Handy-BloodHound-Cypher-Queries.md updated.

This commit is contained in:
Mariusz B. / mgeeky 2022-04-13 16:42:31 +02:00
parent 36864d57cf
commit ad47ea57d5
5 changed files with 55 additions and 21 deletions

@ -1 +1 @@
Subproject commit 5830ad897e323325e854e70b7c69ffad623b7d17 Subproject commit 7848ebc1e348a1c1811a048961f4b65255e3a532

@ -1 +1 @@
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785 Subproject commit 6ce9975ae639ac16b7dce5c6461a066d8988cec8

View File

@ -348,7 +348,7 @@ class ExchangeRecon:
MAX_RECONNECTS = 3 MAX_RECONNECTS = 3
MAX_REDIRECTS = 10 MAX_REDIRECTS = 10
HEADERS = { HEADERS = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5', 'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate', 'Accept-Encoding': 'gzip, deflate',
@ -788,6 +788,7 @@ class ExchangeRecon:
if resp['code'] in [301, 302, 303] and followRedirect: if resp['code'] in [301, 302, 303] and followRedirect:
Logger.dbg(f'Following redirect. Depth: {redirect}...') Logger.dbg(f'Following redirect. Depth: {redirect}...')
if 'location' in resp['headers'].keys():
location = urlparse(resp['headers']['location']) location = urlparse(resp['headers']['location'])
port = 80 if location.scheme == 'http' else 443 port = 80 if location.scheme == 'http' else 443
host = location.netloc host = location.netloc
@ -1148,6 +1149,7 @@ class ExchangeRecon:
except Exception: except Exception:
server = ExchangeRecon._smtpconnect(host, port, _ssl) server = ExchangeRecon._smtpconnect(host, port, _ssl)
if not server: if not server:
Logger.info('Could not interact with SMTP.')
return None return None
code, msg = server.ehlo() code, msg = server.ehlo()

View File

@ -25,6 +25,8 @@ MATCH (u {highvalue: true}) WHERE toLower(u.name) ENDS WITH "" RETURN
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
``` ```
### Principals with most Outbound Controlled objects
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain: - Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
``` ```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
@ -59,6 +61,37 @@ ORDER BY controlled DESC
LIMIT 50 LIMIT 50
``` ```
- Returns principals having more than 1000 **Outbound Control Rights** --> **First Degree Object Control** controlled:
```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Group Delegated Object Control** controlled and whether that object is member of high privileged group (such a `Domain Admins` or `Domain Controllers`):
```
MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true
WITH u.name as name, LABELS(u)[1] as type, g.highvalue as highly_privileged,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, highly_privileged, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Transitive Object Control** controlled (TAKES ENORMOUS TIME TO COMPUTE! You were warned):
```
MATCH p=shortestPath((u)-[r1:MemberOf|AddMember|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns*1..]->(n))
WHERE u<>n
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
### Users ### Users
- Pulls users eligible for ASREP roasting - Pulls users eligible for ASREP roasting

@ -1 +0,0 @@
Subproject commit 9707453f60255221b0493aa5e9367d59d7bcc8ab