Coalfire-Research/Vampire: Vampire is an aggressor script which adds a "Mark Owned" right click option to beacons.
2019-04-20 22:51:18 Author: github.com

Vampire is an aggressor script which adds a "Mark Owned" right click option to beacons. This allows you to select either the Computer or User (or Default, which will choose based on your user), along with the domain they belong to. Vampire will communicate with your neo4j REST API on localhost:7474 to mark the node as owned.


How to use

  1. Put vampire.cna and owned_utils.py in the root of your cobaltstrike folder
  2. chmod u+x owned_utils.py
  3. Load vampire.cna into Cobalt Strike
  4. Rain shells
  5. Start neo4j and BloodHound as normal
  6. Run BloodHound data collection and import data
  7. Right click your beacon(s) and mark them as owned
  8. ???
  9. Profit

Considerations

  • neo4j must be running on localhost, on the standard port - 7474
  • Your neo4j database creds should be Kali standard neo4j:BloodHound (you can change the base64 in owned_utils.py otherwise)

Benefits

  • Never miss an attack path
  • Quickly keep up with other team members' movement

Future Plans

  • Mark users as owned using the credentials callback

How it works

  1. Use owned_utils.py to query the list of domains from neo4j
  2. Obtain user selection
  3. Foreach selected beacon ID:
  4. Append @ + the specified domain to the user/computer name
  5. For Default, it will choose based on whether you're a local admin
  6. Use owned_utils.py to query the neo4j REST API
    • "MATCH (n:" + nodetype + " {name:'" + nodelabel + "'}) SET n.owned=TRUE"
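
The statement in step 6 is built by string concatenation, so a user or computer name containing a single quote would break or change the query. A parameterized form of the same request, as an added example that is not the project's owned_utils.py; the transactional endpoint path (neo4j 3.x), the function names and the sample name in the test are assumptions:

```python
import base64
import json

# Assumption: neo4j 3.x transactional HTTP endpoint, on the port the README names.
NEO4J_URL = "http://localhost:7474/db/data/transaction/commit"
# Cypher cannot take a label as a parameter, so the label is checked against a fixed set.
ALLOWED_LABELS = {"User", "Computer"}


def basic_auth(user="neo4j", password="BloodHound"):
    """Authorization header value for the creds listed under Considerations."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def build_mark_owned(nodetype, name, domain):
    """Return (url, headers, body) for a parameterized 'mark owned' statement."""
    if nodetype not in ALLOWED_LABELS:
        raise ValueError(f"unexpected node label: {nodetype!r}")
    # Same label format as step 4: name + "@" + domain.
    nodelabel = f"{name}@{domain}"
    # The name travels as data in "parameters", never as part of the Cypher text.
    statement = f"MATCH (n:{nodetype} {{name: $name}}) SET n.owned = TRUE"
    body = json.dumps({"statements": [
        {"statement": statement, "parameters": {"name": nodelabel}}]})
    headers = {"Authorization": basic_auth(),
               "Content-Type": "application/json",
               "Accept": "application/json"}
    return NEO4J_URL, headers, body
```

The returned tuple can be passed to any HTTP client as a POST; nothing is sent by the block itself.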

Author

Patrick Hurd


Source: https://github.com/Coalfire-Research/Vampire