When I was a kid, I was interested in a number of professions that are now either outdated, or have changed completely. One of those dreams involved checking out books and things to patrons, and it was focused primarily on pulling out the little card and adding a date-due stamp.

Of course, if you’ve been to a library in the last 20 years, you know that most of them don’t work that way anymore. Either the librarian scans special barcodes, or you check materials out yourself simply by placing them just so, one at a time. Either way, you end up with a printed receipt with all the materials listed, or an email. I ask you, what’s the fun in that? At least with the old way, you’d usually get a bookmark for each book by way of the due date card.

As I got older and spent the better part of two decades in a job that I didn’t exactly vibe with, I seriously considered becoming a programmer. I took Java, Android, and UNIX classes at the local junior college, met my now-husband, and eventually decided I didn’t have the guts to actually solve problems with computers. And, unlike my husband, I have very little imagination when it comes to making them do things.

Fast forward to last weekend, the one before Thanksgiving here in the US. I had tossed around the idea of making a personal library system just for funsies a day or so before, and I brought it up again. My husband was like, do you want to make it tonight using ChatGPT? And I was like, sure — not knowing what I was getting into except for the driver’s seat, excited for the destination.

Vibing On a Saturday Night

I want to make a book storage system. Can you please write a Python script that uses SQL Alchemy to make a book model that stores these fields: title, author, year of publication, genre, and barcode number?

So basically, I envisioned scanning a book’s barcode, pulling it up in the system, and then clicking a button to check it out or check it back in. I knew going in that some of my books don’t have barcodes at all, and some are obliterated or covered up with college bookstore stickers and what have you. More on that later.

First, I was told to pip install sqlalchemy, which I did not have. I was given a python script called books_db.py to get started. Then I asked for code that looks up all the books and prints them, which I was told to add to the script.

Then things were getting serious. I asked it to write a Flask server and a basic HTML front end for managing the books in the system. I was given the Flask server as app.py, and then some templates: base.html to be used by all pages, and index.html to view all the books, and add_book.html to, you know, add a new book. At that point, I got to see what it had created for the first time, and I thought it was lovely for a black and white table. But it needed color.

Check It Out

I asked the chat-thing for features and implemented them piecemeal, as you do if you’re not a masochist. First up was a cute little trash-can delete-button for every entry. Then it was time to set up the CheckoutEvent. Each of these events records which book it belongs to, whether it’s a check-out or check-in event, and the timestamp of said event. Of course, then it was time to get the checkout history wired to the front-end and accessible by clicking a book’s title.

All I really had to do was add a history route to app.py, update index.html to make the titles clickable, and create the book_history.html it spat out. Then I had it add the buttons for checking in and out on the new checkout history page, which involved adding routes to app.py as well as a helper to compute the current status.

Then it had me modify the history route and update book_history.html with the actual buttons. And they’re super cute, too — there’s a little red book on the checkout button, and a green book on the check-in.

Barcode Blues

On the index.html page, can you add a barcode number-based search box? And when the user searches, redirect them to the book page for that barcode?

Now it was time to get the barcode scanning situation up and running. I was sure at some point that ChatGPT would time me out for the night since I use the free model, but it just kept helping me do whatever I wanted, and even suggesting new features.

I wanted the barcode handling to be twofold: one, it should definitely pull the checkout page if the book exists in the system, and it should also definitely go to the book-entering page if not.

Yes — that’s a great workflow feature.
We’ll add a barcode search box to your index page, and when someone submits a barcode, the app will:

1. Look up the book by barcode

2. Redirect straight to that book’s checkout history page

3. Show a nice error if the barcode doesn’t exist

I did what it told me, adding a barcode search route in app.py and updating the index() route to use it. I then added its barcode search form to index.html. It was at this point that I had to figure out a way to generate barcodes so I could make little stickers for the books that lack them entirely, or have otherwise obliterated ones.

I have a pretty basic 1D barcode scanning gun, and it won’t scan everything. As I soon found out, it prefers fake EAN barcodes to UPCs altogether. I finally found an online barcode generator and got to work, starting with a list of randomly-generated numbers I made with Excel. I decided I wanted all the fake barcodes to start with 988, which is close enough to the ISBN 978 lead-in, and happens to use my favorite number twice.

We took a brief detour as I asked the chat-thing to make the table to have ascending/descending sorting by clicking the headers. The approach it chose was to keep things server-side, and use little arrows to indicate direction. I added sorting logic to app.py and updated index.html to produce the clickable headers, and also decided that the entries should be color-coded based on genre, and implemented that part without help from GPT. Then I got tired and went to bed.

The Long, Dark Night of the Solo Programmer

I’m of a certain age and now sleep in two parts pretty much every night. In fact, I’m writing this part now at 1:22 AM, blasting Rush (2112) and generally having a good time. But I can tell you that I was not having a good time when I got out of bed to continue working on this library system a couple of hours later.

There I was, entering books (BEEP!), when I decided I’d had enough of that and needed to try adding more features. I cracked my knuckles and asked the chat-thing if it could make it so the search works across all fields — title, author, year, genre, or barcode. It said, cool, we can do that with a simple SQLAlchemy or_ query. I was like, whatever, boss; let’s get crazy.

