Remove docker-compose.test.yml and add access path functionality to BloodHound CLI

ADScanPro · ADScanPro · commit 955c1edbe3ce · 2025-10-09T09:48:47.000+02:00
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,93 @@
+# Copyright 2023 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+services:
+  app-db:
+    image: docker.io/library/postgres:16
+    environment:
+      - PGUSER=${POSTGRES_USER:-bloodhound}
+      - POSTGRES_USER=${POSTGRES_USER:-bloodhound}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-bloodhoundcommunityedition}
+      - POSTGRES_DB=${POSTGRES_DB:-bloodhound}
+    # Database ports are disabled by default. Please change your database password to something secure before uncommenting
+    # ports:
+    #   - 127.0.0.1:${POSTGRES_PORT:-5432}:5432
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "pg_isready -U ${POSTGRES_USER:-bloodhound} -d ${POSTGRES_DB:-bloodhound} -h 127.0.0.1 -p 5432"
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
+  graph-db:
+    image: docker.io/library/neo4j:4.4.42
+    environment:
+      - NEO4J_AUTH=${NEO4J_USER:-neo4j}/${NEO4J_SECRET:-bloodhoundcommunityedition}
+      - NEO4J_dbms_allow__upgrade=${NEO4J_ALLOW_UPGRADE:-true}
+    # Database ports are disabled by default. Please change your database password to something secure before uncommenting
+    ports:
+      - 127.0.0.1:${NEO4J_DB_PORT:-7687}:7687
+      - 127.0.0.1:${NEO4J_WEB_PORT:-7474}:7474
+    volumes:
+      - ${NEO4J_DATA_MOUNT:-neo4j-data}:/data
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "wget -O /dev/null -q http://localhost:7474 || exit 1"
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
+  bloodhound:
+    image: docker.io/specterops/bloodhound:7.4.1
+    environment:
+      - bhe_disable_cypher_complexity_limit=${bhe_disable_cypher_complexity_limit:-false}
+      - bhe_enable_cypher_mutations=${bhe_enable_cypher_mutations:-false}
+      - bhe_graph_query_memory_limit=${bhe_graph_query_memory_limit:-2}
+      - bhe_database_connection=user=${POSTGRES_USER:-bloodhound} password=${POSTGRES_PASSWORD:-bloodhoundcommunityedition} dbname=${POSTGRES_DB:-bloodhound} host=app-db
+      - bhe_neo4j_connection=neo4j://${NEO4J_USER:-neo4j}:${NEO4J_SECRET:-bloodhoundcommunityedition}@graph-db:7687/
+      - bhe_recreate_default_admin=${bhe_recreate_default_admin:-false}
+      - bhe_graph_driver=${GRAPH_DRIVER:-neo4j}
+      ### Add additional environment variables you wish to use here.
+      ### For common configuration options that you might want to use environment variables for, see `.env.example`
+      ### example: bhe_database_connection=${bhe_database_connection}
+      ### The left side is the environment variable you're setting for bloodhound, the variable on the right in `${}`
+      ### is the variable available outside of Docker
+    ports:
+      ### Default to localhost to prevent accidental publishing of the service to your outer networks
+      ### These can be modified by your .env file or by setting the environment variables in your Docker host OS
+      - ${BLOODHOUND_HOST:-127.0.0.1}:${BLOODHOUND_PORT:-8080}:8080
+    ### Uncomment to use your own bloodhound.config.json to configure the application
+    # volumes:
+    #   - ./bloodhound.config.json:/bloodhound.config.json:ro
+    depends_on:
+      app-db:
+        condition: service_healthy
+      graph-db:
+        condition: service_healthy
+
+volumes:
+  neo4j-data:
+  postgres-data:
diff --git a/src/bloodhound_cli/core/ce.py b/src/bloodhound_cli/core/ce.py
@@ -410,32 +410,171 @@ def get_critical_aces(self, source_domain: str, high_value: bool = False,
             return []
     
