Cypheroth : Automated & Extensible Toolset That Runs Cypher Queries

Cypheroth is a automated, extensible toolset that runs cypher queries against Bloodhound’s Neo4j backend and saves output to spreadsheets.

This is a bash script that automates running cypher queries against Bloodhound data stored in a Neo4j database.

I found myself re-running the same queries through the Neo4j web interface on multiple assessments and figured there must be an easier way.

The list of cypher queries to run is fully extensible. The formatting example below shows how to add your own.

Please share any additional useful queries so I can add them to this project!

Demo

Prereqs

  • The cypher-shell command comes bundled with Neo4j, and is required for this script to function
    • If Neo4j is installed and cypher-shell is not found, you may have an outdated version of Neo4j
    • The latest version can always be found at this location
    • On Kali, upgrade to the latest version using Neo4j’s Debian repository
  • Optional: If the ssconvert command is present, the script will combine all .csv output to sheets within a .xls file
    • Install the gnumeric toolset with apt or brew to gain access to ssconvert

On Windows we recommend using WSL to run this script, while the neo4j database runs on Windows. You will just need to install the cypher-shell package in WSL (Linux).

Usage

Flags:

-u Neo4J Username (Required)
-p Neo4J Password (Required)
-d Fully Qualified Domain Name (Required) (Case Sensitive)
-a Bolt address (Optional) (Default: localhost:7687)
-t Query Timeout (Optional) (Default: 30s)
-v Verbose mode (Optional) (Default:FALSE)
-h Help text and usage example (Optional)

Example with Defaults:

./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL

Example with All Options:

./cypheroth.sh -u neo4j -p hunter2 -d BigTech.corp -a 10.0.0.1:7687 -t 5m -v true

Files are added to a subdirectory named after the FQDN.

Cypher Queries

There are nearly 60 queries in the script currently. This is a sample of the information you’ll receive:

  • Full User Property List
  • Full Computer Property List
  • Full Domain Property List
  • Full OU Property List
  • Full GPO Property List
  • Full Group Property List
  • Computers with Admins
  • Computers without Admins
  • Kerberoastable users and computers where they are admins

To add additional queries, edit the queries array within cypheroth.sh and add a line using the following format:

Description;Cypher Query;Output File

If adding a query that requires the Domain value to be set, save it as $DOMAIN.

  • Example 1:

All Usernames;MATCH (u:User) RETURN u.name;usernames.csv

  • Example 2:

All Domain Admins;MATCH (u:User) MATCH (g:Group {name:’DOMAIN ADMINS@$DOMAIN’}) RETURN u.displayname;domainAdmins.csv

Analyze Several Domains

If you need to analyze several domains, you can run multiple instances of Cypheroth in parallel with each one working on its domain. You can use the following script for example (10 in parallel).

#!/usr/bin/env bash
DOMAINS=(domA.example.net domB.example.net […])
parallel -j10 –lb ./cypheroth.sh -d {} ::: “${DOMAINS[@]}”

Troubleshooting

If you are running an outdated version of cypher-shell you may receive the following error:

DateTime is not supported as a return type in Bolt protocol version
1. Please make sure driver supports at least protocol version
2. Driver upgrade is most likely required.

To fix, update Neo4j to the latest version.

Credit: Chris Farrell (@seajay)

Acknowledgments

R K

Recent Posts

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

19 hours ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

1 day ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

1 day ago

What is SIEM? Complete Guide to Security Information and Event Management

Introduction As cyber threats grow more sophisticated, organizations need more than just firewalls and antivirus…

2 days ago

Website OSINT: Tools and Techniques for Reconnaissance

Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…

2 days ago

Top OSINT Tools to Find Emails, Usernames and Passwords

Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…

3 days ago