CrackHound - introduce plain text passwords to da hound.

This tool has a corresponding blogpost which can be found here: https://www.trustedsec.com/blog/expanding-the-hound-introducing-plaintext-field-to-compromised-accounts/

CrackHound is a way to introduce plain-text passwords into BloodHound. This allows you to upload all your cracked hashes to the Neo4j database and use it for reporting purposes (csv exports) or path finding in BloodHound using custom queries. In this repository you will find two items:

  • customqueries.json - Example Cypher queries that you can use in your BloodHound GUI. Feel free to expand upon these.
  • crackhound.py - The core of this repository. This script allows you to make the necessary edits to the Neo4j database.

Usage

                                                            CRACKHOUND - jfmaes
usage: crackhound.py [-h] -f FILE [-url URL] [-u USERNAME] [-p PASSWORD] [-plaintext] [-addpw] [-v] [-d DOMAIN] [-s]

Update bloodhound database with pwned users

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File with list of all users you have compromised. Supports DOMAIN.COM\USER:NTHASH:PASS or DOMAIN.COM\USER
  -url URL, --url URL   The neo4j url to auth to (defaults to bolt://localhost:7687)
  -u USERNAME, --username USERNAME
                        Username to login to neo4j (defaults to neo4j)
  -p PASSWORD, --password PASSWORD
                        Password to login to neo4j (defaults to bloodhound)
  -plaintext, --plain-text
                        Adds plaintext property to compromised user to help with custom queries
  -addpw, --add-password
                        Adds the actual plain text password to the bloodhound data as well
  -v, --verbose         verbose
  -d DOMAIN, --domain DOMAIN, -fqdn DOMAIN
                        The domain name of client in case its different than netbiosname. It very likely will be different. Check your
                        secretsdump for more info.
  -s, --silent          Don't show ascii art
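
The input format accepted by -f, worked through as an added example (this is not code from crackhound.py). It parses both documented line shapes, applies a -d style FQDN override, and builds a parameterized Cypher statement. Assumptions: user nodes are named USER@DOMAIN.COM, `owned` and `plaintext` are the boolean properties set, and `plaintextpassword` is a hypothetical property name.

```python
from typing import NamedTuple, Optional

HEX = set("0123456789abcdef")

class Entry(NamedTuple):
    name: str                 # BloodHound-style node name: USER@DOMAIN.COM
    nthash: Optional[str]
    password: Optional[str]

def parse_line(line, fqdn=None):
    """Parse DOMAIN.COM\\USER:NTHASH:PASS or DOMAIN.COM\\USER; None if malformed."""
    line = line.rstrip("\r\n")            # keep spaces: they may belong to the password
    if "\\" not in line:
        return None
    domain, rest = line.split("\\", 1)
    fields = rest.split(":", 2)           # maxsplit=2 keeps colons inside the password
    user, domain = fields[0].strip(), (fqdn or domain).strip()
    if not user or not domain or len(fields) == 2:
        return None                       # neither of the two documented shapes
    nthash = password = None
    if len(fields) == 3:
        nthash, password = fields[1].lower(), fields[2]
        if len(nthash) != 32 or not set(nthash) <= HEX:
            return None                   # an NT hash is 32 hex characters
    return Entry(f"{user}@{domain}".upper(), nthash, password)

def to_statement(entry, add_password=False):
    """Build (cypher, params); every value is a parameter, never query text."""
    cypher = "MATCH (u:User {name: $name}) SET u.owned = true"
    params = {"name": entry.name}
    if entry.password is not None:
        cypher += ", u.plaintext = true"
        if add_password:
            # 'plaintextpassword' is a hypothetical property name (assumption)
            cypher += ", u.plaintextpassword = $password"
            params["password"] = entry.password
    return cypher, params

# Constructed sample input, not real credentials
SAMPLE = [
    "CORP\\alice:00112233445566778899AABBCCDDEEFF:Sum:mer'1",
    "CORP\\bob",
    "line-without-domain",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        e = parse_line(raw, fqdn="corp.local")
        print(to_statement(e, add_password=True) if e else f"skipped: {raw!r}")
```

Because the password travels only in params, a quote or colon inside a cracked password cannot alter the query that reaches Neo4j.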