CravateRouge / autobloody

Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound
MIT License
389 stars 45 forks

Receiving the following error when running autobloody #3

Open hemvashi94 opened 10 months ago

hemvashi94 commented 10 months ago

[*] Connection to Neo4j
[*] No proxy detected
Traceback (most recent call last):
  File "/usr/local/bin/autobloody", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/autobloody/main.py", line 82, in main
    path_dict = pathgen(args)
                ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/autobloody/main.py", line 101, in pathgen
    db = database.Database(args.dburi, args.dbuser, args.dbpassword)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/autobloody/database.py", line 9, in __init__
    self._prepareDb()
  File "/usr/local/lib/python3.11/dist-packages/autobloody/database.py", line 24, in _prepareDb
    session.write_transaction(self._createGraph)
  File "/usr/lib/python3/dist-packages/neo4j/_meta.py", line 81, in inner
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/session.py", line 763, in write_transaction
    return self._run_transaction(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/session.py", line 491, in _run_transaction
    result = transaction_function(tx, *args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/autobloody/database.py", line 75, in _createGraph
    graph_exists = tx.run("RETURN gds.graph.exists('autobloody')").single()[0]
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/transaction.py", line 152, in run
    result._tx_ready_run(query, parameters)
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/result.py", line 115, in _tx_ready_run
    self._run(query, parameters, None, None, None, None)
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/result.py", line 161, in _run
    self._attach()
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/result.py", line 269, in _attach
    self._connection.fetch_message()
  File "/usr/lib/python3/dist-packages/neo4j/_sync/io/_common.py", line 180, in inner
    func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/neo4j/_sync/io/_bolt.py", line 659, in fetch_message
    res = self._process_message(tag, fields)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/io/_bolt4.py", line 326, in _process_message
    response.on_failure(summary_metadata or {})
  File "/usr/lib/python3/dist-packages/neo4j/_sync/io/_common.py", line 247, in on_failure
    raise Neo4jError.hydrate(**metadata)
neo4j.exceptions.CypherSyntaxError: {code: Neo.ClientError.Statement.SyntaxError} {message: Unknown function 'gds.graph.exists' (line 1, column 8 (offset: 7))
"RETURN gds.graph.exists(("autobloody")) AS gds.graph.exists('autobloody')"
        ^}

DrorDvash commented 4 months ago

same for me. any updates @CravateRouge?

CravateRouge commented 4 months ago

Hello DrorDvash, can you type this in your neo4j browser RETURN gds.version(); and give me the output?

shahzaibak96 commented 4 months ago

@CravateRouge I am also having the same error as mentioned above. The output of the command you have asked for is here

image

DrorDvash commented 4 months ago

> Hello DrorDvash, can you type this in your neo4j browser RETURN gds.version(); and give me the output?

like @shahzaibak96. so clearly we do not have GDS library installed on neo4j.

Unknown function 'gds.version' (line 1, column 8 (offset: 7))
"RETURN `gds`.`version`() AS `gds.version()`"
        ^

image

CravateRouge commented 4 months ago

It's because the GDS library is not installed in your neo4j setup. Here is the guide to install it, it is also mentioned in the dependencies of the README.

CravateRouge commented 4 months ago

As

> @CravateRouge I am also having the same error as mentioned above. The output of the command you have asked for is here

image

As gds.version() does return an error it seems gds is not correctly installed. See https://neo4j.com/docs/graph-data-science/current/installation/#_verifying_the_installation and verify you have correctly made every step.

DrorDvash commented 4 months ago

so GDS is installed, now i get a different error image

≫ python3 autobloody.py -u adfs_svc -p 'XXXX' --host 192.168.20.10 -du 'neo4j' -dp 'bloodhound' -ds 'MARK@0X0SECURITY.LOCAL' -dt '0X0SECURITY.LOCAL' -d 0x0security.local
[*] Connection to Neo4j
[*] No proxy detected
Traceback (most recent call last):
  File "/root/Tools/autobloody/autobloody.py", line 6, in <module>
    main.main()
  File "/root/Tools/autobloody/autobloody/main.py", line 82, in main
    path_dict = pathgen(args)
                ^^^^^^^^^^^^^
  File "/root/Tools/autobloody/autobloody/main.py", line 103, in pathgen
    path = db.getPrivescPath(args.dbsource, args.dbtarget)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/Tools/autobloody/autobloody/database.py", line 13, in getPrivescPath
    relationships = session.read_transaction(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_meta.py", line 81, in inner
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/session.py", line 664, in read_transaction
    return self._run_transaction(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/neo4j/_sync/work/session.py", line 491, in _run_transaction
    result = transaction_function(tx, *args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/Tools/autobloody/autobloody/database.py", line 95, in _findShortestPath
    return result.single()[0].relationships
           ~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable

CravateRouge commented 4 months ago

@DrorDvash it seems you have no path exploitable from MARK@0X0SECURITY.LOCAL to 0X0SECURITY.LOCAL. Can you show me a screenshot of the path between those two edges if you think it's a path exploitable by autobloody?

DrorDvash commented 4 months ago

> @DrorDvash it seems you have no path exploitable from MARK@0X0SECURITY.LOCAL to 0X0SECURITY.LOCAL. Can you show me a screenshot of the path between those two edges if you think it's a path exploitable by autobloody?

I was just testing out the tool, currently loaded a small domain from HTB in my BH. so you're saying there is no path exploitable between them -> maybe print a message about it.

I'll check it once again i have more data in my BH. how the tool auto exploit a path? let's say i have writeDACL or something like that. what is going to happen?

CravateRouge commented 4 months ago

> so you're saying there is no path exploitable between them -> maybe print a message about it.

So you're saying there is room for improvement -> maybe make a contribution if you want to have a better tool.

> I'll check it once again i have more data in my BH.

autobloody is based on data ingested in BH. If you don't have the data in BH, autobloody will have no data to work on.

> how the tool auto exploit a path? let's say i have writeDACL or something like that. what is going to happen?

autobloody will perform exploitations described in the "Abuse Info" of each edge documented in the bloodhound documentation. e.g. WriteDACL abuse info
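
Added example, not part of the thread and not autobloody's own code: a sketch of how the two failures reported above (missing GDS plugin, and `single()` returning None when no path exists) can be turned into clear messages instead of tracebacks. The function names, `PreflightError`, the `path_query` placeholder and the fake transaction classes are assumptions made for illustration; the stand-ins only mimic the `run(...).single()` shape seen in the tracebacks.

```python
class PreflightError(RuntimeError):
    """Raised with an actionable message instead of a raw driver traceback."""

def first_value(tx, query, **params):
    # single() returns None when the query yields no rows, so guard before
    # indexing (the thread's TypeError comes from indexing that None).
    record = tx.run(query, **params).single()
    return None if record is None else record[0]

def require_gds(tx):
    """Return the GDS version, or fail clearly if the plugin is absent."""
    try:
        return first_value(tx, "RETURN gds.version()")
    except Exception as exc:  # the driver raises CypherSyntaxError here
        if "Unknown function 'gds." in str(exc):
            raise PreflightError("Neo4j GDS plugin is not installed or not loaded") from exc
        raise

def path_relationships(tx, path_query, source, target):
    """path_query is a placeholder for the tool's own shortest-path Cypher."""
    path = first_value(tx, path_query, source=source, target=target)
    if path is None:
        raise PreflightError(f"No path from {source} to {target} in the BloodHound data")
    return path.relationships

# --- constructed stand-ins for a neo4j transaction, so this runs offline ---
class FakeResult:
    def __init__(self, rows): self.rows = rows
    def single(self): return self.rows[0] if self.rows else None

class FakeTx:
    def __init__(self, gds_installed, rows):
        self.gds_installed, self.rows = gds_installed, rows
    def run(self, query, **params):
        if "gds." in query and not self.gds_installed:
            raise Exception("Unknown function 'gds.version' (line 1, column 8 (offset: 7))")
        if "gds.version" in query:
            return FakeResult([["2.x-constructed"]])
        return FakeResult(self.rows)

def demo():
    outcomes = []
    for tx in (FakeTx(False, []), FakeTx(True, [])):
        try:
            require_gds(tx)
            path_relationships(tx, "<shortest-path query>",
                               "MARK@0X0SECURITY.LOCAL", "0X0SECURITY.LOCAL")
        except PreflightError as err:
            outcomes.append(str(err))
    return outcomes

if __name__ == "__main__":
    print("\n".join(demo()))
```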