rd-wave.txt
    [*] Using default username: neo4j
    [*] Using default password: BloodHound
    [*] Using default URL: http://127.0.0.1:7474/
    [+] Adding [email protected] to wave 3 via Creds in file on DATABASE5
    [+] Adding [email protected] to wave 3 via Creds in file on DATABASE5
    [+] Querying and updating new owned nodes.

The script reads the wave property that already exists on compromised nodes and increments it by one, so that the incoming additions land in wave 3. It then creates the Cypher queries to set the properties on the owned nodes, and creates the Cypher query to find the spread of compromise for the new wave. The file passed to -s should be newline-delimited with one node name per line. The -e, --examples flag prints a reference doc of customized Cypher queries for BloodHound:

    List all directly owned nodes:
    MATCH (n) WHERE exists(n.owned) RETURN n

    Find all nodes in wave $num:
    MATCH (n)-[r]->(m) WHERE n.wave=$num AND m.wave=$num RETURN n,r,m

    Show all waves up to and including wave $num:
    MATCH (n)-[r]->(m) WHERE n.wave<=$num RETURN n,r,m

    Set owned and wave properties for a node (named $name, compromised via $method in wave $num):
    MATCH (n) WHERE (n.name = '$name') SET n.owned = '$method', n.wave = $num

    Find spread of compromise for owned nodes in wave $num:
    OPTIONAL MATCH (n1:User {wave:$num}) WITH collect(distinct n1) as c1
    OPTIONAL MATCH (n2:Computer {wave:$num}) WITH collect(distinct n2) + c1 as c2
    UNWIND c2 as n
    OPTIONAL MATCH p=shortestPath((n)-[*..20]->(m)) WHERE not(exists(m.wave))
    WITH DISTINCT(m) SET m.wave=$num

UI changes

Like the additions to the Node Info tab, this feature is currently only available in the modified version of BloodHound, because any modifications to BloodHound's display require changing BloodHound's source. The custom query that draws a wave, as stored in the Custom Queries JSON file, is:

    "OPTIONAL MATCH (n1:User {wave:{wave}}) WITH collect(distinct n1) as c1
     OPTIONAL MATCH (n2:Computer {wave:{wave}}) WITH collect(distinct n2) + c1 as c2
     OPTIONAL MATCH (n3:Group {wave:{wave}}) WITH c2, collect(distinct n3) + c2 as c3
     UNWIND c2 as n UNWIND c3 as m
     MATCH (n)-[r]->(m) RETURN n,r,m"

It uses a query to present the user with the wave values and passes the choice to onFinish to display the result.

For those interested, here's a sample of the changes made to src/components/SearchContainer/Tabs/UserNodeData.jsx to make this happen (diff here):

    var s8 = driver.session()
    var s9 = driver.session()
    ...
    // Look up the wave in which this node was owned and store it in component state
    s8.run("MATCH (n {name:{name}}) RETURN n.wave", {name:payload})
      .then(function(result){
        if (result.records[0]._fields[0] != null) {
          this.setState({'ownedInWave':result.records[0]._fields[0].low})
        }
        s8.close()
      }.bind(this))
    // Look up the method of compromise and store it in component state
    s9.run("MATCH (n {name:{name}}) RETURN n.owned", {name:payload})
      .then(function(result){
        if (result.records[0]._fields[0] != null) {
          this.setState({'ownedMethod':result.records[0]._fields[0]})
        }
        s9.close()
      }.bind(this))
    ...

The Node Info tab then gains two rows: "Owned in Wave", which when clicked runs the wave query ending in (m) RETURN n,r,m with {wave:this.state.ownedInWave} and this.state.label as parameters, and "Owned via Method", which displays this.state.ownedMethod.

Future work

- Make "Owned in Wave" and "Owned via Method" values fillable from the UI.
- Add more options when a node is right-clicked.
- Ditch the need for an external script to ingest data.
- Create a new relationship (maybe "SharesPasswordWith"?) that can be used between User nodes or Computer nodes to show password reuse. A User might use the same password for their normal account and their DA account. A Computer might use the same local admin password as another Computer's local admin. Expressing this in the form of a relationship allows us to leverage BloodHound's pre-built queries.
- Add a property to nodes indicating their involvement in the CPTC.

I'd really appreciate some help from those of you who are skilled with front-end development :D

Further reading

- Finding Active Directory attack paths using BloodHound
- https://github.com/CompassSecurity/BloodHoundQueries
- https://github.com/BloodHoundAD/BloodHound/blob/master/src/components/SearchContainer/Tabs/PrebuiltQueries.json
- https://blog.cptjesus.com/posts/introtocypher
- https://github.com/SadProcessor/Cheats/blob/master/DogWhispererV2.md
- https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/

Here are great links about BloodHound: the BloodHound wiki, The Dog Whisperer's Handbook, and BloodHound Custom Queries. If you need help when setting up BloodHound and using it, contact me on Twitter!