Unsafe usage of highly privileged accounts#

Authenticating with a highly privileged account

Background#

Pre-requisites#

Risks#

How to check for#

To find where privileged accounts are logged on, run SharpHound's session collection in a loop so that short-lived sessions are picked up as well. A session is a point-in-time observation: a single run only shows who was logged on at that moment.

Collect new sessions every 10 minutes for 5 hours:
Invoke-BloodHound -CollectionMethod Session -Loop -LoopInterval 00:10:00 -LoopDuration 05:00:00

After importing the SharpHound results into BloodHound, run the following Cypher queries to see where users with AdminCount set have sessions. The first returns the full Computer-HasSession->User paths for the graph view; the second returns only the users. Note that admincount is sticky: AdminSDHolder sets it and does not clear it when an account leaves a protected group, so treat hits as candidates and confirm current group membership before reporting.

MATCH p=(c:Computer)-[r:HasSession]->(n:User {admincount : true}) RETURN p
MATCH (c:Computer)-[r:HasSession]->(n:User {admincount : true}) RETURN n

The result can be written to a comma-separated text file by piping the query into cypher-shell with plain output (strings are returned double-quoted):

echo "MATCH (c:Computer)-[r:HasSession]->(n:User {admincount : true}) RETURN n.name, c.name;" | /usr/share/neo4j/bin/cypher-shell -u neo4j -p <NEO4J_PASSWORD> --format plain > res.txt

If you don't want to single out which users have used their admin accounts insecurely but want every session, drop the admincount filter:

echo "MATCH (c:Computer)-[r:HasSession]->(n:User) RETURN n.name, c.name;" | /usr/share/neo4j/bin/cypher-shell -u neo4j -p <NEO4J_PASSWORD> --format plain > res.txt

If you are using latex-utils, the output can be piped straight into latex-convert-csv:

echo "MATCH (c:Computer)-[r:HasSession]->(n:User {admincount : true}) RETURN n.name, c.name;" | /usr/share/neo4j/bin/cypher-shell -u neo4j -p <NEO4J_PASSWORD> --format plain | latex-convert-csv

How to exploit#

Recommendation#

References#