BloodCheck enables Red and Blue Teams to manage multiple Neo4j databases and run Cypher queries against a BloodHound dataset.
BloodCheck requires Python 3.7 (and above), and Neo4j 3.5.x to be installed.
The Neo4j binary can be downloaded from the Neo4j website.
Once downloaded, the Neo4j setup can be carried out by running the following command as administrator:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat install-serviceYou can check the Neo4j installation path using the following command:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat status -VerboseIf it's pointing to another installation path, change the NEO4J_HOME environment variable:
set NEO4J_HOME=<neo4j_path>\neo4j-community-<neo4j_version>
echo %NEO4J_HOME%To update the Neo4j service, run the update-service command:
<neo4j_path>\neo4j-community-<neo4j_version>\bin\neo4j.bat update-serviceIn order to install the pip requirements, run the following commands:
cd BloodCheck
pip3 install -r requirements.txtIf you have issues installing the Pandas' package, you can use the following command:
pip3 install --trusted-host pypi.python.org pip pandasOnce all dependencies have been installed, the configuration file config.py must be initialized (using the config.py.sample sample file) with the associated program variables.
Finally, uncomment the #dbms.active_database=graph.db line in the neo4j.conf Neo4j configuration file, located in the <neo4j_path>\neo4j-community-<neo4j_version>\conf directory.
In order to run BloodCheck using Docker, you first need to build the Docker image using the following command:
cd BloodCheck
docker build --tag bloodcheck .BloodCheck can then be run as follows:
docker run -ti bloodcheck
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
usage: BloodCheck.py [-h] [-c CONFIGFILE] [-dG] [-dL] [-dP] [-dR] [-dS] [-oI OWNEDINJECTFILE] [-oU OWNEDUNDOFILE] [-oW] [-qA] [-qF QUERYFILE] [-qD QUERYDIRECTORY] [-qS QUERYSUBDIRECTORY] [-o OUTPUTDIRECTORY] [-s] [-v]
optional arguments:
-h, --help show this help message and exit
-c CONFIGFILE, --config CONFIGFILE
define Neo4j configuration file
-dG, --generate generate Neo4j database
-dL, --list list Neo4j database
-dP, --purge purge Neo4j database
-dR, --restart restart Neo4j local service
-dS, --switch switch Neo4j database
-oI OWNEDINJECTFILE, --inject OWNEDINJECTFILE
inject owned principales
-oU OWNEDUNDOFILE, --undo OWNEDUNDOFILE
undo the owned principales injection
-oW, --wipe wipe all owned principales
-qA, --analytics run Neo4j database analytics
-qF QUERYFILE, --query QUERYFILE
run cypher query
-qD QUERYDIRECTORY, --dir QUERYDIRECTORY
run all cypher queries from directory
-qS QUERYSUBDIRECTORY, --subdir QUERYSUBDIRECTORY
run all cypher queries from all subdirectories
-o OUTPUTDIRECTORY, --output OUTPUTDIRECTORY
output results in specified directory
-s, --save save results to files
-v, --verbose increase output verbosityRunning BloodCheck.py -h will print the help message and list all available options:
$ python BloodCheck.py -h
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
usage: BloodCheck.py [-h] [-c CONFIGFILE] [-dG] [-dL] [-dP] [-dR] [-dS] [-oI OWNEDINJECTFILE] [-oU OWNEDUNDOFILE] [-oW] [-qA] [-qF QUERYFILE] [-qD QUERYDIRECTORY] [-qS QUERYSUBDIRECTORY] [-o OUTPUTDIRECTORY] [-s] [-v]
optional arguments:
-h, --help show this help message and exit
-c CONFIGFILE, --config CONFIGFILE
define Neo4j configuration file
-dG, --generate generate Neo4j database
-dL, --list list Neo4j database
-dP, --purge purge Neo4j database
-dR, --restart restart Neo4j local service
-dS, --switch switch Neo4j database
-oI OWNEDINJECTFILE, --inject OWNEDINJECTFILE
inject owned principales
-oU OWNEDUNDOFILE, --undo OWNEDUNDOFILE
undo the owned principales injection
-oW, --wipe wipe all owned principales
-qA, --analytics run Neo4j database analytics
-qF QUERYFILE, --query QUERYFILE
run cypher query
-qD QUERYDIRECTORY, --dir QUERYDIRECTORY
run all cypher queries from directory
-qS QUERYSUBDIRECTORY, --subdir QUERYSUBDIRECTORY
run all cypher queries from all subdirectories
-o OUTPUTDIRECTORY, --output OUTPUTDIRECTORY
output results in specified directory
-s, --save save results to files
-v, --verbose increase output verbosityBloodCheck requires a configuration file config.py to be initialized (see section Installation From Source).