     def get_access_paths(self, source: str, connection: str, target: str, domain: str) -> List[Dict]:
-        """Get access paths using CySQL query"""
+        """Get access paths using CySQL query - adapted from old_main.py"""
         try:
-            cypher_query = f"""
-            MATCH path = (s)-[*1..10]->(t)
-            WHERE s.name = '{source}' AND t.name = '{target}'
-            RETURN path
-            """
+            # Determine relationship conditions
+            if connection.lower() == "all":
+                rel_condition = "AND type(r) IN ['AdminTo','CanRDP','CanPSRemote']"
+                rel_pattern = "[r]->"
+            else:
+                rel_condition = ""
+                rel_pattern = f"[r:{connection}]->"
+            
+            # Case 1: source != "all" and target == "all" - find what source can access
+            if source.lower() != "all" and target.lower() == "all":
+                cypher_query = f"""
+                MATCH p = (n)-{rel_pattern}(m)
+                WHERE toLower(n.samaccountname) = toLower('{source}')
+                AND toLower(n.domain) = toLower('{domain}')
+                AND m.enabled = true
+                {rel_condition}
+                RETURN n.samaccountname AS source, m.samaccountname AS target, type(r) AS relation
+                """
+            
+            # Case 2: source == "all" and target == "all" - find all access paths in domain
+            elif source.lower() == "all" and target.lower() == "all":
+                cypher_query = f"""
+                MATCH p = (n)-{rel_pattern}(m)
+                WHERE toLower(n.domain) = toLower('{domain}')
+                AND n.enabled = true
+                AND m.enabled = true
+                {rel_condition}
+                RETURN n.samaccountname AS source, m.samaccountname AS target, type(r) AS relation
+                """
+            
+            # Case 3: source != "all" and target == "dcs" - find users with DC access
+            elif source.lower() != "all" and target.lower() == "dcs":
+                cypher_query = f"""
+                MATCH p = (n)-{rel_pattern}(m)
+                WHERE toLower(n.samaccountname) = toLower('{source}')
+                AND toLower(n.domain) = toLower('{domain}')
+                AND m.enabled = true
+                AND (m.operatingsystem CONTAINS 'Windows Server' OR m.operatingsystem CONTAINS 'Domain Controller')
+                {rel_condition}
+                RETURN n.samaccountname AS source, m.samaccountname AS target, type(r) AS relation
+                """
+            
+            # Case 4: source == "all" and target == "dcs" - find all users with DC access
+            elif source.lower() == "all" and target.lower() == "dcs":
+                cypher_query = f"""
+                MATCH p = (n)-{rel_pattern}(m)
+                WHERE toLower(n.domain) = toLower('{domain}')
+                AND n.enabled = true
+                AND m.enabled = true
+                AND (m.operatingsystem CONTAINS 'Windows Server' OR m.operatingsystem CONTAINS 'Domain Controller')
+                {rel_condition}
+                RETURN n.samaccountname AS source, m.samaccountname AS target, type(r) AS relation
+                """
+            
+            # Case 5: specific source to specific target
+            else:
+                cypher_query = f"""
+                MATCH p = (n)-{rel_pattern}(m)
+                WHERE toLower(n.samaccountname) = toLower('{source}')
+                AND toLower(n.domain) = toLower('{domain}')
+                AND toLower(m.samaccountname) = toLower('{target}')
+                AND m.enabled = true
+                {rel_condition}
+                RETURN n.samaccountname AS source, m.samaccountname AS target, type(r) AS relation
+                """
             
             result = self.execute_query(cypher_query)
             paths = []
             
             if result and isinstance(result, list):
-                for path_data in result:
-                    # Process path data - this might need adjustment based on actual CySQL response format
-                    if isinstance(path_data, dict):
+                for record in result:
+                    source_name = record.get('source', '')
+                    target_name = record.get('target', '')
+                    relation = record.get('relation', '')
+                    
+                    if source_name and target_name:
+                        # Extract just the username part (before @) if it's in UPN format
+                        if "@" in source_name:
+                            source_name = source_name.split("@")[0]
+                        if "@" in target_name:
+                            target_name = target_name.split("@")[0]
+                        
                         paths.append({
-                            "source": source,
-                            "target": target,
-                            "path": path_data
+                            "source": source_name,
+                            "target": target_name,
+                            "relation": relation,
+                            "path": f"{source_name} -> {target_name} ({relation})"
                         })
             
             return paths
 
         except Exception:
             return []
     
