Doing it Server-Side with CypherDog 4.0

Arrroooo… Bloodhound Crew!! Heard the news? CypherDog 4.0 is out and it’s full of new features…

Now a couple of you might be thinking “Hey there, wait a minute… didn’t CypherDog 3.0 come out not that long ago..??”, and I am happy to see some of you are paying attention…
Indeed, when Bloodhound 3 came out, I quickly updated CypherDog 2 to CypherDog 3 to be compatible with it.
But Bloodhound 3 is compatible with neo4j 3 and 4, however the neo4j REST API has been deprecated in neo4j 4 and CypherDog 3 relied on it.
Long story short, CypherDog 4.0 is a full rewrite compatible with the new neo4j 4 HTTP API, and since I was refactoring the whole thing, I added some cool new features to the tool.
The idea was to be able to do more with less keystrokes, and to do it server-side…
And so I made a meme.

In this post I will share some basic commands to get you started with the toolset, and I will highlight some of the new features I baked into it.


Retrieving Nodes

The Basic command to manipulate nodes is Get-BloodHoundNode and it’s alias Node

# Retrieve all nodes by type
Node User

# Retrieve node by name

# Retrieve multiple names

Here is what the output looks like

Retrieving user by name

Retrieving multiple users / Comparing props

Nodes can also be retrieved by properties

# Single Prop
Node User -Props @{enabled=$true}

# Multiple Props
Node User -Props @{enabled=$true;highvalue=$true}

Retrieving nodes by properties

but my favorite new feature has to be the -Where parameter.
You can pass a Cypher string to it… server-side filtering possibilities become endless…

# Where + Operator
Node User -Where " STARTS WITH 'ALICE'"

# Where + Path condition
Node User -Where "(x)-[:MemberOf*1..]->(:Group {name:'DOMAIN ADMINS@COFFEE.CUP'})"

Node + Where + Operator

Node + Where + Path condition

And that’s not it for Cypher…
To further fine tune your queries, you can also input Cypher syntax after the -With / -Return / -OrderBy / -Limit parameters…


Retrieving Edges

If you want to visualize single-edge type relationships between objects, you can use the Get-BloodHoundEdge cmdlet (aka Edge).
Basic usage goes as follows (and everything should tab-complete):

Edge <SourceType> <EdgeType> <TargetType> [<SourceName>] [<TargetName>] [+OtherOptions...]

so you can do something like that… (* means ‘Any’)

Any user direct member of DA

Computers where Administrator is direct admin

and because you’re in PowerShell, you could use the Group-Object cmdlet and do something like that…

Count of sessions per user / user with most session

or what about that..?

Edge + Path Condition: User has session on computer where he is admin

and maybe even something like that…

Edge: Wheres everywhere!!


Retrieving Paths

Most of the time, you will want to be looking at chains of several edges. For this, you will be using the Get-BloodhoundPath cmdlet (aka Path). With this cmdlet you can build complex paths queries with minimal effort.

Here again, the -SourceWhere / -TargetWhere / -PathWhere parameters should allow you to retrieve just what you are looking for with efficient server-side filtering.
You can use -FilterEdge / -IncludeEdge / -ExcludeEdge / -MaxHop to generate desired edge constraints,
and  -With / -Return / -OrderBy / -Limit are also available to further fine-tuning your query…

Might be a bit too much for this blogpost, so i’ll share example for the basic usage, but make sure to check out all the switches when you play with it…

Basic construct goes as follow:

Path <SourceType> <TargetType> <SourceName> <TargetName> [+OtherOption...]

and a simple path query looks like that… (* means ‘Any’)

Basic path query: any user to DA

simply add the -Cypher to your command and pipe it into | Set-Clipboard to view matching graph in the BloodHound UI…


Calculating NodeWeight

Now if you followed my BloodHound adventures so far, you might remember something about NodeWeight (from here).
If that’s the case, you might be happy to hear that there is now a Get-BloodHoundPathNodeWeight cmdlet (aka NodeWeight)
You can simply pipe any CypherDog Path command into it, to get the weight of all the nodes on the resulting graph.

NodeWeight Calculation


Moar Stuff…

As  in previous versions, all cmdlets have a -Cypher switch to output the resulting cypher query without sending it to the server.
This is a great way to learn some Cypher syntax as you go. Make sure to check it out…
If you are already a Cypher ninja and simply want to send some advanced query of yours to the server, you can use Invoke-Neo4jCypher cmdlet (aka cypher or neo) followed by your cypher query to do just that…
(and never want to go back to the neo4j browser experience imo)

Whatever Cypher query you want…

Did I also mention I added authentication? Loads of little utilities for DIY and further tweaking??
And of course, there are also Cmdlets to Create / Modify / Delete stuff if you want to.
All I will say is be careful with these, and don’t blame me if you break something…
Maybe backup your DB beforehand… just in case you “didn’t want to delete ALL that…”

Anyways… enough for today I guess.
I hope you will enjoy this new version of the tool…
Code can be found here.
Hit me on BloodHound Slack if you have any questions, issues or feedback.

Hack the Planet.

Catch you later…


Leave a Reply

Your email address will not be published. Required fields are marked *