-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathvampire.cna
68 lines (62 loc) · 2.04 KB
/
vampire.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# Author: Patrick Hurd, Penetration Tester, Coalfire Federal 2019
popup beacon_bottom {
item "Mark Owned" {
dialog_show(create_owned_dialog($1));
}
}
sub create_owned_dialog {
$beacon = $1;
$owned_dialog = dialog("Mark Owned", %(), lambda({owned_dialog_callback($beacon, $2, $3)}));
dialog_description($owned_dialog, "Mark node(s) as owned in BloodHound. Neo4j must be up and running on localhost:7474.");
drow_combobox($owned_dialog, "node_type", "Node Type:", @('Default', 'User', 'Computer'));
$proc = exec("./owned_utils.py -r domains");
$d_line = readln($proc);
@domains = split(",", $d_line);
closef($proc);
drow_combobox($owned_dialog, "domain", "Domain:", @domains);
dbutton_action($owned_dialog, "Go");
return $owned_dialog;
}
sub owned_dialog_callback {
foreach $id ($1) {
$username = "";
$computer = "";
foreach $b (beacons()) {
if ($b["id"] == int($id)) {
$username = $b["user"];
$computer = $b["computer"];
}
}
# Cobalt Strike shows local admins as "CompUser *"
$is_admin = 0;
if ($username ismatch '.* \*') {
$is_admin = 1;
}
$is_system = 0;
if ($username ismatch 'SYSTEM \*') {
$is_system = 1;
} else if ($username ismatch 'Administrator \*') {
$is_system = 1;
}
$username = matches($username, "([^ ]*)")[0];
# Append @domain.tld
$username = $username . "@" . $3["domain"];
$computer = $computer . "." . $3["domain"];
if ($3["node_type"] eq "Default") {
if ($is_system) {
exec(@("./owned_utils.py", "-r", "owned", "-t", "Computer", "-l", $computer));
} else if ($is_admin) {
exec(@("./owned_utils.py", "-r", "owned", "-t", "User", "-l", $username));
exec(@("./owned_utils.py", "-r", "owned", "-t", "Computer", "-l", $computer));
} else {
exec(@("./owned_utils.py", "-r", "owned", "-t", "User", "-l", $username));
}
}
if ($3["node_type"] eq "User") {
exec(@("./owned_utils.py", "-r", "owned", "-t", "User", "-l", $username));
}
if ($3["node_type"] eq "Computer") {
exec(@("./owned_utils.py", "-r", "owned", "-t", "Computer", "-l", $computer));
}
}
}