Command line tool for analyzing .json files generated by bloodhound.py or sharphound for use in Bloodhound.

ProfessionallyEvil/bloodhound-elementary

Bloodhound Elementary

Command line tool for analyzing .json files generated by bloodhound.py or sharphound for use in Bloodhound.

Why?

Bloodhound itself is an awesome information gathering tool both for security audit and penetration testing purposes; however, it has some heavy-weight dependencies (Java and Neo4J) and requires a GUI. So Elementary was written to provide a light-weight alternative for analyzing the same data. It requires only Python 3.5 or higher and has no additional library dependencies.

Elementary can list and describe domains, users, groups, and computers. It can also trace paths (e.g. from a user to a group) and suggest targets.

Getting Started

First make sure you have Python 3.5 or greater installed, such that typing python --version from the command line yields the expected results.

Then clone this repo. Really you just need elementary.py and elementary_data.py.

Then from the installation folder you can run: python ./elementary.py <PATH> where <PATH> is the path to the folder containing your Bloodhound JSON files. If you did everything correctly, the output should show you what was loaded into memory, e.g.:

Starting Bloodhound Elementary...
Loading computers...
  Found 512 computers entries.
Loading domains...
  Found 1 domains entries.
Loading groups...
  Found 450 groups entries.
Loading users...
  Found 445 users entries.
Loading sessions...
  Found 312 session entries.
Type 'help' for a list of commands.
elementary>

Commands

The normal syntax for commands is VERB TYPE NAME. In most cases the NAME can be a partial, and Elementary will prompt you when more than one match is found. Use quotes when a NAME contains a space. Matching is not case sensitive.

The commands are as follows:

describe

Describe the specified computer, domain, group, or user.

Syntax: describe <computer|domain|group|user> <name>

e.g.:

describe group "Domain Admins"
describe user bob

exit

Exits Elementary

help

Provides command description and syntax help.

list

List the names of a specified object type.

Syntax: list <computers|domains|groups|users> [max=<n>] [<name>]

e.g.:

list groups Admins
list domains
list computers max=30 NTSERVER

sessions

List sessions for the given item, i.e. given a user, list the computers on which that user has an active session; given a computer, list all users with active sessions on that computer.

Syntax: sessions user|computer|group <name>

e.g.:

sessions user bob
sessions computer ntserver123

targets

List the top (10) items by active sessions, access, etc. This may be useful for finding potential targets during a penetration test, but it is also useful for audit purposes (e.g. why does bob have localadmin on 57 machines?). This command will pull lists of the following:

  • High Value Groups (as determined by Bloodhound)
  • Users with the most active sessions
  • Computers with the most active sessions
  • Users with direct (i.e. not via a group) localadmin access to the most computers

Syntax: targets [<limit>]

trace

Trace paths from one object to another. This is useful during penetration tests or analysis, e.g. given a user account, what is the path an attacker may use to gain access to the target group.

Syntax: trace <user|computer> <source> <computer|group> <target>

e.g.:

elementary> trace user bob group "enterprise Admin"
Multiple matches for 'bob'.  Please select one:
0 - BOB@PROFESSIONALLYEVIL.COM
1 - BOB2@PROFESSIONALLYEVIL.COM
Which one [type number or 'q' to quit]? 0
Tracing paths from user BOB@PROFESSIONALLYEVIL.COM to group ENTERPRISE ADMINS@PROFESSIONALLYEVIL.COM (this may take a few moments)
* user BOB@PROFESSIONALLYEVIL.COM --> computer NTSERVER123.PROFESSIONALLYEVIL.COM --> user JANEADMIN@PROFESSIONALLYEVIL.COM --> group ENTERPRISE ADMINS@PROFESSIONALLYEVIL.COM
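
The trace output above reads as a walk over relationship edges. The following Python is an added example, not Elementary's own code: it finds the shortest such paths with a breadth-first search over constructed sample data. The edge names (AdminTo, HasSession, MemberOf), the node names, and the max_hops parameter are assumptions for illustration, since the page does not say which relationships Elementary follows.

```python
from collections import deque

# Constructed sample data (not BloodHound's JSON schema): each edge is
# (source, relationship, destination), with nodes written as "type NAME".
EDGES = [
    ("user BOB", "AdminTo", "computer NTSERVER123"),
    ("computer NTSERVER123", "HasSession", "user JANEADMIN"),
    ("user JANEADMIN", "MemberOf", "group ENTERPRISE ADMINS"),
    ("user BOB", "MemberOf", "group HELPDESK"),
    ("group HELPDESK", "AdminTo", "computer WKSTN7"),
    ("computer WKSTN7", "HasSession", "user BOB"),  # cycle back to BOB
    ("user ALICE", "MemberOf", "group HELPDESK"),
]

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def trace(graph, source, target, max_hops=6):
    """Return every shortest path from source to target as (rel, node) hops."""
    found, shortest = [], None
    queue = deque([[(None, source)]])
    while queue:
        path = queue.popleft()
        hops = len(path) - 1
        if shortest is not None and hops > shortest:
            break  # BFS order: everything still queued is longer
        node = path[-1][1]
        if node == target:
            found.append(path)
            shortest = hops
            continue
        if hops >= max_hops:
            continue  # give up on this branch instead of searching forever
        visited = {n for _, n in path}
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:  # never revisit a node on the same path
                queue.append(path + [(rel, nxt)])
    return found

def render(path):
    return path[0][1] + "".join(" --[{}]--> {}".format(r, n) for r, n in path[1:])

if __name__ == "__main__":
    g = build_graph(EDGES)
    for p in trace(g, "user BOB", "group ENTERPRISE ADMINS"):
        print("* " + render(p))
```

Labelling each hop with its relationship shows which grant or logon an auditor would have to remove to break the path, for example the local admin right on NTSERVER123 or the privileged session on it.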