You can also specify an alternate configuration file using the -c parameter:
$ python BloodCheck.py -c configuration_file.pyTo generate a clean Neo4j database (named 'CleanNeo4jDB') that can be used with BloodHound, specify its name using the following command:
$ python BloodCheck.py -dG
|________|___________________|_
| |B|L|O|O|D|C|H|E|C|K| |________________
|________|___________________|_| ,
| | | ,
[!] Access to Neo4j installation path [OK]
Please input the new Database name: CleanNeo4jDB
[!] Creating database 'CleanNeo4jDB'All Neo4j databases can be listed with the -dL parameter:
$ python BloodCheck.py -dLTo switch to a specific Neo4j database (which requires the Neo4j service to be restarted), use the -dS option:
$ python BloodCheck.py -dSTo restart the Neo4j local service, use the -dR parameter:
$ python BloodCheck.py -dRParameters can be stacked. For instance, if you want to switch to another database and restart the Neo4j service, use the following command:
$ python BloodCheck.py -dS -dRTo purge (delete) a specific Neo4j database, use the -dP parameter:
$ python BloodCheck.py -dPOne feature of BloodCheck is the ability to inject owned principales via batch processing, using the following command:
$ python BloodCheck.py -oI owned_file.txtThe content of the specified owned file is as follow:
owned principale;wave
owned principale;wave
To undo the owned principales injection, just run BloodCheck with the -oU option followed with the previously provided owned file:
$ python BloodCheck.py -oU owned_file.txtTo wipe all owned principales attributes, use the -oW parameter:
$ python BloodCheck.py -oWBloodCheck also enables cypher queries to be run against a BloodHound Neo4j database using yaml templates.
To run a specific cypher query against the BloodHound instance, just run the following command:
$ python BloodCheck.py -qF query_file.ymlThe command below can be used to run all cypher queries from a directory:
$ python BloodCheck.py -qD query_directoryUse the -qS parameter to run all cypher queries from all subdirectories:
$ python BloodCheck.py -qS query_directoryOnly the first 10 entries of each query results will be returned to the standard output.
Results can be saved to files using the -s parameter. By default, output results will be saved to the _output directory. This can be overridden by specifying the output directory using the -o option.
The cypher query yaml template consists of the following required sections:
Description: <Description of the cypher query>
Hash: <SHA256 hash of the cypher query>
Headers:
- <First header>
- <Second header>
- ...
Query: '
<Cypher query to run>
'For instance, the following template will returned a table of all users with Name, Description, pwdlastset attribute value and the enabling state:
Description: Users descriptions
Hash: 56DA67064F47AA4C06F68CD3A683462BCF0B93424D3360AEB95C0962549693AC
Headers:
- Name
- Description
- pwdlastset
- Enabled
Query: '
MATCH (u:User)
WHERE u.description is not null
RETURN u.name AS `Name`, u.description AS `Description`, u.pwdlastset AS `pwdlastset`, u.enabled AS `Enabled`
'Note that the cypher query must not contain any additional quotes. Otherwise the following error would occur:
Error while parsing a block mapping
in "yamlfile.yml", line 1, column 1
expected <block end>, but found '<scalar>
Finally, there are some builtins analytics cypher queries that can be run against the BloodHound instance using the following command:
$ python BloodCheck.py -qAThose builtins analytics cypher queries retrieve the nodes distributions, the number and name of available domains, as well as all the principals marked as owned.
If you want to contribute and make BloodCheck better, your help is very welcome.
You can use it and give me feedbacks.
Pull requests are also welcomed! So, if you have some improvements to provide, or a new cypher query to add to the project, please do ;)
This project would not have been possible without the amazing work of @_wald0, @CptJesus, and @harmj0y on the BloodHound project.
A big shout out also for @Haus3c and its amazing BloodHound Cypher Cheatsheet.