Revert "v2.1"

This reverts commit 23edd20.

Author: crosscutsaw

README.md

@@ -1,12 +1,10 @@
 
-
-## about revealhashed-python v0.2.1
+## about revealhashed-python v0.1.4
 revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.  
 
 ## dependencies  
 hashcat  
 impacket or python3-impacket  
-neo4j  
 
 ## how to install
 from pypi:  
@@ -16,17 +14,17 @@ from github:
 `pipx install git+https://github.com/crosscutsaw/revealhashed-python`  
 
 from deb package:  
-`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed_0.2.1_all.deb; apt install ./revealhashed_0.2.1_all.deb`  
+`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed_0.1.4_all.deb; apt install ./revealhashed_0.1.4_all.deb`  
 
 from whl package:  
-`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed-0.2.1-py3-none-any.whl; pipx install revealhashed-0.2.1-py3-none-any.whl`  
+`wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed-0.1.4-py3-none-any.whl; pipx install revealhashed-0.1.4-py3-none-any.whl`  
 
 ## don't want to install?
 grab revealhashed binary from [here](https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed).  
 
 ## how to use
 ```
-revealhashed v0.2.1
+revealhashed v0.1.4
 
 usage: revealhashed [-h] [-r] {dump,reveal} ...
 
@@ -44,50 +42,26 @@ just execute `revealhashed -r` to remove contents of ~/.revealhashed
 
 ### revealhashed dump
 ```
-revealhashed v0.2.1
-
-usage: revealhashed dump [-h] [-debug] [-hashes HASHES] [-no-pass] [-k] [-aesKey AESKEY] [-dc-ip DC_IP] [-codec CODEC] -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD] target
-
-positional arguments:
-  target                Target for NTDS dumping (e.g. domain/user:pass@host)
+revealhashed v0.1.4
 
-options:
-  -h, --help            show this help message and exit
-  -debug
-  -hashes HASHES
-  -no-pass
-  -k
-  -aesKey AESKEY
-  -dc-ip DC_IP
-  -codec CODEC
-  -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...], --wordlists WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]
-                        Wordlists to use with hashcat
-  -e, --enabled-only    Only show enabled accounts
-  -nd, --no-domain      Don't display domain in usernames
-  -csv                  Save output in CSV format
-  -bh                   Mark cracked users as owned in BloodHound
-  --dburi DBURI         BloodHound Neo4j URI
-  --dbuser DBUSER       BloodHound Neo4j username
-  --dbpassword DBPASSWORD
-                        BloodHound Neo4j password
+usage: revealhashed dump [-h] [-debug] [-hashes HASHES] [-no-pass] [-k] [-aesKey AESKEY] [-dc-ip DC_IP] [-codec CODEC] -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...] [-e] [-nd] [-csv] target
 ```
 
 this command executes [zblurx's ntdsutil.py](https://github.com/zblurx/ntdsutil.py) to dump ntds safely then does classic revealhashed operations.  
 
 -w (wordlist) switch is needed. one or more wordlists can be supplied.    
--e (enabled-only) switch is suggested. it's only shows enabled users.  
+-e (enabled-only) switch is suggested. it's self explanatory; only shows enabled users.  
 -nd (no-domain) switch hides domain names in usernames.  
--bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, `--dburi`, `--dbuser` and `--dbpassword` are also needed to connect neo4j database. it supports both legacy and ce.  
--csv (csv) switch saves output to csv, together with txt.  
+-csv (csv) switch is self explanatory; saves output to csv, together with txt.  
 
 for example:  
-`revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv -bh --dburi bolt://localhost:7687 --dbuser neo4j --dbpassword 1234`
+`revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv`
 
 ### revealhashed reveal
 ```
-revealhashed v0.2.1
+revealhashed v0.1.4
 
