
BloodhoundCE owned new tag

Open derekkddj opened this issue 7 months ago • 8 comments

Description

The new BloodhoundCE uses a system_tags field to mark whether a user or computer is owned. This tag is also used for "high value" targets.

Type of change

Please delete options that are not relevant.

  • [x] Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Python 3.10.12, BloodhoundCE 7.1.0. I tested in my local environment but with production data. The only problem is that you cannot set the node as "not owned" from the web interface, but this seems to be a problem with BloodhoundCE, not with NetExec.

Screenshots (if appropriate):

No screenshot, the data is in production.

Checklist:

  • [ ] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [ ] I have added or updated the tests/e2e_commands.txt file if necessary
  • [ ] New and existing e2e tests pass locally with my changes
  • [x] My code follows the style guidelines of this project (should be covered by Ruff above)
  • [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

derekkddj avatar Mar 26 '25 11:03 derekkddj

Thanks for the PR! Gonna take a look at it soon

NeffIsBack avatar Mar 26 '25 17:03 NeffIsBack

After the PR I opened a bug in BloodhoundCE, and they told me that this method of updating the owned tag via a direct connection to Neo4J is not supported: https://github.com/SpecterOps/BloodHound/issues/1276#issuecomment-2755154706 We should use the API of BloodhoundCE.

derekkddj avatar Mar 27 '25 07:03 derekkddj

Hi, thanks for the PR.

I can confirm the inconsistency between the database and the UI: image

And it doesn't surprise me they don't support messing with the database under the hood :D But talking to the BloodHound API is likely much more complex and would require either logging in on every request or maintaining state between NetExec runs (due to the API token), which is not really feasible. Imo we should take a look at what the API call does under the hood to the database and mimic this behavior. Would probably be the easiest solution.

NeffIsBack avatar Mar 30 '25 12:03 NeffIsBack

This is expected as the package we are using doesn't support bloodhound CE, only legacy BH is supported

mpgn avatar Mar 30 '25 13:03 mpgn

Hi, thanks for the PR.

I can confirm the inconsistency between the database and the UI: image

And it doesn't surprise me they don't support messing with the database under the hood :D But talking to the BloodHound API is likely much more complex and would require either logging in on every request or maintaining state between NetExec runs (due to the API token), which is not really feasible. Imo we should take a look at what the API call does under the hood to the database and mimic this behavior. Would probably be the easiest solution.

Yes, looking at the changes in the database made by BloodHound would be perfect; maybe I will check this when I have time. At least changing the tags in the database directly allows the queries in BloodHoundCE to work, like "shortest path from owned...".

derekkddj avatar Mar 31 '25 07:03 derekkddj

I think accessing the database directly would be rather fragile. One change by the BHCE developers and it breaks apart. The API is exactly intended for the integration between BloodHound and external tools like NetExec. Additional reason: In the long term, they plan to remove Neo4j and instead Postgres (with a Cypher adapter) should be used even as the graph database.

So a clean solution would be to use the API, but yes, this is probably more work. It does not necessarily require you to login on every request or to maintain state. Currently, you already use a config file for BloodHound (or rather Neo4j) access data. This could (in a BHCE mode) take an API token the user puts in the file instead of a password. API tokens can be generated on the BHCE user settings page.

In general, feel free to copy relevant portions of the code from my Python tool bhcli. (or try to use it as a library?) I think you are mostly interested in:

exploide avatar Apr 18 '25 13:04 exploide
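To make the token-based approach concrete, here is an added example (my own code, not NetExec's and not bhcli's) of what "an API token in the config file instead of a password" could look like on the client side. The chained HMAC-SHA256 request signing follows the published BloodHound CE API documentation as I understand it; the `[bloodhound]` config layout, the `SAMPLE_CONFIG` contents and the use of the `/api/v2/self` endpoint for the demonstration are assumptions I constructed for illustration. Because every request is signed with the stored token key, no session cookie or login state has to survive between runs.

```python
"""Added example: authenticating BloodHound CE API requests with a stored API
token (HMAC-SHA256 request signing), so a tool can call the API on each run
without an interactive login and without persisting session state.

Assumptions (constructed for this example): the signing scheme mirrors the
BloodHound CE API docs as understood here; the config-file layout and the
token values are hypothetical placeholders.
"""
import base64
import configparser
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed sample config: a BHCE-mode config carries a token pair instead of
# a Neo4j password. Values are placeholders, not real credentials.
SAMPLE_CONFIG = """
[bloodhound]
base_url = http://localhost:8080
token_id = 00000000-0000-0000-0000-000000000000
token_key = EXAMPLE_TOKEN_KEY_PLACEHOLDER
"""


def load_api_credentials(config_text: str) -> dict:
    """Parse the hypothetical [bloodhound] section into a credentials dict."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = parser["bloodhound"]
    return {
        "base_url": section["base_url"].rstrip("/"),
        "token_id": section["token_id"],
        "token_key": section["token_key"],
    }


def sign_request(token_id: str, token_key: str, method: str, uri: str,
                 body: Optional[bytes] = None,
                 request_date: Optional[str] = None) -> dict:
    """Return the headers that authenticate one BHCE API request.

    Three HMAC-SHA256 operations are chained, each keyed with the previous
    digest: (1) token key over METHOD+URI, (2) over the RFC 3339 request date
    truncated to the hour, (3) over the raw body, if any. The server recomputes
    the same chain from the stored token key, so the key never goes on the wire.
    """
    if request_date is None:
        request_date = datetime.now(timezone.utc).isoformat("T")
    digester = hmac.new(token_key.encode(), digestmod=hashlib.sha256)
    digester.update(f"{method.upper()}{uri}".encode())
    digester = hmac.new(digester.digest(), digestmod=hashlib.sha256)
    # Only the first 13 characters (YYYY-MM-DDTHH) are signed: a signature is
    # bound to the clock hour it was produced in, limiting replay.
    digester.update(request_date[:13].encode())
    digester = hmac.new(digester.digest(), digestmod=hashlib.sha256)
    if body:
        digester.update(body)
    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(digester.digest()).decode(),
        "Content-Type": "application/json",
    }


def demo() -> dict:
    """Sign a few constructed requests and report the properties worth checking."""
    creds = load_api_credentials(SAMPLE_CONFIG)
    tid, key = creds["token_id"], creds["token_key"]
    a = sign_request(tid, key, "GET", "/api/v2/self",
                     request_date="2025-03-26T11:03:00+00:00")
    # Same hour, different minute: the signed date prefix is identical.
    b = sign_request(tid, key, "GET", "/api/v2/self",
                     request_date="2025-03-26T11:59:59+00:00")
    # Next hour: the signature must change even with identical method and URI.
    c = sign_request(tid, key, "GET", "/api/v2/self",
                     request_date="2025-03-26T12:00:00+00:00")
    # A body is folded into the third HMAC stage.
    d = sign_request(tid, key, "POST", "/api/v2/self", body=b'{"k": 1}',
                     request_date="2025-03-26T11:03:00+00:00")
    return {
        "authorization": a["Authorization"],
        "same_hour_same_signature": a["Signature"] == b["Signature"],
        "next_hour_differs": a["Signature"] != c["Signature"],
        "body_changes_signature": a["Signature"] != d["Signature"],
        "signature_bytes": len(base64.b64decode(a["Signature"])),
        "url": f"{creds['base_url']}/api/v2/self",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The headers returned by `sign_request` are what an HTTP client would attach to each call; the request path for marking a node as owned is deliberately not shown, since the point here is only that a token stored alongside the existing Neo4j settings is enough to authenticate every request statelessly.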

@exploide well, in the long run you might be right. Switching to the API is probably the best idea.

@derekkddj Thanks for the work! I will check it out how it works soon!

NeffIsBack avatar Apr 26 '25 16:04 NeffIsBack

@exploide well, in the long run you might be right. Switching to the API is probably the best idea.

@derekkddj Thanks for the work! I will check it out how it works soon!

I just copy-pasted the brilliant API code of @exploide.

derekkddj avatar Apr 27 '25 18:04 derekkddj