chrismaddalena / adm_user_sessions.py
Created April 26, 2022 21:53
Basic Script for Finding Admin User Sessions in BloodHound
##########################################################################################
# #
# Locate accounts with a specific suffix or prefix and fetch their regular accounts #
# to identify user sessions for both accounts. Then output a JSON file that details #
# session data for these accounts. #
# #
# Useful if you are looking for computers used by the target users. #
# #
##########################################################################################
from neo4j import GraphDatabase
def setup_database_conn():
    """Function to setup the database connection to the Neo4j project containing the BloodHound data.

    Connects with the hard-coded bolt URI, username and password below and
    builds a ``GraphDatabase`` driver. The ``except`` branch and the return of
    this ``try`` are not part of this excerpt, so what happens on a failed
    connection (and whether ``neo4j_driver`` is returned) cannot be seen here.

    NOTE(review): the database password is a literal in the source and is also
    echoed to stdout in the status line; anyone with the script or the console
    output has the credential. Reading it from an environment variable or a
    prompt, and printing only ``user @ uri``, would avoid that.
    """
    try:
        database_uri = 'bolt://localhost:7687'
        database_user = 'neo4j'
        database_pass = 'bloodhound'
        # NOTE(review): this line prints the clear-text password; it will land in
        # terminal scrollback and in anything that captures stdout (tee, CI logs).
        print("[!] Attempting to connect to your Neo4j project using {}:{} @ {}.".format(database_user, database_pass, database_uri))
        neo4j_driver = GraphDatabase.driver(database_uri, auth=(database_user, database_pass))
def execute_query(driver, user, enabled=True):
    """Execute the provided query using the current Neo4j database connection.

    Builds a Cypher query that selects ``User`` nodes whose ``name`` starts
    with ``user@`` (the ``enabled`` flag chooses between two query variants;
    only the first is visible in this excerpt, the function continues past it).

    Args:
        driver: A Neo4j ``GraphDatabase`` driver (how it is used is outside
            this excerpt).
        user: Account name (without the ``@DOMAIN`` part) to look up.
        enabled: When ``True``, restrict the match to enabled accounts.

    NOTE(review): ``user`` is spliced into the Cypher text with ``%``. If it
    can come from untrusted input (a command-line argument or a file), a value
    containing quotes or regex metacharacters changes the query rather than
    the match. The driver accepts query parameters (``$user`` in the text,
    ``user=...`` in ``session.run``); using them would make the value inert.
    """
    if enabled:
        # '=~' is a regex match, so '.' and other metacharacters in ``user`` are
        # interpreted, not matched literally.
        query = """
            MATCH (u:User)
            WHERE u.name =~ UPPER('%s@.*') AND (u.enabled = True)
            RETURN u.enabled, u.pwdlastset, u.domain
        """ % user
    else:
        query = """
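def sanitize(string):
    """Mask a secret for display, keeping only a short prefix and suffix visible.

    Args:
        string: The value to mask (a hash or a recovered plaintext).

    Returns:
        A string of the same length as ``string``:

        * 32 characters (presumably a hex-encoded NTLM hash, given the
          surrounding helpers) keep their first four and last four characters;
        * any other value longer than two characters keeps its first and last
          character;
        * one- and two-character values are masked completely, since revealing
          even one character of them discloses most or all of the value;
        * the empty string is returned unchanged.
    """
    length = len(string)
    if length == 32:
        # 4 visible + 24 masked + 4 visible = 32. The suffix must be the final
        # four characters; the previous ``string[length-5:length-1]`` slice
        # stopped one short and never showed the last character.
        return string[:4] + "*" * (length - 8) + string[-4:]
    if length > 2:
        return string[0] + "*" * (length - 2) + string[-1]
    # Nothing can be safely revealed from a one- or two-character value.
    return "*" * length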
def process_potfile(hashcat_potfile):
    """Process the provided Hashcat potfile to return a dictionary of hash values and plaintext values.

    Reads the potfile line by line and splits each line on ``:``. Only lines
    that split into at most two fields (``hash:plaintext``) are processed; the
    handling of those lines, and the return, continue past this excerpt.

    Args:
        hashcat_potfile: Path to a Hashcat ``.potfile``.
    """
    # NOTE(review): opened without an explicit ``encoding``; the platform default
    # is used, which may differ from the encoding the potfile was written in.
    with open(hashcat_potfile, 'r') as potfile:
        potfile_hashes = {}
        for line in potfile:
            # This doesn't account for potfile entries for NTLMv2, etc.
            array = line.split(':')
            # A plaintext containing ':' also produces more than two fields and is
            # dropped silently here, without any log line.
            if len(array) > 2:
                pass
            else:
def process_hashes(hash_file):
    """Process the hashes in the provided file and return a dictionary.

    Reads the dump line by line, skips any line containing ``$`` (treated as a
    machine account) and splits the rest on ``:::``. The parsing of the split
    fields and the return continue past this excerpt.

    Args:
        hash_file: Path to the hash dump; presumably ``DOMAIN\\USER:RID:LM:NT:::``
            lines as produced by secretsdump-style tools — confirm against the
            tool that generates it.
    """
    # Create hashes of the hashes, lol
    with open(hash_file, 'r') as hash_dump:
        hashes = {}
        for line in hash_dump:
            # Ignore machine accounts
            # NOTE(review): '$' anywhere in the line triggers the skip, not only at
            # the end of the account name, so any user line containing '$' is lost too.
            if not '$' in line:
                # Separate DOMAIN\USER from NTLM and USER from DOMAIN
                array = line.split(':::')
def compare_dumps(first_hashdump, second_hashdump):
"""Compare the two password dumps and return a dictionary of the results. JSON output:
{
"accounts": {
"CHRISM": {
"enabled": true,
"pwdlastset": "2019-04-14 22:53:08",
"domain": "DOMAIN.COM"
},
"matching_accounts": {}
Service Description Command
CLI Search for a command az find -q KEYWORD
CLI List all subcommands az --help and az SUBGROUP --help
Account List authenticated accounts az account list --output table
Account Set the active subscription az account set --subscription 'SUBSCRIPTION NAME'
File Share List file storage accounts az storage account list
VM List virtual machines az vm list --output table
VM List machine snapshots az snapshot list --output table
Service Description Command
User List logged-in users gcloud auth list
User Switch active user gcloud config set account 'ACCOUNT'
User Log out an account gcloud auth revoke --all or gcloud auth revoke 'ACCOUNT'
Storage List buckets gsutil ls
Storage Copy object from bucket gsutil cp gs://BUCKET_NAME/FILENAME .
VM List virtual machine instances gcloud compute instances list
VM List virtual machine snapshots gcloud compute snapshots list
Service Description Command
IAM Create a profile with a set of keys aws configure --profile PROFILE_NAME
IAM Get account information aws --profile PROFILE_NAME iam get-user
IAM Get attached policies for user aws --profile PROFILE_NAME iam list-attached-user-policies --user-name USERNAME
IAM Get a policy's version information aws --profile flaws iam get-policy --policy-arn POLICY_ARN_STRING
IAM Get policy details aws --profile PROFILE_NAME iam get-policy-version --policy-arn POLICY_ARN_STRING --version-id VERSION_NUMBER
S3 List contents of an S3 bucket (without creds) aws s3 ls s3://BUCKET_NAME --no-sign-request
S3 List contents of an S3 bucket (with creds) aws s3 ls s3://BUCKET_NAME --profile PROFILE_NAME
S3 Download contents of an S3 bucket aws s3 sync s3://BUCKET_NAME/ . --no-sign-request