-usage: revealhashed reveal [-h] [-ntds NTDS] [-nxc] [-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD]
+usage: revealhashed reveal [-h] [-ntds NTDS] [-nxc] [-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]] [-e] [-nd] [-csv]
 
 options:
   -h, --help            show this help message and exit
@@ -98,11 +72,6 @@ options:
   -e, --enabled-only    Only show enabled accounts
   -nd, --no-domain      Don't display domain in usernames
   -csv                  Save output in CSV format
-  -bh                   Mark cracked users as owned in BloodHound
-  --dburi DBURI         BloodHound Neo4j URI
-  --dbuser DBUSER       BloodHound Neo4j username
-  --dbpassword DBPASSWORD
-                        BloodHound Neo4j password
   ```
 
 this command wants to get supplied with ntds file by user or netexec then does classic revealhashed operations.  
@@ -111,10 +80,9 @@ this command wants to get supplied with ntds file by user or netexec then does c
 
 -ntds or -nxc switch is needed. -ntds switch is for a file you own with hashes. -nxc switch is for scanning ~/.nxc/logs/ntds directory then selecting .ntds file.  
 -w (wordlist) switch is needed. one or more wordlists can be supplied.  
--e (enabled-only) switch is suggested. it's only shows enabled users.  
+-e (enabled-only) switch is suggested. it's self explanatory; only shows enabled users.  
 -nd (no-domain) switch hides domain names in usernames.  
--bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, `--dburi`, `--dbuser` and `--dbpassword` are also needed to connect neo4j database. it supports both legacy and ce.  
--csv (csv) switch saves output to csv, together with txt.  
+-csv (csv) switch is self explanatory; saves output to csv, together with txt.  
 
 for example:  
 `revealhashed reveal -ntds <ntds_file>.ntds -w wordlist1.txt -e -nd -csv`  
@@ -128,5 +96,3 @@ for example:
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp3.PNG)
 
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp4.PNG)
-
-![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp5.PNG)

pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "revealhashed"
-version = "0.2.1"
+version = "0.1.4"
 description = "Dump or analyze existing NTDS data, crack NT hashes with hashcat and match them to their corresponding user accounts."
 authors = [{ name = "aslan emre aslan", email = "emre@zurrak.com" }]
 license = { text = "MIT" }
 readme = "README.md"
 requires-python = ">=3.7"
-dependencies = ["impacket","neo4j"]
+dependencies = ["impacket"]
 
 [project.scripts]
 revealhashed = "revealhashed.__main__:main"

revealhashed/__init__.py

@@ -1 +1 @@
-__version__ = "0.2.1"
+__version__ = "0.1.0"

revealhashed/core.py

@@ -22,10 +22,6 @@
 # ntds class
 from impacket.examples.secretsdump import NTDSHashes, LocalOperations
 
-# neo4j
-from neo4j import Auth, GraphDatabase
-from neo4j.exceptions import ServiceUnavailable
-
 # constants
 HOME = Path.home()
 TMP_DIR = HOME / ".revealhashed"
@@ -64,10 +60,6 @@ def parse_args():
     dump_parser.add_argument("-e", "--enabled-only", action="store_true", help="Only show enabled accounts")
     dump_parser.add_argument('-nd', '--no-domain', action='store_true', help="Don't display domain in usernames")
     dump_parser.add_argument('-csv', action='store_true', help="Save output in CSV format")
-    dump_parser.add_argument('-bh', action='store_true', help="Mark cracked users as owned in BloodHound")
-    dump_parser.add_argument('--dburi', help='BloodHound Neo4j URI')
-    dump_parser.add_argument('--dbuser', help='BloodHound Neo4j username')
-    dump_parser.add_argument('--dbpassword', help='BloodHound Neo4j password')
     # do not include -outputdir
 
     # subparser: reveal
@@ -78,10 +70,7 @@ def parse_args():
     reveal_parser.add_argument("-e", "--enabled-only", action="store_true", help="Only show enabled accounts")
     reveal_parser.add_argument('-nd', '--no-domain', action='store_true', help="Don't display domain in usernames")
     reveal_parser.add_argument('-csv', action='store_true', help="Save output in CSV format")
-    reveal_parser.add_argument('-bh', action='store_true', help="Mark cracked users as owned in BloodHound")
-    reveal_parser.add_argument('--dburi', help='BloodHound Neo4j URI')
-    reveal_parser.add_argument('--dbuser', help='BloodHound Neo4j username')
-    reveal_parser.add_argument('--dbpassword', help='BloodHound Neo4j password')
+
     return parser
 
 def reset_tmp_dir():
@@ -98,76 +87,6 @@ def create_session_dir():
     session_path.mkdir(parents=True, exist_ok=True)
     return session_path
 
-def mark_bloodhound_owned(txt_file_path, dburi, dbuser, dbpassword):
