# This script will mark user accounts as "owned" in BloodHound
# It's a blind fire-and-forget across the cred store using USER@REALM,
# so it may mark more than necessary if you have overlapping REALMs in
# your cred store. And yeah, Cypher injection in neo4j is possible because
# the username is concatenated into the query string without any escaping.
#
# Set these in your neo4j.conf
# dbms.connector.http.enabled=true
# dbms.connector.http.listen_address=:7474
# or https
# dbms.connector.https.enabled=true
# dbms.connector.https.listen_address=:7473
# - @NotMedic
#
# sendhttp() code borrowed from @vysec and @Und3rf10w's prior work:
# https://github.com/vysec/Aggressor-VYSEC/blob/master/pushover-ng.cna
#
# Update the $bloodhoundurl to your bloodhound instance
# Update the $authheader to your creds. "echo -n neo4j:bloodhound | base64"
#
# TODO:
# 1. Parameterized query for neo4j
# 2. Parse JSON response using vysec's json code:
# https://github.com/vysec/ANGRYPUPPY/tree/master/json
# 3. Profit
import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
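sub sendhttp{
	# Send one HTTP request carrying a JSON body to the neo4j REST endpoint
	# behind BloodHound and return the response body as a string.
	#
	# $1 - HTTP method, e.g. "POST"
	# $2 - URL to call. Callers pass the global $bloodhoundurl, which is still
	#      $null before the first call because it is only assigned below; an
	#      empty $2 therefore falls back to $bloodhoundurl instead of failing
	#      with a MalformedURLException on the very first beacon/heartbeat.
	# $3 - request body, written as-is
	#
	# $authheader and $bloodhoundurl are deliberately not declared local():
	# mark_owned and beacon_initial read $bloodhoundurl. The Basic credential
	# travels in clear text over plain http, so keep the listener on localhost
	# (the default below) or point $bloodhoundurl at the https connector.
	local('$method $url $body $USER_AGENT $urlobj $con $wr $responseCode $stream $in $inputLine $response');
	$authheader = "Basic bmVvNGo6Ymxvb2Rob3VuZA==";
	$bloodhoundurl = "http://localhost:7474/db/data/cypher/";
	$method = $1;
	if ($2 eq "") {
		$url = $bloodhoundurl;
	}
	else {
		$url = $2;
	}
	$body = $3;
	$USER_AGENT = "Mozilla/5.0";

	$urlobj = [new URL: $url];
	$con = [$urlobj openConnection];
	[$con setRequestMethod: $method];
	[$con setRequestProperty: "User-Agent", $USER_AGENT];
	[$con setRequestProperty: "Content-Type", "application/json"];
	[$con setRequestProperty: "Authorization", $authheader];
	[$con setRequestProperty: "Connection", "close"];
	[$con setRequestProperty: "Accept-Encoding", "identity"];
	[$con setRequestProperty: "Accept", "application/json"];
	[$con setDoOutput: true];

	# writeBytes() keeps only the low byte of each char, so the body must be
	# ASCII; names with other characters would be corrupted on the wire.
	$wr = [new DataOutputStream: [$con getOutputStream]];
	[$wr writeBytes: $body];
	[$wr flush];
	[$wr close];

	# getInputStream() throws on 4xx/5xx; read the error stream instead so a
	# failed query still hands neo4j's message back to the caller.
	$responseCode = [$con getResponseCode];
	if ($responseCode >= 400) {
		$stream = [$con getErrorStream];
	}
	else {
		$stream = [$con getInputStream];
	}

	$response = "";
	if ($stream !is $null) {
		$in = [new BufferedReader: [new InputStreamReader: $stream]];
		# readLine() returns null only at end of stream. Stopping at the first
		# blank line, as the previous loop did, truncated any body containing one.
		$inputLine = [$in readLine];
		while ($inputLine !is $null) {
			$response = $response . $inputLine . "\r\n";
			$inputLine = [$in readLine];
		}
		[$in close];
	}
	return $response;
}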
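sub mark_owned {
	# Mark every BloodHound User node whose name starts with $1 as owned.
	#
	# $1 - user name in "USER@REALM" form (the heartbeat handler upper-cases it)
	#
	# The name is passed as a Cypher parameter instead of being spliced into
	# the statement text, so a credential containing quotes or Cypher syntax
	# cannot change the query (the injection the header comment warns about).
	# The JSON envelope still needs its own escaping of backslash and quote,
	# done below in that order.
	local('$username $query $body');
	$username = strrep(strrep($1, "\\", "\\\\"), "\"", "\\\"");
	$query = "MATCH (n:User) WHERE n.name STARTS WITH {name} SET n.owned = TRUE RETURN n.name";
	$body = '{ "query" : "' . $query . '", "params" : { "name" : "' . $username . '" } }';
	sendhttp("POST", $bloodhoundurl, $body);
}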
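on beacon_initial {
	# When a new Beacon checks in with elevated rights, mark its host's
	# Computer node as owned. STARTS WITH is case sensitive and the heartbeat
	# handler already upper-cases names via uc(), so do the same here.
	#
	# The host name goes in as a Cypher parameter rather than into the query
	# text, with backslash and quote escaped for the JSON envelope, so an odd
	# host name cannot alter the statement.
	local('$computer $query $body');
	if (-isadmin $1) {
		$computer = uc(binfo($1, "computer"));
		$query = "MATCH (n:Computer) WHERE n.name STARTS WITH {name} SET n.owned = TRUE RETURN n.name";
		$body = '{ "query" : "' . $query . '", "params" : { "name" : "' . strrep(strrep($computer, "\\", "\\\\"), "\"", "\\\"") . '" } }';
		println("Marking " . $computer . " as owned");
		sendhttp("POST", $bloodhoundurl, $body);
	}
}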
on heartbeat_1m {
	# Once a minute, walk the credential store and send each USER@REALM that
	# has not been sent before to mark_owned. @OwnedUsers remembers what has
	# already gone out so the same principal is not re-marked every minute.
	foreach $cred (credentials()) {
		$username = uc($cred['user'] . "@" . $cred['realm']);
		if ($username !in @OwnedUsers) {
			println("Marking " . $username . " as owned");
			mark_owned($username);
			add(@OwnedUsers, $username);
		}
	}
}