v0.2.1

added bloodhound support

Author: crosscutsaw

README.md

@@ -1,10 +1,12 @@
 
-## about revealhashed-python v0.1.4
+
+## about revealhashed-python v0.2.1
 revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.  
 
 ## dependencies  
 hashcat  
 impacket or python3-impacket  
+neo4j  
 
 ## how to install
 from pypi:  
@@ -14,17 +16,17 @@ from github:
 `pipx install git+https://github.com/crosscutsaw/revealhashed-python`  
 
 from deb package:  
-`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed_0.1.4_all.deb; apt install ./revealhashed_0.1.4_all.deb`  
+`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed_0.2.1_all.deb; apt install ./revealhashed_0.2.1_all.deb`  
 
 from whl package:  
-`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed-0.1.4-py3-none-any.whl; pipx install revealhashed-0.1.4-py3-none-any.whl`  
+`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed-0.2.1-py3-none-any.whl; pipx install revealhashed-0.2.1-py3-none-any.whl`  
 
 ## don't want to install?
 grab revealhashed binary from [here](https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed).  
 
 ## how to use
 ```
-revealhashed v0.1.4
+revealhashed v0.2.1
 
 usage: revealhashed [-h] [-r] {dump,reveal} ...
 
@@ -42,26 +44,50 @@ just execute `revealhashed -r` to remove contents of ~/.revealhashed
 
 ### revealhashed dump
 ```
-revealhashed v0.1.4
+revealhashed v0.2.1
+
+usage: revealhashed dump [-h] [-debug] [-hashes HASHES] [-no-pass] [-k] [-aesKey AESKEY] [-dc-ip DC_IP] [-codec CODEC] -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD] target
+
+positional arguments:
+  target                Target for NTDS dumping (e.g. domain/user:pass@host)
 
-usage: revealhashed dump [-h] [-debug] [-hashes HASHES] [-no-pass] [-k] [-aesKey AESKEY] [-dc-ip DC_IP] [-codec CODEC] -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...] [-e] [-nd] [-csv] target
+options:
+  -h, --help            show this help message and exit
+  -debug
+  -hashes HASHES
+  -no-pass
+  -k
+  -aesKey AESKEY
+  -dc-ip DC_IP
+  -codec CODEC
+  -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...], --wordlists WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]
+                        Wordlists to use with hashcat
+  -e, --enabled-only    Only show enabled accounts
+  -nd, --no-domain      Don't display domain in usernames
+  -csv                  Save output in CSV format
+  -bh                   Mark cracked users as owned in BloodHound
+  --dburi DBURI         BloodHound Neo4j URI
+  --dbuser DBUSER       BloodHound Neo4j username
+  --dbpassword DBPASSWORD
+                        BloodHound Neo4j password
 ```
 
 this command executes [zblurx's ntdsutil.py](https://github.com/zblurx/ntdsutil.py) to dump ntds safely then does classic revealhashed operations.  
 
 -w (wordlist) switch is needed. one or more wordlists can be supplied.    
--e (enabled-only) switch is suggested. it's self explanatory; only shows enabled users.  
+-e (enabled-only) switch is suggested. it's only shows enabled users.  
 -nd (no-domain) switch hides domain names in usernames.  
--csv (csv) switch is self explanatory; saves output to csv, together with txt.  
+-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, `--dburi`, `--dbuser` and `--dbpassword` are also needed to connect neo4j database. it supports both legacy and ce.  
+-csv (csv) switch saves output to csv, together with txt.  
 
 for example:  
-`revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv`
+`revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv -bh --dburi bolt://localhost:7687 --dbuser neo4j --dbpassword 1234`
 
 ### revealhashed reveal
 ```
-revealhashed v0.1.4
+revealhashed v0.2.1
 