+    def get_users_with_dc_access(self, domain: str) -> List[Dict]:
+        """Get users who have access to Domain Controllers"""
+        try:
+            # First try to find actual DCs
+            cypher_query = f"""
+            MATCH (u:User)-[r]->(dc:Computer)
+            WHERE u.enabled = true AND toUpper(u.domain) = '{domain.upper()}'
+              AND dc.enabled = true AND toUpper(dc.domain) = '{domain.upper()}'
+              AND (dc.operatingsystem CONTAINS 'Windows Server' OR dc.operatingsystem CONTAINS 'Domain Controller')
+            RETURN u.samaccountname AS user, dc.name AS dc, type(r) AS relation
+            """
+            
+            result = self.execute_query(cypher_query)
+            users_with_access = []
+            
+            if result and isinstance(result, list):
+                for record in result:
+                    user = record.get('user', '')
+                    dc = record.get('dc', '')
+                    relation = record.get('relation', '')
+                    
+                    if user and dc:
+                        # Extract just the username part (before @) if it's in UPN format
+                        if "@" in user:
+                            user = user.split("@")[0]
+                        if "@" in dc:
+                            dc = dc.split("@")[0]
+                        
+                        users_with_access.append({
+                            "source": user,
+                            "target": dc,
+                            "path": f"{user} -> {dc} ({relation})"
+                        })
+            
+            # If no DCs found, try to find any user-computer relationships
+            if not users_with_access:
+                fallback_query = f"""
+                MATCH (u:User)-[r]->(c:Computer)
+                WHERE u.enabled = true AND toUpper(u.domain) = '{domain.upper()}'
+                  AND c.enabled = true AND toUpper(c.domain) = '{domain.upper()}'
+                RETURN u.samaccountname AS user, c.name AS computer, type(r) AS relation
+                """
+                
+                result = self.execute_query(fallback_query)
+                
+                if result and isinstance(result, list):
+                    for record in result:
+                        user = record.get('user', '')
+                        computer = record.get('computer', '')
+                        relation = record.get('relation', '')
+                        
+                        if user and computer:
+                            # Extract just the username part (before @) if it's in UPN format
+                            if "@" in user:
+                                user = user.split("@")[0]
+                            if "@" in computer:
+                                computer = computer.split("@")[0]
+                            
+                            users_with_access.append({
+                                "source": user,
+                                "target": computer,
+                                "path": f"{user} -> {computer} ({relation})"
+                            })
+            
+            return users_with_access
+
+        except Exception:
+            return []
+    
     def get_critical_aces_by_domain(self, domain: str, blacklist: List[str], 
                                    high_value: bool = False) -> List[Dict]:
         """Get critical ACEs by domain using CySQL query"""
diff --git a/src/bloodhound_cli/main.py b/src/bloodhound_cli/main.py
@@ -377,6 +377,65 @@ def cmd_upload(args):
         client.close()
 
 
+def cmd_access(args):
+    """Find access paths between objects"""
+    if args.debug:
+        print(f"Debug: Creating client for edition {args.edition}")
+        print(f"Debug: Source = {args.source}")
+        print(f"Debug: Target = {args.target}")
+        print(f"Debug: Domain = {args.domain}")
+        print(f"Debug: Relation = {args.relation}")
+    
+    client = get_client(
+        args.edition,
+        uri=args.uri,
+        user=args.user,
+        password=args.password,
+        base_url=args.base_url,
+        username=args.username,
+        ce_password=getattr(args, 'ce_password', 'Bloodhound123!'),
+        debug=args.debug,
+        verbose=args.verbose
+    )
+    
+    try:
+        paths = client.get_access_paths(
+            source=args.source,
+            connection=args.relation or "all",
+            target=args.target,
+            domain=args.domain
+        )
+        
+        if args.verbose:
+            print(f"\nAccess paths for source: {args.source}, connection: {args.relation or 'all'}, target: {args.target}, domain: {args.domain}")
+            print("=" * 80)
+        
+        if not paths:
+            if args.verbose:
+                print("No access paths found")
+            else:
+                print("No access paths found")
+            return
+        
+        # Format paths for output
+        results = []
+        for path in paths:
+            if args.verbose:
+                print(f"\nSource: {path['source']}")
+                print(f"Target: {path['target']}")
+                print(f"Relation: {path['relation']}")
+                print(f"Path: {path['path']}")
+                print("-" * 40)
+            else:
+                results.append(path['path'])
+        
+        if not args.verbose:
+            output_results(results, args.output, False, "access paths")
+            
+    finally:
+        client.close()
+
+
 def cmd_auth(args):
     """Authenticate to BloodHound CE and save API token"""
     import getpass
@@ -507,6 +566,14 @@ def main():
     acl_parser.add_argument('--high-value', action='store_true', help='Show only high value targets')
     acl_parser.set_defaults(func=cmd_acl)
     
+    # Access command
+    access_parser = subparsers.add_parser('access', help='Find access paths between objects')
+    access_parser.add_argument('-s', '--source', required=True, help='Source object name')
+    access_parser.add_argument('-r', '--relation', help='Relation type to filter by')
+    access_parser.add_argument('-t', '--target', required=True, help='Target object name')
+    access_parser.add_argument('-d', '--domain', required=True, help='Domain to query')
+    access_parser.set_defaults(func=cmd_access)
+    
     # Upload command
     upload_parser = subparsers.add_parser('upload', help='Upload BloodHound data')
     upload_parser.add_argument('-f', '--file', help='Path to ZIP file to upload')
