Bloodhound

Extra: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/

Start Neo4j

Open a web browser and navigate to http://localhost:7474/

C:\Tools\neo4j\bin>neo4j.bat console
2021-05-11 10:03:21.143+0000 INFO  Starting...
2021-05-11 10:03:28.065+0000 INFO  ======== Neo4j 4.2.3 ========
2021-05-11 10:03:32.143+0000 INFO  Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2021-05-11 10:03:32.143+0000 INFO  Updating the initial password in component 'security-users'
2021-05-11 10:03:33.128+0000 INFO  Bolt enabled on localhost:7687.
2021-05-11 10:03:36.096+0000 INFO  Remote interface available at http://localhost:7474/
2021-05-11 10:03:36.096+0000 INFO  Started.

SharpHound.exe

SharpHound has a number of different collection methods (all documented on the repository):

Default - Performs group membership collection, domain trust collection, local group collection, session collection, ACL collection, object property collection, and SPN target collection
Group - Performs group membership collection
LocalAdmin - Performs local admin collection
RDP - Performs Remote Desktop Users collection
DCOM - Performs Distributed COM Users collection
PSRemote - Performs Remote Management Users collection
GPOLocalGroup - Performs local admin collection using Group Policy Objects
Session - Performs session collection
ComputerOnly - Performs local admin, RDP, DCOM and session collection
LoggedOn - Performs privileged session collection (requires admin rights on target systems)
Trusts - Performs domain trust enumeration
ACL - Performs collection of ACLs
Container - Performs collection of Containers
DcOnly - Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
All - Performs all Collection Methods except GPOLocalGroup.

C:\> SharpHound.exe -c DcOnly
C:\> SharpHound.exe -c DcOnly -d vulnableone.local
C:\> SharpHound.exe --CollectionMethod All,GPOLocalGroup --Domain vulnableone.local
C:\> SharpHound.exe --CollectionMethod All --Domain vulnableone.local --LdapUsername khan.chanthou --LdapPassword Password123 --ZipFileName output.zip

SharpHound.ps1

Invoke-BloodHound -CollectionMethod All

Bloodhound Query

Service Principal Name (SPN)

MATCH (u:User {hasspn:true}) RETURN u

Shortest Paths from Kerberoastable Users

MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Unconstrained Delegation

MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

AllowedToDelegate to other computers

MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

ASREP Roasting

MATCH (u:User {dontreqpreauth:true}) RETURN u

Constrained Delegation

MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

GPO Query

MATCH (gr:Group), (gp:GPO), p=((gr)-[:GenericWrite]->(gp)) RETURN p

Discretionary Access Control Lists

MATCH (g1:Group), (g2:Group), p=((g1)-[:GenericAll]->(g2)) RETURN p

MATCH (g1:Group {name:"IT_Support"}), (g2:Group), p=((g1)-[:GenericAll]->(g2)) RETURN p

Potential MS SQL Admins

MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p

LAPS

MATCH (c:Computer {haslaps: true}) RETURN c

MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p

PreviousAD-Module NextAbuse ACLs

Last updated 1 year ago

hashtagStart Neo4j

hashtagSharpHound.exe

hashtagSharpHound.ps1

hashtagBloodhound Query

hashtagService Principal Name (SPN)

hashtagShortest Paths from Kerberoastable Users

hashtagUnconstrained Delegation

hashtagAllowedToDelegate to other computers

hashtagASREP Roasting

hashtagConstrained Delegation

hashtagGPO Query

hashtagDiscretionary Access Control Lists

hashtagPotential MS SQL Admins

hashtag LAPS