Add missing edges to AddEdgeModal

Add some more help text
Fix missing edge styles
Rohan Vazarkar 2018-07-30 20:24:15 -04:00
parent 9448534024
commit d36058faab
6 changed files with 35 additions and 16 deletions


@ -134,7 +134,7 @@ export default class GraphContainer extends Component {
this.doQueryNative({
//statement:'MATCH (n:Group) WHERE n.objectsid =~ "(?i)S-1-5.*-512" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m',
statement: 'MATCH (n)-[r:CanRDP]->(m) RETURN n,r,m LIMIT 5',
statement: 'MATCH (n)-[r:AllowedToDelegate]->(m) RETURN n,r,m LIMIT 5',
//statement: 'MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p',
allowCollapse: false,
props: {}
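Review bot: The `statement:` handed to doQueryNative is a hard-coded development query, and the two commented-out alternatives on the `//statement:` lines are left in place, so the commit only swaps one debug query for another (assuming the CanRDP line is the removed one, as the print order suggests). If the fixed query is meant to stay for now, mark it so it is not shipped by accident, e.g. `// TODO: dev-only hard-coded query; remove before release`, and delete the commented-out variants rather than keeping them as a history. The doQueryNative call and its enclosing method continue outside the hunk.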


@ -130,10 +130,9 @@ export default class AddEdgeModal extends Component {
}else{
this.targetFocus();
this.targetBlur();
}
}
}
})
});
}
validate(){
@ -343,8 +342,10 @@ export default class AddEdgeModal extends Component {
<option>Owns</option>
<option>WriteDacl</option>
<option>WriteOwner</option>
<option>ReadLAPSPassword</option>
<option>CanRDP</option>
<option>ExecuteDCOM</option>
<option>AllowedToDelegate</option>
</select>
<span className="help-block" ref="edgeError">
Looks good!
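Review bot: The four `<option>` entries added after `WriteOwner` (ReadLAPSPassword, CanRDP, ExecuteDCOM, AllowedToDelegate) repeat edge names that this same commit also adds by hand to the style maps in appStore, so the list now lives in at least two places and can drift, as the WriteDACL/WriteDacl spelling change elsewhere in the commit already shows. The option text is presumably what validate() reads off the select and what the style maps are keyed on, so a mismatch would fail silently at render time rather than at build time. Consider rendering the options from one shared array, e.g. `{EDGE_TYPES.map((e) => <option key={e}>{e}</option>)}` (EDGE_TYPES being a name chosen here), and keying appStore off the same array. The render method continues outside the hunk.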


@ -101,9 +101,9 @@ export default class HelpModal extends Component {
}else if (edge.label === "AllowedToDelegate"){
let text = `The {} {} has the constrained delegation privilege to the computer {}.
The constrained delegation privilege allows a principal to authenticate to specific services (found in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer. This includes principals such as Domain Admins.
The constrained delegation primitive allows a principal to authenticate as any user to specific services (found in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer. That is, a node with this privilege can impersonate any domain principal (including Domain Admins) to the specific service on the target host.
An issue exists in constrained delegation that allows an attacker to modify the target service to any service of their choice.`;
An issue exists in the constrained delegation where the service name (sname) of the resulting ticket is not a part of the protected ticket information, meaning that an attacker can modify the target service name to any service of their choice. For example, if msds-AllowedToDelegateTo is HTTP/host.domain.com, tickets can be modified for LDAP/HOST/etc. service names, resulting in complete server compromise, regardless of the specific service listed.`;
formatted = text.format(sourceType, sourceName, targetName);
}else if (edge.label === "GetChanges"){
let text = `${this.groupSpecialFormat(source)} the DS-Replication-Get-Changes privilege on the domain ${targetName}.
@ -848,7 +848,7 @@ export default class HelpModal extends Component {
let text = ``;
formatted = text.format(sourceType, sourceName, targetName);
}else if (edge.label === "AllowedToDelegate"){
let text = `Abusing this privilege will require either kekeo on a compromised host, or impacket with a way to proxy traffic into the network. See the references tab for more detailed information on exploiting this privilege.`;
let text = `Abusing this privilege will require either using Benjamin Delpys Kekeo project on a compromised host, or proxying in traffic generated from the Impacket library. See the references tab for more detailed information on exploiting this privilege.`;
formatted = text.format(sourceType, sourceName, targetName);
}else if (edge.label === "GetChanges"){
let text = `With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz:
@ -937,13 +937,15 @@ export default class HelpModal extends Component {
let text = `This depends on the target object and how to take advantage of this privilege. Opsec considerations for each abuse primitive are documented on the specific abuse edges and on the BloodHound wiki.`;
formatted = text;
}else if (edge.label === "CanRDP"){
let text = ``;
let text = `If the target computer is a workstation and a user is currently logged on, one of two things will happen. If the user you are abusing is the same user as the one logged on, you will effectively take over their session and kick the logged on user off, resulting in a message to the user. If the users are different, you will be prompted to kick the currently logged on user off the system and log on. If the target computer is a server, you will be able to initiate the connection without issue provided the user you are abusing is not currently logged in.
Remote desktop will create Logon and Logoff events with the access type RemoteInteractive.`;
formatted = text;
}else if (edge.label === "ExecuteDCOM"){
let text = ``;
formatted = text;
}else if (edge.label === "AllowedToDelegate"){
let text = ``;
let text = `As mentioned in the abuse info, in order to currently abuse this primitive either the Kekeo binary will need to be dropped to disk on the target or traffic from Impacket will need to be proxied in. See the References for more information.`;
formatted = text;
}else if (edge.label === "GetChanges"){
let text = `For detailed information on detection of dcsync as well as opsec considerations, see the adsecurity post in the references tab.`;
@ -1042,7 +1044,9 @@ export default class HelpModal extends Component {
let text = ``;
formatted = text;
}else if (edge.label === "AllowedToDelegate"){
let text = `<a href="http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/">http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/</a>
let text = `<a href="https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/">https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/</a>
<a href="http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/">http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/</a>
<a href="https://twitter.com/gentilkiwi/status/806643377278173185">https://twitter.com/gentilkiwi/status/806643377278173185</a>
<a href="https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more">https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more</a>`;
formatted = text;
}else if (edge.label === "GetChanges"){
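Review bot: The ExecuteDCOM branch still assigns an empty template literal to `text` in the opsec hunk (the line after `edge.label === "ExecuteDCOM"`) and again in the references hunk, while the neighbouring CanRDP and AllowedToDelegate branches receive real text in this commit, so the modal will render an empty block for that edge. Either fill it in or make the gap visible, e.g. `let text = 'No opsec information has been written for this edge yet.';`. In the abuse-info hunk, `Benjamin Delpys Kekeo project` should read `Benjamin Delpy's Kekeo project`. The references text is raw HTML in a string; if it is rendered with dangerouslySetInnerHTML that is acceptable for these static links, but it must stay free of interpolated node names. Each branch belongs to a method whose body extends beyond the hunks.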


@ -524,7 +524,7 @@ export default class SearchContainer extends Component {
<i
data-toggle="tooltip"
data-placement="right"
title="Filters edges outside prebuilt queries"
title="Filters edges in shortest path queries"
className="glyphicon glyphicon-question-sign"
/>
</div>


@ -100,7 +100,7 @@
]
},
{
"name": "Shortest Path from Kerberoastable Users",
"name": "Shortest Paths from Kerberoastable Users",
"queryList": [
{
"final": false,


@ -135,7 +135,11 @@ global.appStore = {
DCSync: "tapered",
Contains: "tapered",
GpLink: "tapered",
Owns: "tapered"
Owns: "tapered",
CanRDP: "tapered",
ExecuteDCOM: "tapered",
ReadLAPSPassword: "tapered",
AllowedToDelegate: "tapered"
}
},
lowResPalette: {
@ -143,7 +147,9 @@ global.appStore = {
User: "#17E625",
Computer: "#E67873",
Group: "#DBE617",
Domain: "#17E6B9"
Domain: "#17E6B9",
OU: "#FFAA00",
GPO: "#7F72FD"
},
edgeScheme: {
AdminTo: "line",
@ -153,10 +159,18 @@ global.appStore = {
ForceChangePassword: "line",
GenericAll: "line",
GenericWrite: "line",
WriteDACL: "line",
WriteDacl: "line",
WriteOwner: "line",
AddMember: "line",
TrustedBy: "curvedArrow"
TrustedBy: "curvedArrow",
DCSync: "line",
Contains: "line",
GpLink: "line",
Owns: "line",
CanRDP: "line",
ExecuteDCOM: "line",
ReadLAPSPassword: "line",
AllowedToDelegate: "line"
}
},
highResStyle: {
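Review bot: The edgeScheme key appears to change from `WriteDACL` to `WriteDacl` in the lowResPalette hunk (the two adjacent lines before `WriteOwner: "line"`, old printed first); object keys are case-sensitive, so any remaining lookup with the old spelling would fall through to whatever default the renderer applies, and it is worth grepping for `WriteDACL` once since the AddEdgeModal options already use `WriteDacl`. The same twelve edge names are now listed by hand in both style maps of this file; deriving both from one shared array, e.g. `EDGE_TYPES.reduce((m, e) => ({ ...m, [e]: "line" }), {})` (EDGE_TYPES being a name chosen here), would stop them drifting the way this spelling did. The header of the map touched by the first hunk is above that hunk, so which scheme it belongs to cannot be confirmed from here.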