Add missing edges to AddEdgeModal
Add some more help text Fix missing edge stylesmaster
parent
9448534024
commit
d36058faab
|
@ -134,7 +134,7 @@ export default class GraphContainer extends Component {
|
||||||
|
|
||||||
this.doQueryNative({
|
this.doQueryNative({
|
||||||
//statement:'MATCH (n:Group) WHERE n.objectsid =~ "(?i)S-1-5.*-512" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m',
|
//statement:'MATCH (n:Group) WHERE n.objectsid =~ "(?i)S-1-5.*-512" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m',
|
||||||
statement: 'MATCH (n)-[r:CanRDP]->(m) RETURN n,r,m LIMIT 5',
|
statement: 'MATCH (n)-[r:AllowedToDelegate]->(m) RETURN n,r,m LIMIT 5',
|
||||||
//statement: 'MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p',
|
//statement: 'MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p',
|
||||||
allowCollapse: false,
|
allowCollapse: false,
|
||||||
props: {}
|
props: {}
|
||||||
|
|
|
@ -130,10 +130,9 @@ export default class AddEdgeModal extends Component {
|
||||||
}else{
|
}else{
|
||||||
this.targetFocus();
|
this.targetFocus();
|
||||||
this.targetBlur();
|
this.targetBlur();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
})
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
validate(){
|
validate(){
|
||||||
|
@ -343,8 +342,10 @@ export default class AddEdgeModal extends Component {
|
||||||
<option>Owns</option>
|
<option>Owns</option>
|
||||||
<option>WriteDacl</option>
|
<option>WriteDacl</option>
|
||||||
<option>WriteOwner</option>
|
<option>WriteOwner</option>
|
||||||
|
<option>ReadLAPSPassword</option>
|
||||||
<option>CanRDP</option>
|
<option>CanRDP</option>
|
||||||
<option>ExecuteDCOM</option>
|
<option>ExecuteDCOM</option>
|
||||||
|
<option>AllowedToDelegate</option>
|
||||||
</select>
|
</select>
|
||||||
<span className="help-block" ref="edgeError">
|
<span className="help-block" ref="edgeError">
|
||||||
Looks good!
|
Looks good!
|
||||||
|
|
|
@ -101,9 +101,9 @@ export default class HelpModal extends Component {
|
||||||
}else if (edge.label === "AllowedToDelegate"){
|
}else if (edge.label === "AllowedToDelegate"){
|
||||||
let text = `The {} {} has the constrained delegation privilege to the computer {}.
|
let text = `The {} {} has the constrained delegation privilege to the computer {}.
|
||||||
|
|
||||||
The constrained delegation privilege allows a principal to authenticate to specific services (found in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer. This includes principals such as Domain Admins.
|
The constrained delegation primitive allows a principal to authenticate as any user to specific services (found in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer. That is, a node with this privilege can impersonate any domain principal (including Domain Admins) to the specific service on the target host.
|
||||||
|
|
||||||
An issue exists in constrained delegation that allows an attacker to modify the target service to any service of their choice.`;
|
An issue exists in the constrained delegation where the service name (sname) of the resulting ticket is not a part of the protected ticket information, meaning that an attacker can modify the target service name to any service of their choice. For example, if msds-AllowedToDelegateTo is “HTTP/host.domain.com”, tickets can be modified for LDAP/HOST/etc. service names, resulting in complete server compromise, regardless of the specific service listed.`;
|
||||||
formatted = text.format(sourceType, sourceName, targetName);
|
formatted = text.format(sourceType, sourceName, targetName);
|
||||||
}else if (edge.label === "GetChanges"){
|
}else if (edge.label === "GetChanges"){
|
||||||
let text = `${this.groupSpecialFormat(source)} the DS-Replication-Get-Changes privilege on the domain ${targetName}.
|
let text = `${this.groupSpecialFormat(source)} the DS-Replication-Get-Changes privilege on the domain ${targetName}.
|
||||||
|
@ -848,7 +848,7 @@ export default class HelpModal extends Component {
|
||||||
let text = ``;
|
let text = ``;
|
||||||
formatted = text.format(sourceType, sourceName, targetName);
|
formatted = text.format(sourceType, sourceName, targetName);
|
||||||
}else if (edge.label === "AllowedToDelegate"){
|
}else if (edge.label === "AllowedToDelegate"){
|
||||||
let text = `Abusing this privilege will require either kekeo on a compromised host, or impacket with a way to proxy traffic into the network. See the references tab for more detailed information on exploiting this privilege.`;
|
let text = `Abusing this privilege will require either using Benjamin Delpy’s Kekeo project on a compromised host, or proxying in traffic generated from the Impacket library. See the references tab for more detailed information on exploiting this privilege.`;
|
||||||
formatted = text.format(sourceType, sourceName, targetName);
|
formatted = text.format(sourceType, sourceName, targetName);
|
||||||
}else if (edge.label === "GetChanges"){
|
}else if (edge.label === "GetChanges"){
|
||||||
let text = `With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz:
|
let text = `With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz:
|
||||||
|
@ -937,13 +937,15 @@ export default class HelpModal extends Component {
|
||||||
let text = `This depends on the target object and how to take advantage of this privilege. Opsec considerations for each abuse primitive are documented on the specific abuse edges and on the BloodHound wiki.`;
|
let text = `This depends on the target object and how to take advantage of this privilege. Opsec considerations for each abuse primitive are documented on the specific abuse edges and on the BloodHound wiki.`;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "CanRDP"){
|
}else if (edge.label === "CanRDP"){
|
||||||
let text = ``;
|
let text = `If the target computer is a workstation and a user is currently logged on, one of two things will happen. If the user you are abusing is the same user as the one logged on, you will effectively take over their session and kick the logged on user off, resulting in a message to the user. If the users are different, you will be prompted to kick the currently logged on user off the system and log on. If the target computer is a server, you will be able to initiate the connection without issue provided the user you are abusing is not currently logged in.
