mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-23 02:51:38 +01:00
Handy-BloodHound-Cypher-Queries.md updated.
This commit is contained in:
parent
36864d57cf
commit
ad47ea57d5
@ -1 +1 @@
|
|||||||
Subproject commit 5830ad897e323325e854e70b7c69ffad623b7d17
|
Subproject commit 7848ebc1e348a1c1811a048961f4b65255e3a532
|
@ -1 +1 @@
|
|||||||
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785
|
Subproject commit 6ce9975ae639ac16b7dce5c6461a066d8988cec8
|
@ -348,7 +348,7 @@ class ExchangeRecon:
|
|||||||
MAX_RECONNECTS = 3
|
MAX_RECONNECTS = 3
|
||||||
MAX_REDIRECTS = 10
|
MAX_REDIRECTS = 10
|
||||||
HEADERS = {
|
HEADERS = {
|
||||||
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
|
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
|
||||||
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||||
'Accept-Language': 'en-US,en;q=0.5',
|
'Accept-Language': 'en-US,en;q=0.5',
|
||||||
'Accept-Encoding': 'gzip, deflate',
|
'Accept-Encoding': 'gzip, deflate',
|
||||||
@ -788,6 +788,7 @@ class ExchangeRecon:
|
|||||||
if resp['code'] in [301, 302, 303] and followRedirect:
|
if resp['code'] in [301, 302, 303] and followRedirect:
|
||||||
Logger.dbg(f'Following redirect. Depth: {redirect}...')
|
Logger.dbg(f'Following redirect. Depth: {redirect}...')
|
||||||
|
|
||||||
|
if 'location' in resp['headers'].keys():
|
||||||
location = urlparse(resp['headers']['location'])
|
location = urlparse(resp['headers']['location'])
|
||||||
port = 80 if location.scheme == 'http' else 443
|
port = 80 if location.scheme == 'http' else 443
|
||||||
host = location.netloc
|
host = location.netloc
|
||||||
@ -1148,6 +1149,7 @@ class ExchangeRecon:
|
|||||||
except Exception:
|
except Exception:
|
||||||
server = ExchangeRecon._smtpconnect(host, port, _ssl)
|
server = ExchangeRecon._smtpconnect(host, port, _ssl)
|
||||||
if not server:
|
if not server:
|
||||||
|
Logger.info('Could not interact with SMTP.')
|
||||||
return None
|
return None
|
||||||
code, msg = server.ehlo()
|
code, msg = server.ehlo()
|
||||||
|
|
||||||
|
@ -25,6 +25,8 @@ MATCH (u {highvalue: true}) WHERE toLower(u.name) ENDS WITH "" RETURN
|
|||||||
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
|
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Principals with most Outbound Controlled objects
|
||||||
|
|
||||||
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
|
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
|
||||||
```
|
```
|
||||||
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
|
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
|
||||||
@ -59,6 +61,37 @@ ORDER BY controlled DESC
|
|||||||
LIMIT 50
|
LIMIT 50
|
||||||
```
|
```
|
||||||
|
|
||||||
|
- Returns principals having more than 1000 **Outbound Control Rights** --> **First Degree Object Control** controlled:
|
||||||
|
```
|
||||||
|
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
|
||||||
|
WITH u.name as name, LABELS(u)[1] as type,
|
||||||
|
COUNT(DISTINCT(n)) as controlled
|
||||||
|
WHERE name IS NOT NULL AND controlled > 1000
|
||||||
|
RETURN type, name, controlled
|
||||||
|
ORDER BY controlled DESC
|
||||||
|
```
|
||||||
|
|
||||||
|
- Returns principals having more than 1000 **Outbound Control Rights** --> **Group Delegated Object Control** controlled and whether that object is member of high privileged group (such a `Domain Admins` or `Domain Controllers`):
|
||||||
|
```
|
||||||
|
MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true
|
||||||
|
WITH u.name as name, LABELS(u)[1] as type, g.highvalue as highly_privileged,
|
||||||
|
COUNT(DISTINCT(n)) as controlled
|
||||||
|
WHERE name IS NOT NULL AND controlled > 1000
|
||||||
|
RETURN type, name, highly_privileged, controlled
|
||||||
|
ORDER BY controlled DESC
|
||||||
|
```
|
||||||
|
|
||||||
|
- Returns principals having more than 1000 **Outbound Control Rights** --> **Transitive Object Control** controlled (TAKES ENORMOUS TIME TO COMPUTE! You were warned):
|
||||||
|
```
|
||||||
|
MATCH p=shortestPath((u)-[r1:MemberOf|AddMember|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns*1..]->(n))
|
||||||
|
WHERE u<>n
|
||||||
|
WITH u.name as name, LABELS(u)[1] as type,
|
||||||
|
COUNT(DISTINCT(n)) as controlled
|
||||||
|
WHERE name IS NOT NULL AND controlled > 1000
|
||||||
|
RETURN type, name, controlled
|
||||||
|
ORDER BY controlled DESC
|
||||||
|
```
|
||||||
|
|
||||||
### Users
|
### Users
|
||||||
|
|
||||||
- Pulls users eligible for ASREP roasting
|
- Pulls users eligible for ASREP roasting
|
||||||
|
@ -1 +0,0 @@
|
|||||||
Subproject commit 9707453f60255221b0493aa5e9367d59d7bcc8ab
|
|
Loading…
Reference in New Issue
Block a user