do some cleanup for hash_spider for #38
parent
76bf3be084
commit
2a5c01d6b6
|
@ -12,7 +12,6 @@ from lsassy.session import Session
|
||||||
from lsassy.impacketfile import ImpacketFile
|
from lsassy.impacketfile import ImpacketFile
|
||||||
|
|
||||||
credentials_data = []
|
credentials_data = []
|
||||||
admin_results = []
|
|
||||||
found_users = []
|
found_users = []
|
||||||
reported_da = []
|
reported_da = []
|
||||||
|
|
||||||
|
@ -37,15 +36,15 @@ def neo4j_conn(context, connection, driver):
|
||||||
|
|
||||||
|
|
||||||
def neo4j_local_admins(context, driver):
|
def neo4j_local_admins(context, driver):
|
||||||
global admin_results
|
|
||||||
try:
|
try:
|
||||||
session = driver.session()
|
session = driver.session()
|
||||||
admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
|
admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
|
||||||
context.log.success("Admins and PCs obtained.")
|
context.log.success("Admins and PCs obtained")
|
||||||
except Exception:
|
except Exception as e:
|
||||||
context.log.fail("Could not pull admins")
|
context.log.fail(f"Could not pull admins: {e}")
|
||||||
exit()
|
return None
|
||||||
admin_results = [record for record in admins.data()]
|
results = [record for record in admins.data()]
|
||||||
|
return results
|
||||||
|
|
||||||
|
|
||||||
def create_db(local_admins, dbconnection, cursor):
|
def create_db(local_admins, dbconnection, cursor):
|
||||||
|
@ -69,7 +68,7 @@ def create_db(local_admins, dbconnection, cursor):
|
||||||
if user not in admin_users:
|
if user not in admin_users:
|
||||||
admin_users.append(user)
|
admin_users.append(user)
|
||||||
for user in admin_users:
|
for user in admin_users:
|
||||||
cursor.execute("""INSERT OR IGNORE INTO admin_users(username) VALUES(?)""", [user])
|
cursor.execute("INSERT OR IGNORE INTO admin_users(username) VALUES(?)", [user])
|
||||||
dbconnection.commit()
|
dbconnection.commit()
|
||||||
|
|
||||||
|
|
||||||
|
@ -113,7 +112,7 @@ def process_creds(context, connection, credentials_data, dbconnection, cursor, d
|
||||||
if path:
|
if path:
|
||||||
for key, value in path.items():
|
for key, value in path.items():
|
||||||
for item in value:
|
for item in value:
|
||||||
if type(item) == dict:
|
if isinstance(item, dict):
|
||||||
if {item["name"]} not in reported_da:
|
if {item["name"]} not in reported_da:
|
||||||
context.log.success(f"You have a valid path to DA as {item['name']}.")
|
context.log.success(f"You have a valid path to DA as {item['name']}.")
|
||||||
reported_da.append({item["name"]})
|
reported_da.append({item["name"]})
|
||||||
|
@ -147,6 +146,7 @@ class NXCModule:
|
||||||
self.reset = None
|
self.reset = None
|
||||||
self.reset_dumped = None
|
self.reset_dumped = None
|
||||||
self.method = None
|
self.method = None
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def save_credentials(context, connection, domain, username, password, lmhash, nthash):
|
def save_credentials(context, connection, domain, username, password, lmhash, nthash):
|
||||||
host_id = context.db.get_computers(connection.host)[0][0]
|
host_id = context.db.get_computers(connection.host)[0][0]
|
||||||
|
@ -156,6 +156,7 @@ class NXCModule:
|
||||||
credential_type = 'hash'
|
credential_type = 'hash'
|
||||||
password = ':'.join(h for h in [lmhash, nthash] if h is not None)
|
password = ':'.join(h for h in [lmhash, nthash] if h is not None)
|
||||||
context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
|
context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
|
||||||
|
|
||||||
def options(self, context, module_options):
|
def options(self, context, module_options):
|
||||||
"""
|
"""
|
||||||
METHOD Method to use to dump lsass.exe with lsassy
|
METHOD Method to use to dump lsass.exe with lsassy
|
||||||
|
@ -220,17 +221,23 @@ class NXCModule:
|
||||||
cred["lmhash"],
|
cred["lmhash"],
|
||||||
cred["nthash"],
|
cred["nthash"],
|
||||||
] not in credentials_unique:
|
] not in credentials_unique:
|
||||||
credentials_unique.append(
|
credentials_unique.append([
|
||||||
[
|
|
||||||
cred["domain"],
|
cred["domain"],
|
||||||
cred["username"],
|
cred["username"],
|
||||||
cred["password"],
|
cred["password"],
|
||||||
cred["lmhash"],
|
cred["lmhash"],
|
||||||
cred["nthash"],
|
cred["nthash"],
|
||||||
]
|
])
|
||||||
)
|
|
||||||
credentials_output.append(cred)
|
credentials_output.append(cred)
|
||||||
self.save_credentials(context, connection, cred["domain"], cred["username"], cred["password"], cred["lmhash"], cred["nthash"])
|
self.save_credentials(
|
||||||
|
context,
|
||||||
|
connection,
|
||||||
|
cred["domain"],
|
||||||
|
cred["username"],
|
||||||
|
cred["password"],
|
||||||
|
cred["lmhash"],
|
||||||
|
cred["nthash"]
|
||||||
|
)
|
||||||
global credentials_data
|
global credentials_data
|
||||||
credentials_data = credentials_output
|
credentials_data = credentials_output
|
||||||
|
|
||||||
|
@ -302,7 +309,7 @@ class NXCModule:
|
||||||
neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
|
neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
|
||||||
driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
|
driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
|
||||||
neo4j_conn(context, connection, driver)
|
neo4j_conn(context, connection, driver)
|
||||||
neo4j_local_admins(context, driver)
|
admin_results = neo4j_local_admins(context, driver)
|
||||||
create_db(admin_results, dbconnection, cursor)
|
create_db(admin_results, dbconnection, cursor)
|
||||||
initial_run(connection, cursor)
|
initial_run(connection, cursor)
|
||||||
context.log.display("Running lsassy")
|
context.log.display("Running lsassy")
|
||||||
|
|
Loading…
Reference in New Issue