mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-12-22 09:05:06 +01:00
Handy-BloodHound-Cypher-Queries.md updated.
This commit is contained in:
parent
36864d57cf
commit
ad47ea57d5
@ -1 +1 @@
|
||||
Subproject commit 5830ad897e323325e854e70b7c69ffad623b7d17
|
||||
Subproject commit 7848ebc1e348a1c1811a048961f4b65255e3a532
|
@ -1 +1 @@
|
||||
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785
|
||||
Subproject commit 6ce9975ae639ac16b7dce5c6461a066d8988cec8
|
@ -348,7 +348,7 @@ class ExchangeRecon:
|
||||
MAX_RECONNECTS = 3
|
||||
MAX_REDIRECTS = 10
|
||||
HEADERS = {
|
||||
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
|
||||
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
|
||||
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Accept-Language': 'en-US,en;q=0.5',
|
||||
'Accept-Encoding': 'gzip, deflate',
|
||||
@ -788,24 +788,25 @@ class ExchangeRecon:
|
||||
if resp['code'] in [301, 302, 303] and followRedirect:
|
||||
Logger.dbg(f'Following redirect. Depth: {redirect}...')
|
||||
|
||||
location = urlparse(resp['headers']['location'])
|
||||
port = 80 if location.scheme == 'http' else 443
|
||||
host = location.netloc
|
||||
if not host: host = self.hostname
|
||||
if ':' in location.netloc:
|
||||
port = int(location.netloc.split(':')[1])
|
||||
host = location.netloc.split(':')[0]
|
||||
if 'location' in resp['headers'].keys():
|
||||
location = urlparse(resp['headers']['location'])
|
||||
port = 80 if location.scheme == 'http' else 443
|
||||
host = location.netloc
|
||||
if not host: host = self.hostname
|
||||
if ':' in location.netloc:
|
||||
port = int(location.netloc.split(':')[1])
|
||||
host = location.netloc.split(':')[0]
|
||||
|
||||
if self.connect(host, port):
|
||||
pos = resp['headers']['location'].find(location.path)
|
||||
return self.http(
|
||||
method = 'GET',
|
||||
url = resp['headers']['location'][pos:],
|
||||
host = host,
|
||||
data = '',
|
||||
headers = headers,
|
||||
followRedirect = redirect < ExchangeRecon.MAX_REDIRECTS,
|
||||
redirect = redirect + 1)
|
||||
if self.connect(host, port):
|
||||
pos = resp['headers']['location'].find(location.path)
|
||||
return self.http(
|
||||
method = 'GET',
|
||||
url = resp['headers']['location'][pos:],
|
||||
host = host,
|
||||
data = '',
|
||||
headers = headers,
|
||||
followRedirect = redirect < ExchangeRecon.MAX_REDIRECTS,
|
||||
redirect = redirect + 1)
|
||||
|
||||
return resp, raw
|
||||
|
||||
@ -1148,6 +1149,7 @@ class ExchangeRecon:
|
||||
except Exception:
|
||||
server = ExchangeRecon._smtpconnect(host, port, _ssl)
|
||||
if not server:
|
||||
Logger.info('Could not interact with SMTP.')
|
||||
return None
|
||||
code, msg = server.ehlo()
|
||||
|
||||
|
@ -25,6 +25,8 @@ MATCH (u {highvalue: true}) WHERE toLower(u.name) ENDS WITH "" RETURN
|
||||
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
|
||||
```
|
||||
|
||||
### Principals with most Outbound Controlled objects
|
||||
|
||||
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
|
||||
```
|
||||
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
|
||||
@ -59,6 +61,37 @@ ORDER BY controlled DESC
|
||||
LIMIT 50
|
||||
```
|
||||
|
||||
- Returns principals having more than 1000 **Outbound Control Rights** --> **First Degree Object Control** controlled:
|
||||
```
|
||||
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
|
||||
WITH u.name as name, LABELS(u)[1] as type,
|
||||
COUNT(DISTINCT(n)) as controlled
|
||||
WHERE name IS NOT NULL AND controlled > 1000
|
||||
RETURN type, name, controlled
|
||||
ORDER BY controlled DESC
|
||||
```
|
||||
|
||||
- Returns principals having more than 1000 **Outbound Control Rights** --> **Group Delegated Object Control** controlled and whether that object is member of high privileged group (such a `Domain Admins` or `Domain Controllers`):
|
||||
```
|
||||
MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true
|
||||
WITH u.name as name, LABELS(u)[1] as type, g.highvalue as highly_privileged,
|
||||
COUNT(DISTINCT(n)) as controlled
|
||||
WHERE name IS NOT NULL AND controlled > 1000
|
||||
RETURN type, name, highly_privileged, controlled
|
||||
ORDER BY controlled DESC
|
||||
```
|
||||
|
||||
- Returns principals having more than 1000 **Outbound Control Rights** --> **Transitive Object Control** controlled (TAKES ENORMOUS TIME TO COMPUTE! You were warned):
|
||||
```
|
||||
MATCH p=shortestPath((u)-[r1:MemberOf|AddMember|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns*1..]->(n))
|
||||
WHERE u<>n
|
||||
WITH u.name as name, LABELS(u)[1] as type,
|
||||
COUNT(DISTINCT(n)) as controlled
|
||||
WHERE name IS NOT NULL AND controlled > 1000
|
||||
RETURN type, name, controlled
|
||||
ORDER BY controlled DESC
|
||||
```
|
||||
|
||||
### Users
|
||||
|
||||
- Pulls users eligible for ASREP roasting
|
||||
|
@ -1 +0,0 @@
|
||||
Subproject commit 9707453f60255221b0493aa5e9367d59d7bcc8ab
|
Loading…
Reference in New Issue
Block a user