Awesome
Vampire
Vampire is an aggressor script which adds a "Mark Owned" right click option to beacons. This allows you to select either the Computer or User (or Default, which will choose based on your user), along with the domain they belong to. There is an additional optional cna script for marking new credentials as owned. Vampire will communicate with your neo4j REST API on localhost:7474 to mark the node as owned.
<img src="Screen_Shot_2019-04-02_at_3.31.18_PM.png" width="30%" style="float: right"> <img src="Screen_Shot_2019-04-02_at_3.31.54_PM.png" width="30%" style="float: left"> <br style="clear: both">
How to use
- Put
vampire.cna
,vampire_creds.cna
, andowned_utils.py
in the root of your cobaltstrike folder chmod u+x owned_utils.py
- Load
vampire.cna
andvampire_creds.cna
into Cobalt Strike through the Script Manager - Rain shells
- Start neo4j and BloodHound as normal
- Run BloodHound data collection and import data
- Right click your beacon(s) and mark them as owned
- Run logonpasswords
Considerations
- neo4j must be running on localhost, on the standard port - 7474
- Your neo4j database creds should be Kali standard
neo4j:BloodHound
(you can change the base64 inowned_utils.py
otherwise) echo -n 'neo4j:yourpassword' | base64
and then replace the auth in owned_utils.py
Benefits
- Never miss an attack path
- Quickly keep up with other team members' movement
How it works
- Uses
owned_utils.py
to query the list of domains from neo4j - Obtain user selection
- Foreach selected beacon ID:
- Append
@
+ the specified domain to the user/computer name - For
Default
, it will choose based on whether you're a local admin - Uses
owned_utils.py
to query the neo4j REST API'MATCH (n:*) WHERE lower(n.name) = "' + nodelabel.lower() + '" SET n.owned = TRUE'
- Listens for the
on credentials
callback - Loops through all the credentials, keeping an internal state
- Optionally excludes 32 byte passwords (NTLM hashes - see $ignore_hash)
- Reconstructs a valid domain for the user
- Checks the user exists
- Marks new credentials as owned
Extensibility
The cna script handles the Cobalt Strike GUI, while the Python script handles Bloodhound/neo4j interaction. The reason I did it this way is because I couldn't get the HTTP request working nicely through Sleep sockets. The plus side is, you can call/import the Python code into your own project which doesn't use Cobalt Strike. The code in the functions is pretty much ripped from the neo4j syntax examples in the Bloodhound Github wiki.
Author
Patrick Hurd