Update computer/user nodes

Add author info to SQLAdmin Bump version
SpecterOps · Jul 3, 2019 · 1b450ef · 1b450ef
1 parent ff3fdaa
commit 1b450ef
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 4 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "bloodhound",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Graph Theory for Active Directory",
   "prettier": {
     "tabWidth": 4,

diff --git a/src/components/Modals/HelpModal.jsx b/src/components/Modals/HelpModal.jsx
@@ -230,7 +230,9 @@ export default class HelpModal extends Component {
 
             There is at least one MSSQL instance running on ${targetName} where the user ${sourceName} is the account configured to run the SQL Server instance. The typical configuration for MSSQL is to have the local Windows account or Active Directory domain account that is configured to run the SQL Server service (the primary database engine for SQL Server) have sysadmin privileges in the SQL Server application. As a result, the SQL Server service account can be used to log into the SQL Server instance remotely, read all of the databases (including those protected with transparent encryption), and run operating systems command through SQL Server (as the service account) using a variety of techniques.
 
-            For Windows systems that have been joined to an Active Directory domain, the SQL Server instances and the associated service account can be identified by executing a LDAP query for a list of "MSSQLSvc" Service Principal Names (SPN) as a domain user. In short, when the Database Engine service starts, it attempts to register the SPN, and the SPN is then used to help facilitate Kerberos authentication.`;
+            For Windows systems that have been joined to an Active Directory domain, the SQL Server instances and the associated service account can be identified by executing a LDAP query for a list of "MSSQLSvc" Service Principal Names (SPN) as a domain user. In short, when the Database Engine service starts, it attempts to register the SPN, and the SPN is then used to help facilitate Kerberos authentication.
+            
+            Author: Scott Sutherland`;
 
         }
 
@@ -1619,7 +1621,9 @@ export default class HelpModal extends Component {
                 <code>Get-SQLQuery -Verbose -Query "xp_test" -Instance sqlserver\instance</code>
                 
                 4. Remove extended stored procedure.
-                <code>Get-SQLQuery -Verbose -Query "sp_dropextendedproc 'xp_test'" -Instance sqlserver\instance</code>`;
+                <code>Get-SQLQuery -Verbose -Query "sp_dropextendedproc 'xp_test'" -Instance sqlserver\instance</code>
+                
+                Author: Scott Sutherland`;
         }
 
         this.setState({ abuseTabContent: { __html: formatted } });
@@ -1764,7 +1768,9 @@ export default class HelpModal extends Component {
             If database audit specifications are configured on the SQL Server, event ID 33205 logs may be created in the Windows Application log when Agent and database level configuration changes are made.
             
             A summary of the what will show up in the logs, along with the TSQL queries for viewing and configuring audit configurations can be found at 
-            <a>https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Audit%20Command%20Execution%20Template.sql</a>.`;
+            <a>https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Audit%20Command%20Execution%20Template.sql</a>.
+            
+            Author: Scott Sutherland`;
         }
 
         this.setState({ opsecTabContent: { __html: formatted } });

diff --git a/src/components/SearchContainer/Tabs/ComputerNodeData.jsx b/src/components/SearchContainer/Tabs/ComputerNodeData.jsx
@@ -469,6 +469,17 @@ class ComputerNodeData extends Component {
                         distinct
                     />
 
+                    <h4>Inbound Execution Privileges</h4>
+                    <NodeCypherLink
+                        property='SQL Admins'
+                        target={this.state.label}
+                        baseQuery={
+                            'MATCH p=(n:User)-[r:SQLAdmin]->(m:Computer {name:{name}})'
+                        }
+                        start={this.state.label}
+                        distinct
+                    />
+
                     <h4>Outbound Execution Privileges</h4>
                     <NodeCypherLink
                         property='First Degree RDP Privileges'

diff --git a/src/components/SearchContainer/Tabs/UserNodeData.jsx b/src/components/SearchContainer/Tabs/UserNodeData.jsx
@@ -433,6 +433,16 @@ class UserNodeData extends Component {
                         distinct
                     />
 
+                    <NodeCypherLink
+                        property='SQL Admin Rights'
+                        target={this.state.label}
+                        baseQuery={
+                            'MATCH p=(m:User {name:{name}})-[r:SQLAdmin]->(n:Computer)'
+                        }
+                        start={this.state.label}
+                        distinct
+                    />
+
                     <NodeCypherLink
                         property='Constrained Delegation Privileges'
                         target={this.state.label}