Cypheroth : Automated & Extensible Toolset That Runs Cypher Queries

Cypheroth is a automated, extensible toolset that runs cypher queries against Bloodhound’s Neo4j backend and saves output to spreadsheets.

This is a bash script that automates running cypher queries against Bloodhound data stored in a Neo4j database.

I found myself re-running the same queries through the Neo4j web interface on multiple assessments and figured there must be an easier way.

The list of cypher queries to run is fully extensible. The formatting example below shows how to add your own.

Please share any additional useful queries so I can add them to this project!

Demo

Prereqs

  • The cypher-shell command comes bundled with Neo4j, and is required for this script to function
    • If Neo4j is installed and cypher-shell is not found, you may have an outdated version of Neo4j
    • The latest version can always be found at this location
    • On Kali, upgrade to the latest version using Neo4j’s Debian repository
  • Optional: If the ssconvert command is present, the script will combine all .csv output to sheets within a .xls file
    • Install the gnumeric toolset with apt or brew to gain access to ssconvert

On Windows we recommend using WSL to run this script, while the neo4j database runs on Windows. You will just need to install the cypher-shell package in WSL (Linux).

Usage

Flags:

-u Neo4J Username (Required)
-p Neo4J Password (Required)
-d Fully Qualified Domain Name (Required) (Case Sensitive)
-a Bolt address (Optional) (Default: localhost:7687)
-t Query Timeout (Optional) (Default: 30s)
-v Verbose mode (Optional) (Default:FALSE)
-h Help text and usage example (Optional)

Example with Defaults:

./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL

Example with All Options:

./cypheroth.sh -u neo4j -p hunter2 -d BigTech.corp -a 10.0.0.1:7687 -t 5m -v true

Files are added to a subdirectory named after the FQDN.

Cypher Queries

There are nearly 60 queries in the script currently. This is a sample of the information you’ll receive:

  • Full User Property List
  • Full Computer Property List
  • Full Domain Property List
  • Full OU Property List
  • Full GPO Property List
  • Full Group Property List
  • Computers with Admins
  • Computers without Admins
  • Kerberoastable users and computers where they are admins

To add additional queries, edit the queries array within cypheroth.sh and add a line using the following format:

Description;Cypher Query;Output File

If adding a query that requires the Domain value to be set, save it as $DOMAIN.

  • Example 1:

All Usernames;MATCH (u:User) RETURN u.name;usernames.csv

  • Example 2:

All Domain Admins;MATCH (u:User) MATCH (g:Group {name:’DOMAIN ADMINS@$DOMAIN’}) RETURN u.displayname;domainAdmins.csv

Analyze Several Domains

If you need to analyze several domains, you can run multiple instances of Cypheroth in parallel with each one working on its domain. You can use the following script for example (10 in parallel).

#!/usr/bin/env bash
DOMAINS=(domA.example.net domB.example.net […])
parallel -j10 –lb ./cypheroth.sh -d {} ::: “${DOMAINS[@]}”

Troubleshooting

If you are running an outdated version of cypher-shell you may receive the following error:

DateTime is not supported as a return type in Bolt protocol version
1. Please make sure driver supports at least protocol version
2. Driver upgrade is most likely required.

To fix, update Neo4j to the latest version.

Credit: Chris Farrell (@seajay)

Acknowledgments

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

21 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

21 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago