```python
##########################################################################################
#
# Locate accounts with a specific suffix or prefix and fetch their regular accounts
# to identify user sessions for both accounts. Then output a JSON file that details
# session data for these accounts.
#
# Useful if you are looking for computers used by the target users.
#
##########################################################################################
```
```python
from neo4j import GraphDatabase


def setup_database_conn():
    """Function to setup the database connection to the Neo4j project containing the BloodHound data."""
    try:
        database_uri = 'bolt://localhost:7687'
        database_user = 'neo4j'
        database_pass = 'bloodhound'
        print("[!] Attempting to connect to your Neo4j project using {}:{} @ {}.".format(database_user, database_pass, database_uri))
        neo4j_driver = GraphDatabase.driver(database_uri, auth=(database_user, database_pass))
        return neo4j_driver
    except Exception as error:
        print("[!] Could not connect to Neo4j: {}".format(error))
        return None
```
```python
def execute_query(driver, user, enabled=True):
    """Execute the provided query using the current Neo4j database connection."""
    if enabled:
        query = """
        MATCH (u:User)
        WHERE u.name =~ UPPER('%s@.*') AND (u.enabled = True)
        RETURN u.enabled, u.pwdlastset, u.domain
        """ % user
    else:
        query = """
```
```python
def sanitize(string):
    """Sanitize the provided string by replacing chunks with asterisks."""
    sanitized_string = string
    length = len(string)
    if length == 32:
        # A 32-character hash keeps its first and last four characters
        sanitized_string = string[0:4] + "*"*(length-8) + string[-4:]
    elif length > 2:
        # Anything else keeps only its first and last character
        sanitized_string = string[0] + "*"*(length-2) + string[length-1]
    return sanitized_string
```
```python
def process_potfile(hashcat_potfile):
    """Process the provided Hashcat potfile to return a dictionary of hash values and plaintext values."""
    with open(hashcat_potfile, 'r') as potfile:
        potfile_hashes = {}
        for line in potfile:
            # This doesn't account for potfile entries for NTLMv2, etc.
            array = line.split(':')
            if len(array) > 2:
                pass
            else:
                potfile_hashes[array[0]] = array[1].strip()
    return potfile_hashes
```
```python
def process_hashes(hash_file):
    """Process the hashes in the provided file and return a dictionary."""
    # Create hashes of the hashes, lol
    with open(hash_file, 'r') as hash_dump:
        hashes = {}
        for line in hash_dump:
            # Ignore machine accounts
            if '$' not in line:
                # Separate DOMAIN\USER from NTLM and USER from DOMAIN
                array = line.split(':::')
```
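The potfile and hash-dump parsing that the two snippets above begin, carried through to the comparison report, as an added example that is not the page's own code. It assumes a secretsdump-style `DOMAIN\user:RID:LM:NT:::` dump and a hashcat `hash:plaintext` potfile (both sample inputs are constructed), skips the NetNTLMv2 potfile lines the original comment says it does not handle, decodes hashcat's `$HEX[...]` plaintexts, recognises machine accounts by a trailing `$` in the account name, and masks every hash and password before it reaches the report.

```python
import re

# Constructed sample inputs (not real credentials): an NTDS dump in the secretsdump
# layout "DOMAIN\user:RID:LM:NT:::" and a hashcat potfile in the "hash:plaintext" layout.
SAMPLE_DUMP = """DOMAIN\\alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DOMAIN\\bob:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DOMAIN\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DOMAIN\\WS01$:1108:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::"""
SAMPLE_POTFILE = """0123456789abcdef0123456789abcdef:Spring:2024
fedcba9876543210fedcba9876543210:$HEX[50407373]
carol::DOMAIN:1122334455667788:aabbccddeeff0011:010100000000000000:NotAnNtHash"""
NT_HASH = re.compile(r"^[0-9a-f]{32}$")

def process_hashes(dump_text):
    """Map NT hash -> accounts; machine accounts (names ending in $) are skipped."""
    by_hash = {}
    for line in dump_text.splitlines():
        fields = line.strip().rstrip(":").split(":")
        if len(fields) < 4 or fields[0].endswith("$"):
            continue  # blank/malformed line or computer account
        by_hash.setdefault(fields[3].lower(), []).append(fields[0])
    return by_hash

def process_potfile(pot_text):
    """Map NT hash -> plaintext; only 32-hex keys can match an NTDS dump, so NetNTLMv2 lines are dropped."""
    cracked = {}
    for line in pot_text.splitlines():
        key, sep, plain = line.partition(":")  # partition keeps plaintexts that contain ':'
        if sep and NT_HASH.match(key.lower()):
            if plain.startswith("$HEX[") and plain.endswith("]"):  # hashcat hex-encoded plaintext
                plain = bytes.fromhex(plain[5:-1]).decode("latin-1")
            cracked[key.lower()] = plain
    return cracked

def sanitize(value):
    """Mask the middle of a hash (keep 4+4) or a plaintext (keep 1+1) for the report."""
    if len(value) == 32:
        return value[:4] + "*" * 24 + value[-4:]
    return value[0] + "*" * (len(value) - 2) + value[-1] if len(value) > 2 else "*" * len(value)

def compare_dumps(dump_text, pot_text):
    """Join both files: which accounts are cracked, and which share a single NT hash."""
    by_hash, cracked = process_hashes(dump_text), process_potfile(pot_text)
    report = {"cracked": {}, "shared": {}}
    for nt_hash, accounts in by_hash.items():
        for account in accounts:
            if nt_hash in cracked:
                report["cracked"][account] = sanitize(cracked[nt_hash])
        if len(accounts) > 1:
            report["shared"][sanitize(nt_hash)] = sorted(accounts)
    return report
```

Accounts that share a hash are reported even when the password is uncracked, which is the finding a password audit usually cares about most.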
```python
def compare_dumps(first_hashdump, second_hashdump):
    """Compare the two password dumps and return a dictionary of the results. JSON output:
    {
        "accounts": {
            "CHRISM": {
                "enabled": true,
                "pwdlastset": "2019-04-14 22:53:08",
                "domain": "DOMAIN.COM"
            },
            "matching_accounts": {}
```
Service | Description | Command
---|---|---
CLI | Search for a command | az find -q KEYWORD
CLI | List all subcommands | az --help and az SUBGROUP --help
Account | List authenticated accounts | az account list --output table
Account | Set the active subscription | az account set --subscription 'SUBSCRIPTION NAME'
File Share | List file storage accounts | az storage account list
VM | List virtual machines | az vm list --output table
VM | List machine snapshots | az snapshot list --output table
Service | Description | Command
---|---|---
User | List logged-in users | gcloud auth list
User | Switch active user | gcloud config set account 'ACCOUNT'
User | Logout an account | gcloud auth revoke --all or gcloud auth revoke 'ACCOUNT'
Storage | List buckets | gsutil ls
Storage | Copy object from bucket | gsutil cp gs://BUCKET_NAME/FILENAME .
VM | List virtual machine instances | gcloud compute instances list
VM | List virtual machine snapshots | gcloud compute snapshots list
Service | Description | Command
---|---|---
IAM | Create a profile with a set of keys | aws configure --profile PROFILE_NAME
IAM | Get account information | aws --profile PROFILE_NAME iam get-user
IAM | Get attached policies for user | aws --profile PROFILE_NAME iam list-attached-user-policies --user-name USERNAME
IAM | Get a policy's version information | aws --profile PROFILE_NAME iam get-policy --policy-arn POLICY_ARN_STRING
IAM | Get policy details | aws --profile PROFILE_NAME iam get-policy-version --policy-arn POLICY_ARN_STRING --version-id VERSION_NUMBER
S3 | List contents of an S3 bucket (without creds) | aws s3 ls s3://BUCKET_NAME --no-sign-request
S3 | List contents of an S3 bucket (with creds) | aws s3 ls s3://BUCKET_NAME --profile PROFILE_NAME
S3 | Download contents of an S3 bucket | aws s3 sync s3://BUCKET_NAME/ . --no-sign-request