-usage: revealhashed reveal [-h] [-ntds NTDS] [-nxc] [-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]] [-e] [-nd] [-csv]
+usage: revealhashed reveal [-h] [-ntds NTDS] [-nxc] [-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD]
 
 options:
   -h, --help            show this help message and exit
@@ -72,6 +98,11 @@ options:
   -e, --enabled-only    Only show enabled accounts
   -nd, --no-domain      Don't display domain in usernames
   -csv                  Save output in CSV format
+  -bh                   Mark cracked users as owned in BloodHound
+  --dburi DBURI         BloodHound Neo4j URI
+  --dbuser DBUSER       BloodHound Neo4j username
+  --dbpassword DBPASSWORD
+                        BloodHound Neo4j password
   ```
 
 this command wants to get supplied with ntds file by user or netexec then does classic revealhashed operations.  
@@ -80,9 +111,10 @@ this command wants to get supplied with ntds file by user or netexec then does c
 
 -ntds or -nxc switch is needed. -ntds switch is for a file you own with hashes. -nxc switch is for scanning ~/.nxc/logs/ntds directory then selecting .ntds file.  
 -w (wordlist) switch is needed. one or more wordlists can be supplied.  
--e (enabled-only) switch is suggested. it's self explanatory; only shows enabled users.  
+-e (enabled-only) switch is suggested. it's only shows enabled users.  
 -nd (no-domain) switch hides domain names in usernames.  
--csv (csv) switch is self explanatory; saves output to csv, together with txt.  
+-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, `--dburi`, `--dbuser` and `--dbpassword` are also needed to connect neo4j database. it supports both legacy and ce.  
+-csv (csv) switch saves output to csv, together with txt.  
 
 for example:  
 `revealhashed reveal -ntds <ntds_file>.ntds -w wordlist1.txt -e -nd -csv`  
@@ -96,3 +128,5 @@ for example:
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp3.PNG)
 
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp4.PNG)
+
+![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp5.PNG)

pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "revealhashed"
-version = "0.1.4"
+version = "0.2.1"
 description = "Dump or analyze existing NTDS data, crack NT hashes with hashcat and match them to their corresponding user accounts."
 authors = [{ name = "aslan emre aslan", email = "emre@zurrak.com" }]
 license = { text = "MIT" }
 readme = "README.md"
 requires-python = ">=3.7"
-dependencies = ["impacket"]
+dependencies = ["impacket","neo4j"]
 
 [project.scripts]
 revealhashed = "revealhashed.__main__:main"

revealhashed/__init__.py

@@ -1 +1 @@
-__version__ = "0.1.0"
+__version__ = "0.2.1"

revealhashed/core.py

@@ -22,6 +22,10 @@
 # ntds class
 from impacket.examples.secretsdump import NTDSHashes, LocalOperations
 
+# neo4j
+from neo4j import Auth, GraphDatabase
+from neo4j.exceptions import ServiceUnavailable
+
 # constants
 HOME = Path.home()
 TMP_DIR = HOME / ".revealhashed"
@@ -60,6 +64,10 @@ def parse_args():
     dump_parser.add_argument("-e", "--enabled-only", action="store_true", help="Only show enabled accounts")
     dump_parser.add_argument('-nd', '--no-domain', action='store_true', help="Don't display domain in usernames")
     dump_parser.add_argument('-csv', action='store_true', help="Save output in CSV format")
+    dump_parser.add_argument('-bh', action='store_true', help="Mark cracked users as owned in BloodHound")
+    dump_parser.add_argument('--dburi', help='BloodHound Neo4j URI')
+    dump_parser.add_argument('--dbuser', help='BloodHound Neo4j username')
+    dump_parser.add_argument('--dbpassword', help='BloodHound Neo4j password')
     # do not include -outputdir
 
     # subparser: reveal
@@ -70,7 +78,10 @@ def parse_args():
     reveal_parser.add_argument("-e", "--enabled-only", action="store_true", help="Only show enabled accounts")
     reveal_parser.add_argument('-nd', '--no-domain', action='store_true', help="Don't display domain in usernames")
     reveal_parser.add_argument('-csv', action='store_true', help="Save output in CSV format")
-
+    reveal_parser.add_argument('-bh', action='store_true', help="Mark cracked users as owned in BloodHound")
+    reveal_parser.add_argument('--dburi', help='BloodHound Neo4j URI')
+    reveal_parser.add_argument('--dbuser', help='BloodHound Neo4j username')
+    reveal_parser.add_argument('--dbpassword', help='BloodHound Neo4j password')
     return parser
 
 def reset_tmp_dir():
@@ -87,6 +98,76 @@ def create_session_dir():
     session_path.mkdir(parents=True, exist_ok=True)
     return session_path
 
+def mark_bloodhound_owned(txt_file_path, dburi, dbuser, dbpassword):
