Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound

PyPI - Downloads

   ______                ____  __                      __
  / ____/___  ____  ____/ / / / /___  __  ______  ____/ /
 / / __/ __ \/ __ \/ __  / /_/ / __ \/ / / / __ \/ __  / 
/ /_/ / /_/ / /_/ / /_/ / __  / /_/ / /_/ / / / / /_/ /  
\____/\____/\____/\__,_/_/ /_/\____/\__,_/_/ /_/\__,_/   
                                                         

Attackers think in graphs, defenders think in actions, management think in charts.

GoodHound operationalises Bloodhound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths.

ko-fi

I'm lucky enough to do this for a living. Any donations will be passed on to my local foodbank, animal sanctuary and animal rescue centres.

Usage

Quick Start

For a very quick start with most of the default options, make sure you have your neo4j server running and loaded with SharpHound data and run:

pip install goodhound
goodhound -p "neo4jpassword"

This will process the data in neo4j and output 3 csv reports in the current working directory.

Demo

Documentation

All documentation can be found in the wiki

Acknowledgments

  • The py2neo project which makes this possible.
  • The PlumHound project which gave me the idea of creating something similar which suited my needs.
  • The aclpwn for the idea around exploit cost.
  • The Bloodhound Gang Slack channel for Cypher help.
  • The BloodHound project for changing the world and for continuing their support for the Open-Source community even when having a commercial offering.
Comments
  • Error with goodhound.py when [0] == None

    Error with goodhound.py when [0] == None

    Location: https://github.com/idnahacks/GoodHound/blob/main/goodhound.py#L185

    When I run this code, I see that I have a few entries where the group is "None". Currently, I am doing this to resolve:

    df = pd.DataFrame(allresults)
    allresults = df[~df[0].isna()].values.tolist()
    

    Error:

    sorted(allresults, key=lambda i: (i[0], -i[5]))
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    TypeError: '<' not supported between instances of 'NoneType' and 'str'
    

    Testing:

    df = pd.DataFrame(allresults)
    len(df[df[0].isna()])
    4
    
  • Password with & symbol

    Password with & symbol

    Do not use the standard neo4j password and our password contained a & symbol, the password not parsed properly from the parameters and is being seen as a command.

  • Add query to pull users with paths that do not rely on them being in a group

    Add query to pull users with paths that do not rely on them being in a group

    Individual users with a path are not captured by the groups query. While this is kind of by design as the intention is to get the most exposed (busiest) paths, these other paths can exist and should be included.

  • Add check for paths to principals that can perform DCSync

    Add check for paths to principals that can perform DCSync

    As DCSync requires both GetChanges and GetChanges all I think it needs to be a separate query to the main one,

    The script needs to look for these principals, check whether they will already by picked up by the main query and if not run a shortestpath to these principals query..

  • Bloodhound 4.1 issue with highvalue attribute

    Bloodhound 4.1 issue with highvalue attribute

    The latest version of Bloodhound (4.1) currently has a bug where it doesn't set the highvalue property for anywhere where it's not TRUE. This means the queries in GoodHound will not pull results properly.

    I'll work around this by setting it manually.

  • Bloodhound query output

    Bloodhound query output

    If the Bloodhound query output can be adjusted to show the exact path, rather than the start - end nodes this will rapidly speed up using these queries for reporting.

  • Nested group memberships

    Nested group memberships

    sometimes a path shows up twice if one group is a member of another group. An if statement to see if $group ismember of $group then break might work and might even speed up the process

com_media allowed paths that are not intended for image uploads to RCE
com_media allowed paths that are not intended for image uploads to RCE

CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs

May 6, 2022
Open Source Tool - Cybersecurity Graph Database in Neo4j

GraphKer Open Source Tool - Cybersecurity Graph Database in Neo4j |G|r|a|p|h|K|e|r| { open source tool for a cybersecurity graph database in neo4j } W

May 23, 2022
May 20, 2022
This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

F2Amapper This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to

Nov 27, 2021
DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by launching a dictionary based attack against a webserver and analyse its response.

DirBruter DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by laun

Apr 11, 2022
A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3

arp_spoof_detector A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3 Usage: git clone ht

Oct 30, 2021
SARA - Simple Android Ransomware Attack
SARA - Simple Android Ransomware Attack

SARA - Simple Android Ransomware Attack Disclaimer The author is not responsible for any issues or damage caused by this program. Features User can cu

May 11, 2022
May 14, 2022
Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

Feb 20, 2022
A (completely native) python3 wifi brute-force attack using the 100k most common passwords (2021)
A (completely native) python3 wifi brute-force attack using the 100k most common passwords (2021)

wifi-bf [LINUX ONLY] A (completely native) python3 wifi brute-force attack using the 100k most common passwords (2021) This script is purely for educa

Apr 16, 2022
Generate malicious files using recently published bidi-attack (CVE-2021-42574)
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

Dec 15, 2021
python script for hack gmail account using brute force attack
python script for hack gmail account using brute force attack

#Creator: johnry #coded by john ry GBrute python script for hack gmail account using brute force attack Commands apt update && apt upgrade git clone h

Dec 24, 2021
Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool
Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

loggef Facebook automation tool, Facebook account hacking and cloning advanced tool + dictionary attack added Warning Use this tool for educational pu

May 17, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

O365DevicePhish Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script t

Mar 5, 2022
Attack SQL Server through gopher protocol
Attack SQL Server through gopher protocol

Attack SQL Server through gopher protocol

Apr 28, 2022
Buff A simple BOF library I wrote under an hour to help me automate with BOF attack
Buff A simple BOF library I wrote under an hour to help me automate with BOF attack

What is Buff? A simple BOF library I wrote under an hour to help me automate with BOF attack. It comes with fuzzer and a generic method to generate ex

Mar 6, 2022
Implementation of an attack on a tropical algebra discrete logarithm based protocol

Implementation of an attack on a tropical algebra discrete logarithm based protocol This code implements the attack detailed in the paper: On the trop

Dec 30, 2021
Simple script for looping a Denial Of Service (DoS) attack over one single mac address in range

Bluetooth Simple Denial Of Service (DoS) Legal Note This project is made only for educational purposes and for helping in Proofs of Concept. The autho

Jan 9, 2022