Git
/
mgeeky-Penetration-Testing-Tools
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Handy-BloodHound-Cypher-Queries.md updated.

This commit is contained in:
Mariusz B. / mgeeky 2022-04-13 16:42:31 +02:00
parent 36864d57cf
commit ad47ea57d5
5 changed files with 55 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
clouds/azure/AzureRT

@ -1 +1 @@
Subproject commit 5830ad897e323325e854e70b7c69ffad623b7d17 Subproject commit 7848ebc1e348a1c1811a048961f4b65255e3a532

2
file-formats/PackMyPayload

@ -1 +1 @@
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785 Subproject commit 6ce9975ae639ac16b7dce5c6461a066d8988cec8

38
networks/exchangeRecon.py
View File

@ -348,7 +348,7 @@ class ExchangeRecon:
MAX_RECONNECTS = 3 MAX_RECONNECTS = 3
MAX_REDIRECTS = 10 MAX_REDIRECTS = 10
HEADERS = { HEADERS = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5', 'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate', 'Accept-Encoding': 'gzip, deflate',
@ -788,24 +788,25 @@ class ExchangeRecon:
if resp['code'] in [301, 302, 303] and followRedirect: if resp['code'] in [301, 302, 303] and followRedirect:
Logger.dbg(f'Following redirect. Depth: {redirect}...') Logger.dbg(f'Following redirect. Depth: {redirect}...')
location = urlparse(resp['headers']['location']) if 'location' in resp['headers'].keys():
port = 80 if location.scheme == 'http' else 443 location = urlparse(resp['headers']['location'])
host = location.netloc port = 80 if location.scheme == 'http' else 443
if not host: host = self.hostname host = location.netloc
if ':' in location.netloc: if not host: host = self.hostname
port = int(location.netloc.split(':')[1]) if ':' in location.netloc:
host = location.netloc.split(':')[0] port = int(location.netloc.split(':')[1])
host = location.netloc.split(':')[0]
if self.connect(host, port): if self.connect(host, port):
pos = resp['headers']['location'].find(location.path) pos = resp['headers']['location'].find(location.path)
return self.http( return self.http(
method = 'GET', method = 'GET',
url = resp['headers']['location'][pos:], url = resp['headers']['location'][pos:],
host = host, host = host,
data = '', data = '',
headers = headers, headers = headers,
followRedirect = redirect < ExchangeRecon.MAX_REDIRECTS, followRedirect = redirect < ExchangeRecon.MAX_REDIRECTS,
redirect = redirect + 1) redirect = redirect + 1)
return resp, raw return resp, raw
@ -1148,6 +1149,7 @@ class ExchangeRecon:
except Exception: except Exception:
server = ExchangeRecon._smtpconnect(host, port, _ssl) server = ExchangeRecon._smtpconnect(host, port, _ssl)
if not server: if not server:
Logger.info('Could not interact with SMTP.')
return None return None
code, msg = server.ehlo() code, msg = server.ehlo()

33
red-teaming/Handy-BloodHound-Cypher-Queries.md
View File

@ -25,6 +25,8 @@ MATCH (u {highvalue: true}) WHERE toLower(u.name) ENDS WITH "" RETURN
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
``` ```
### Principals with most Outbound Controlled objects
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain: - Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
``` ```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
@ -59,6 +61,37 @@ ORDER BY controlled DESC
LIMIT 50 LIMIT 50
``` ```
- Returns principals having more than 1000 **Outbound Control Rights** --> **First Degree Object Control** controlled:
```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Group Delegated Object Control** controlled and whether that object is member of high privileged group (such a `Domain Admins` or `Domain Controllers`):
```
MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true
WITH u.name as name, LABELS(u)[1] as type, g.highvalue as highly_privileged,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, highly_privileged, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Transitive Object Control** controlled (TAKES ENORMOUS TIME TO COMPUTE! You were warned):
```
MATCH p=shortestPath((u)-[r1:MemberOf|AddMember|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns*1..]->(n))
WHERE u<>n
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
### Users ### Users
- Pulls users eligible for ASREP roasting - Pulls users eligible for ASREP roasting

1
red-teaming/PackMyPayload

@ -1 +0,0 @@
Subproject commit 9707453f60255221b0493aa5e9367d59d7bcc8ab