|
||||||
|
|
||||||
|
Remote desktop will create Logon and Logoff events with the access type RemoteInteractive.`;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "ExecuteDCOM"){
|
}else if (edge.label === "ExecuteDCOM"){
|
||||||
let text = ``;
|
let text = ``;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "AllowedToDelegate"){
|
}else if (edge.label === "AllowedToDelegate"){
|
||||||
let text = ``;
|
let text = `As mentioned in the abuse info, in order to currently abuse this primitive either the Kekeo binary will need to be dropped to disk on the target or traffic from Impacket will need to be proxied in. See the References for more information.`;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "GetChanges"){
|
}else if (edge.label === "GetChanges"){
|
||||||
let text = `For detailed information on detection of dcsync as well as opsec considerations, see the adsecurity post in the references tab.`;
|
let text = `For detailed information on detection of dcsync as well as opsec considerations, see the adsecurity post in the references tab.`;
|
||||||
|
@ -1042,7 +1044,9 @@ export default class HelpModal extends Component {
|
||||||
let text = ``;
|
let text = ``;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "AllowedToDelegate"){
|
}else if (edge.label === "AllowedToDelegate"){
|
||||||
let text = `<a href="http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/">http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/</a>
|
let text = `<a href="https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/">https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/</a>
|
||||||
|
<a href="http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/">http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/</a>
|
||||||
|
<a href="https://twitter.com/gentilkiwi/status/806643377278173185">https://twitter.com/gentilkiwi/status/806643377278173185</a>
|
||||||
<a href="https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more">https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more</a>`;
|
<a href="https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more">https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more</a>`;
|
||||||
formatted = text;
|
formatted = text;
|
||||||
}else if (edge.label === "GetChanges"){
|
}else if (edge.label === "GetChanges"){
|
||||||
|
|
|
@ -524,7 +524,7 @@ export default class SearchContainer extends Component {
|
||||||
<i
|
<i
|
||||||
data-toggle="tooltip"
|
data-toggle="tooltip"
|
||||||
data-placement="right"
|
data-placement="right"
|
||||||
title="Filters edges outside prebuilt queries"
|
title="Filters edges in shortest path queries"
|
||||||
className="glyphicon glyphicon-question-sign"
|
className="glyphicon glyphicon-question-sign"
|
||||||
/>
|
/>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -100,7 +100,7 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "Shortest Path from Kerberoastable Users",
|
"name": "Shortest Paths from Kerberoastable Users",
|
||||||
"queryList": [
|
"queryList": [
|
||||||
{
|
{
|
||||||
"final": false,
|
"final": false,
|
||||||
|
|
22
src/index.js
22
src/index.js
|
@ -135,7 +135,11 @@ global.appStore = {
|
||||||
DCSync: "tapered",
|
DCSync: "tapered",
|
||||||
Contains: "tapered",
|
Contains: "tapered",
|
||||||
GpLink: "tapered",
|
GpLink: "tapered",
|
||||||
Owns: "tapered"
|
Owns: "tapered",
|
||||||
|
CanRDP: "tapered",
|
||||||
|
ExecuteDCOM: "tapered",
|
||||||
|
ReadLAPSPassword: "tapered",
|
||||||
|
AllowedToDelegate: "tapered"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
lowResPalette: {
|
lowResPalette: {
|
||||||
|
@ -143,7 +147,9 @@ global.appStore = {
|
||||||
User: "#17E625",
|
User: "#17E625",
|
||||||
Computer: "#E67873",
|
Computer: "#E67873",
|
||||||
Group: "#DBE617",
|
Group: "#DBE617",
|
||||||
Domain: "#17E6B9"
|
Domain: "#17E6B9",
|
||||||
|
OU: "#FFAA00",
|
||||||
|
GPO: "#7F72FD"
|
||||||
},
|
},
|
||||||
edgeScheme: {
|
edgeScheme: {
|
||||||
AdminTo: "line",
|
AdminTo: "line",
|
||||||
|
@ -153,10 +159,18 @@ global.appStore = {
|
||||||
ForceChangePassword: "line",
|
ForceChangePassword: "line",
|
||||||
GenericAll: "line",
|
GenericAll: "line",
|
||||||
GenericWrite: "line",
|
GenericWrite: "line",
|
||||||
WriteDACL: "line",
|
WriteDacl: "line",
|
||||||
WriteOwner: "line",
|
WriteOwner: "line",
|
||||||
AddMember: "line",
|
AddMember: "line",
|
||||||
TrustedBy: "curvedArrow"
|
TrustedBy: "curvedArrow",
|
||||||
|
DCSync: "line",
|
||||||
|
Contains: "line",
|
||||||
|
GpLink: "line",
|
||||||
|
Owns: "line",
|
||||||
|
CanRDP: "line",
|
||||||
|
ExecuteDCOM: "line",
|
||||||
|
ReadLAPSPassword: "line",
|
||||||
|
AllowedToDelegate: "line"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
highResStyle: {
|
highResStyle: {
|
||||||
|
|
Loading…
Reference in New Issue