+    try:
+        driver = GraphDatabase.driver(dburi, auth=Auth(scheme="basic", principal=dbuser, credentials=dbpassword))
+        driver.verify_connectivity()
+        print(f"\n{BOLD_GREEN}[+]{RESET} Connected to BloodHound Neo4j database at {dburi} as {dbuser}\n")
+
+        # infer domain from first valid user line
+        inferred_domain = None
+        with open(txt_file_path) as f:
+            for line in f:
+                if "<no password>" in line:
+                    continue
+                parts = line.strip().split()
+                if not parts:
+                    continue
+                user_field = parts[0]
+                if "\\" in user_field:
+                    inferred_domain = user_field.split("\\", 1)[0].upper()
+                    break
+
+        with driver.session() as session:
+            with open(txt_file_path) as f:
+                for line in f:
+                    if "<no password>" in line:
+                        continue
+                    parts = line.strip().split()
+                    if not parts:
+                        continue
+
+                    user_field = parts[0]
+                    if "\\" in user_field:
+                        domain, user = user_field.split("\\", 1)
+                    else:
+                        user = user_field
+                        domain = inferred_domain or ""
+
+                    is_computer = user.endswith("$")
+                    if is_computer:
+                        user = user.rstrip("$")
+                        full_name = f"{user}.{domain}".upper()
+                        label = "Computer"
+                    else:
+                        full_name = f"{user}@{domain}".upper()
+                        label = "User"
+
+                    # try marking as owned
+                    query = f"MATCH (c:{label} {{name:'{full_name}'}}) RETURN c.owned AS owned"
+                    result = session.run(query).data()
+
+                    if not result:
+                        print(f"{BOLD_RED}[-]{RESET} Node {full_name} not found in BloodHound")
+                        continue
+
+                    if result[0]["owned"] is True:
+                        print(f"{BOLD_GREEN}[+]{RESET} {full_name} already marked as owned")
+                        continue
+
+                    update_query = f"MATCH (c:{label} {{name:'{full_name}'}}) SET c.owned=true RETURN c.name AS name"
+                    update_result = session.run(update_query).data()
+
+                    if update_result:
+                        print(f"{BOLD_GREEN}[+]{RESET} Marked {full_name} as owned in BloodHound")
+                    else:
+                        print(f"{BOLD_RED}[-]{RESET} Failed to mark {full_name} as owned in BloodHound")
+
+    except ServiceUnavailable:
+        print(f"{BOLD_RED}[-]{RESET} BloodHound DB unreachable at {dburi}")
+    except Exception as e:
+        print(f"{BOLD_RED}[-]{RESET} Error while marking BloodHound: {e}")
+
 def extract_unique_hashes(ntds_path, output_path, full_output_path, write_full_output=True):
     print(f"{BOLD_GREEN}[+]{RESET} Extracting unique NT hashes from: {ntds_path}")
     seen_hashes = set()
@@ -199,7 +280,7 @@ def reveal_credentials(individual_ntds_path, cracked_hashes, session_dir, enable
         print(f"{BOLD_GREEN}[+]{RESET} Output saved to {output_file_csv}")
 
 def main():
-    print(f"\n{BOLD_BLUE}revealhashed v0.1.4{RESET}\n")
+    print(f"\n{BOLD_BLUE}revealhashed v0.2.1{RESET}\n")
 
     parser = parse_args()
     args = parser.parse_args()
@@ -289,6 +370,8 @@ def main():
             shutil.copy(HASHCAT_POT, session_dir)
         cracked = parse_potfile(HASHCAT_POT)
         reveal_credentials(ind_path, cracked, session_dir, enabled_only=args.enabled_only, no_domain=args.no_domain, to_csv=args.csv)
+        if getattr(args, "bh", False):
+            mark_bloodhound_owned(session_dir / "revealhashed.txt", args.dburi, args.dbuser, args.dbpassword)
 
     elif args.command == "reveal":
         if args.nxc:
@@ -340,11 +423,13 @@ def main():
             shutil.copy(HASHCAT_POT, session_dir)
         cracked = parse_potfile(HASHCAT_POT)
         reveal_credentials(ind_path, cracked, session_dir, enabled_only=args.enabled_only, no_domain=args.no_domain, to_csv=args.csv)
+        if getattr(args, "bh", False):
+            mark_bloodhound_owned(session_dir / "revealhashed.txt", args.dburi, args.dbuser, args.dbpassword)
 
 if __name__ == "__main__":
     main()
 
-# revealhashed v0.1.4
+# revealhashed v0.2.1
 # 
 # contact options
 # mail: https://blog.zurrak.com/contact.html