Command line tool for analyzing .json files generated by bloodhound.py or sharphound for use in Bloodhound.
Bloodhound itself is an awesome information gathering tool both for security audit and penetration testing purposes; however, it has some heavy-weight dependencies (Java and Neo4J) and requires a GUI. So Elementary was written to provide a light-weight alternative for analyzing the same data. It requires only Python 3.5 or higher and has no additional library dependencies.
Elementary can list and describe domains, users, groups, and computers. It can also trace paths (e.g. from a user to a group) and suggest targets.
First make sure you have Python 3.5 or greater installed, such that typing python --version from the command line yields the expected results.
Then clone this repo. Really you just need elementary.py and elementary_data.py.
Then from the installation folder you can run:
python ./elementary.py <PATH>
where <PATH> is the path to the folder containing your Bloodhound json files. If you did everything correctly, the output should show you what was loaded into memory, e.g.:
Starting Bloodhound Elementary...
Loading computers...
Found 512 computers entries.
Loading domains...
Found 1 domains entries.
Loading groups...
Found 450 groups entries.
Loading users...
Found 445 users entries.
Loading sessions...
Found 312 session entries.
Type 'help' for a list of commands.
elementary>
The normal syntax for commands is VERB TYPE NAME. In most cases the NAME can be a partial, and Elementary will prompt you when more than one match is found. Use quotes when a NAME contains a space. Matching is not case sensitive.
The commands are as follows:
Describe the specified computer, domain, group, or user.
Syntax: describe <computer|domain|group|user> <name>
e.g.:
describe group "Domain Admins"
describe user bob
Exits Elementary.
Provides command description and syntax help.
List the names of a specified object type.
Syntax: list <computers|domains|groups|users> [max=<n>] [<name>]
e.g.:
list groups Admins
list domains
list computers max=30 NTSERVER
List sessions for the given item: given a user, list the computers on which that user has an active session; given a computer, list all users with active sessions on that computer.
Syntax: sessions <user|computer|group> <name>
e.g.:
sessions user bob
sessions computer ntserver123
List the top items (10 by default) by active sessions, local admin access, etc. This may be useful for finding potential targets during a penetration test, but it is also useful for audit purposes (e.g. why does bob have localadmin on 57 machines?). This command pulls the following lists:
- High Value Groups (as determined by Bloodhound)
- Users with the most active sessions
- Computers with the most active sessions
- Users with direct (i.e. not via a group) localadmin access to the most computers
Syntax: targets [<limit>]
Trace paths from one object to another. This is useful during penetration tests or analysis, e.g. given a user account, what path could an attacker use to reach the target group?
Syntax: trace <user|computer> <source> <computer|group> <target>
e.g.:
elementary> trace user bob group "enterprise Admin"
Multiple matches for 'bob'. Please select one:
0 - BOB@PROFESSIONALLYEVIL.COM
1 - BOB2@PROFESSIONALLYEVIL.COM
Which one [type number or 'q' to quit]? 0
Tracing paths from user BOB@PROFESSIONALLYEVIL.COM to group ENTERPRISE ADMINS@PROFESSIONALLYEVIL.COM (this may take a few moments)
* user BOB@PROFESSIONALLYEVIL.COM --> computer NTSERVER123.PROFESSIONALLYEVIL.COM --> user JANEADMIN@PROFESSIONALLYEVIL.COM --> group ENTERPRISE ADMINS@PROFESSIONALLYEVIL.COM
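The following is an added example, not code from Elementary itself, showing in miniature how the commands above can be computed from loaded data: the case-insensitive partial NAME matching described earlier, the ranked lists that targets reports, and a breadth-first trace from a user to a group over session, membership and direct local admin relationships. The JSON records, field names (UserName, ComputerName, Members, localadmins) and the EXAMPLE.LOCAL domain are constructed and simplified for the example; they are assumptions, not the real SharpHound schema or the project's own data model.

```python
"""Added example (not Elementary's own code): a miniature of the data model the
README describes, over constructed, simplified BloodHound-style records.
The field names here are assumptions, not the real SharpHound schema."""
import json
import shlex
from collections import Counter, deque

# Constructed sample data, reduced to the fields this example needs.
SAMPLE_JSON = json.dumps({
    "sessions": [
        {"UserName": "BOB@EXAMPLE.LOCAL", "ComputerName": "NTSERVER123.EXAMPLE.LOCAL"},
        {"UserName": "BOB@EXAMPLE.LOCAL", "ComputerName": "WS01.EXAMPLE.LOCAL"},
        {"UserName": "JANEADMIN@EXAMPLE.LOCAL", "ComputerName": "NTSERVER123.EXAMPLE.LOCAL"},
        {"UserName": "BOB2@EXAMPLE.LOCAL", "ComputerName": "WS02.EXAMPLE.LOCAL"},
    ],
    "groups": [
        {"Name": "ENTERPRISE ADMINS@EXAMPLE.LOCAL", "Members": ["JANEADMIN@EXAMPLE.LOCAL"]},
        {"Name": "DOMAIN USERS@EXAMPLE.LOCAL",
         "Members": ["BOB@EXAMPLE.LOCAL", "BOB2@EXAMPLE.LOCAL", "JANEADMIN@EXAMPLE.LOCAL"]},
    ],
    # Direct (not group-derived) local admin rights, as the targets list describes.
    "localadmins": [
        {"UserName": "BOB@EXAMPLE.LOCAL", "ComputerName": "NTSERVER123.EXAMPLE.LOCAL"},
    ],
})


def load(text):
    """Parse JSON text into a dict (stands in for reading the files under <PATH>)."""
    return json.loads(text)


def parse_command(line):
    """Split a VERB TYPE NAME line, honouring quotes around names with spaces."""
    return shlex.split(line)


def find_matches(names, partial):
    """Case-insensitive substring match for a NAME argument. Every match is returned
    so the caller can prompt the user when there is more than one."""
    needle = partial.lower()
    return sorted(n for n in names if needle in n.lower())


def top_session_users(data, limit=10):
    """Users with the most active sessions."""
    return Counter(s["UserName"] for s in data["sessions"]).most_common(limit)


def top_session_computers(data, limit=10):
    """Computers with the most active sessions."""
    return Counter(s["ComputerName"] for s in data["sessions"]).most_common(limit)


def direct_localadmin_counts(data, limit=10):
    """Users with direct local admin rights on the most computers."""
    return Counter(a["UserName"] for a in data["localadmins"]).most_common(limit)


def build_graph(data):
    """Directed edges: user -> computer (direct local admin), computer -> user (active
    session on that computer), user -> group (membership). Nodes are (type, name)."""
    edges = {}

    def add(src, dst):
        edges.setdefault(src, set()).add(dst)

    for a in data["localadmins"]:
        add(("user", a["UserName"]), ("computer", a["ComputerName"]))
    for s in data["sessions"]:
        add(("computer", s["ComputerName"]), ("user", s["UserName"]))
    for g in data["groups"]:
        for member in g["Members"]:
            add(("user", member), ("group", g["Name"]))
    return edges


def trace(data, source, target):
    """Breadth-first search for a shortest path from source to target.
    Returns the list of (type, name) nodes, or None when no path exists."""
    edges = build_graph(data)
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def format_path(path):
    """Render a path the way the trace command prints it."""
    return " --> ".join(f"{kind} {name}" for kind, name in path)


if __name__ == "__main__":
    data = load(SAMPLE_JSON)
    users = {s["UserName"] for s in data["sessions"]}
    print("tokens:", parse_command('trace user bob group "enterprise Admin"'))
    print("matches for 'bob':", find_matches(users, "bob"))
    print("top session users:", top_session_users(data, 3))
    path = trace(data, ("user", "BOB@EXAMPLE.LOCAL"), ("group", "ENTERPRISE ADMINS@EXAMPLE.LOCAL"))
    print("*", format_path(path))
```

The graph only follows relationships that grant access (direct local admin) or expose a logged-on account (a session on a machine the source administers) and then group membership, which is why BOB2, who is merely a member of Domain Users, has no path to Enterprise Admins while BOB does. A real loader would read the per-type JSON files and resolve group-derived admin rights as well.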