-    try:
-        driver = GraphDatabase.driver(dburi, auth=Auth(scheme="basic", principal=dbuser, credentials=dbpassword))
-        driver.verify_connectivity()
-        print(f"\n{BOLD_GREEN}[+]{RESET} Connected to BloodHound Neo4j database at {dburi} as {dbuser}\n")
-
-        # infer domain from first valid user line
-        inferred_domain = None
-        with open(txt_file_path) as f:
-            for line in f:
-                if "<no password>" in line:
-                    continue
-                parts = line.strip().split()
-                if not parts:
-                    continue
-                user_field = parts[0]
-                if "\\" in user_field:
-                    inferred_domain = user_field.split("\\", 1)[0].upper()
-                    break
-
-        with driver.session() as session:
-            with open(txt_file_path) as f:
-                for line in f:
-                    if "<no password>" in line:
-                        continue
-                    parts = line.strip().split()
-                    if not parts:
-                        continue
-
-                    user_field = parts[0]
-                    if "\\" in user_field:
-                        domain, user = user_field.split("\\", 1)
-                    else:
-                        user = user_field
-                        domain = inferred_domain or ""
-
-                    is_computer = user.endswith("$")
-                    if is_computer:
-                        user = user.rstrip("$")
-                        full_name = f"{user}.{domain}".upper()
-                        label = "Computer"
-                    else:
-                        full_name = f"{user}@{domain}".upper()
-                        label = "User"
-
-                    # try marking as owned
-                    query = f"MATCH (c:{label} {{name:'{full_name}'}}) RETURN c.owned AS owned"
-                    result = session.run(query).data()
-
-                    if not result:
-                        print(f"{BOLD_RED}[-]{RESET} Node {full_name} not found in BloodHound")
-                        continue
-
-                    if result[0]["owned"] is True:
-                        print(f"{BOLD_GREEN}[+]{RESET} {full_name} already marked as owned")
-                        continue
-
-                    update_query = f"MATCH (c:{label} {{name:'{full_name}'}}) SET c.owned=true RETURN c.name AS name"
-                    update_result = session.run(update_query).data()
-
-                    if update_result:
-                        print(f"{BOLD_GREEN}[+]{RESET} Marked {full_name} as owned in BloodHound")
-                    else:
-                        print(f"{BOLD_RED}[-]{RESET} Failed to mark {full_name} as owned in BloodHound")
-
-    except ServiceUnavailable:
-        print(f"{BOLD_RED}[-]{RESET} BloodHound DB unreachable at {dburi}")
-    except Exception as e:
-        print(f"{BOLD_RED}[-]{RESET} Error while marking BloodHound: {e}")
-
 def extract_unique_hashes(ntds_path, output_path, full_output_path, write_full_output=True):
     print(f"{BOLD_GREEN}[+]{RESET} Extracting unique NT hashes from: {ntds_path}")
     seen_hashes = set()
@@ -280,7 +199,7 @@ def reveal_credentials(individual_ntds_path, cracked_hashes, session_dir, enable
         print(f"{BOLD_GREEN}[+]{RESET} Output saved to {output_file_csv}")
 
 def main():
-    print(f"\n{BOLD_BLUE}revealhashed v0.2.1{RESET}\n")
+    print(f"\n{BOLD_BLUE}revealhashed v0.1.4{RESET}\n")
 
     parser = parse_args()
     args = parser.parse_args()
@@ -370,8 +289,6 @@ def main():
             shutil.copy(HASHCAT_POT, session_dir)
         cracked = parse_potfile(HASHCAT_POT)
         reveal_credentials(ind_path, cracked, session_dir, enabled_only=args.enabled_only, no_domain=args.no_domain, to_csv=args.csv)
-        if getattr(args, "bh", False):
-            mark_bloodhound_owned(session_dir / "revealhashed.txt", args.dburi, args.dbuser, args.dbpassword)
 
     elif args.command == "reveal":
         if args.nxc:
@@ -423,13 +340,11 @@ def main():
             shutil.copy(HASHCAT_POT, session_dir)
         cracked = parse_potfile(HASHCAT_POT)
         reveal_credentials(ind_path, cracked, session_dir, enabled_only=args.enabled_only, no_domain=args.no_domain, to_csv=args.csv)
-        if getattr(args, "bh", False):
-            mark_bloodhound_owned(session_dir / "revealhashed.txt", args.dburi, args.dbuser, args.dbpassword)
 
 if __name__ == "__main__":
     main()
 
-# revealhashed v0.2.1
+# revealhashed v0.1.4
 # 
 # contact options
 # mail: https://blog.zurrak.com/contact.html