Can you make it so the search works across all fields?

It had me import or_ and update the search route in app.py to replace the existing barcode search route with a generalized search using POST. Then I was to update index.html to rename the input to a general query. Cool.

But no. I messed it up some how and got an error about a missing {% endblock %}. In my GPT history it says, I’m confused about step 2. Where do I add it? And maybe I was just tired. I swear I just threw the code up there at the top like it told me to. But it said:

Ah! I see exactly why it’s confusing — your current index.html starts with the <h1> and then goes straight into the table. The search form should go right under the <h1> and before the table.

Then I was really confused. Didn’t I already have a search box that only handled barcodes? I sure did, over in base.html. So the new search code ended up there. Maybe that’s wrong. I don’t remember the details, but I searched the broader internet about my two-layer error and got the thing back to a working state many agonizing minutes later. Boy, was I proud, and relieved that I didn’t have to ask my husband to fix my mistake(s) in the morning. I threw my arms in the air and looked around for the cats to tell them the good news, but of course, I was the only one awake.

Moar Features!

I wasn’t satisfied. I wanted more. I asked it to add a current count of books in the database and display it toward the top. After that, it offered to add a count of currently-checked-out vs. available books, to which I said yes please. Then I wanted an author page that accepts an author’s name and shows all books by that author. I asked for a new page that shows all the books that are checked out. Most recently, I made it so the search box and the column headers persist on scroll.

I’m still trying to think of features, but for now I’m busy entering books, typing up check-out cards on my IBM Wheelwriter 5, and applying library pockets to the inside back covers of all my books. If you want to make your own personal library system, I put everything on GitHub.

On the Shoulders of Giants (and Robots)

I couldn’t have done any of this without my husband’s prompts and guidance, his ability to call shenanigans on GPT’s code whenever warranted, and ChatGPT itself. Although I have programmed in the past, it’s been a good long time since I even printed “Hello, World” in any language, though I did find myself recalling a good deal about this and that syntax.

If you want to make a similar type of niche system for your eyes only, I’d say this could be one way to do it. Wait, that’s pretty non-committal. I’d say just go for it. You have yourself and the broader Internet to check mistakes along the way, and you just might like some of the choices it makes on your behalf.

The Bomem DA3 is a type of Fourier transform spectrometer used for measuring various spectral data and [Usagi Electric] has one. On his quest to understand it he runs down a number of rabbit holes, including learning about various barcode formats, doing a teardown of the Telxon LS-201 barcode scanner, and exploring how lasers work. That’s right: lasers!

His reason for looking at the Telxon LS-201 barcode scanner is that it has the same type of helium-neon laser as his Bomem DA3 uses. Since he’s learning about barcode scanners he thinks it’s prudent to learn about barcode formats too, and he has a discussion with our very own Adam Fabio about such things, including the UPC-A standard barcodes.

It’s fun seeing the mainboard of the Telxon LS-201 sporting the familiar 555 timer, LM393 comparator, and three op-amps: 5532, LF347, and TL062; no discrete logic in sight! If you’re interested in barcode tech you might like to read Barcodes Enter The Matrix In 2027 and Old Barcode Scanner Motherboards Live Again. The particular Hackaday article mentioned in the video is this one: The Eloquence Of The Barcode.

Also, in the interest of public health and safety, make sure you’re wearing laser protection glasses if you’re working with laser technology. Even low power lasers can do damage to your eyes. Laser emissions can be invisible to the human eye and you don’t have nerves that tell you when your eyeballs are being roasted, so take care out there!

Just about every “getting started with microcontrollers” kit, Arduino or otherwise, includes an ultrasonic distance sensor module. Given the power of microcontrollers these days, it was only a matter of time before someone asked: “Could I do better without the module?” Well, [Martin Pittermann] asked, and his answer, at least with the Pi Pico, is a resounding “Yes”. A micro and a couple of transducers can offer a better view of the world.

The project isn’t really about removing the extra circuitry on the SR-HC0, since there really isn’t that much to start. [Martin] wanted to know just how far he could push ultrasound scanning technology using RADAR signal processing techniques. Instead of bat-like chirps, [Martin] is using something called Frequency-Modulated Continuous Wave, which comes from RADAR and is exactly what it sounds like. The transmitter emits a continuous carrier wave with a varying frequency modulation, and the received wave is compared to see when it must have been sent. That gives you the time of flight, and the usual math gives you a distance.

Since he’s inspired by RADAR, it’s no surprise perhaps that [Martin]’s project reminds us of SDR, and the write-up gets right into the signal-processing code. Does it work better than a chirping module? Well, aside from using fewer parts, [Martin] can generate a full range plot for all objects in the arc of the sensor’s emissions out to 4 meters using just the Pico. [Martin] points out that it wouldn’t take much amplification to get a greater range. He’s not finished yet, though — the real goal here is to measure wind speed, which means he’s going to have to go full Doppler. We look forward to it.

This isn’t the first time we’ve seen the Pico doing fun stuff at these frequencies, and Doppler RADAR is a thing hackers do, so why not ultrasound?

Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors.

Quick Start

pipx install yaralyzer

# Scan against YARA definitions in a file:
yaralyze --yara-rules /secret/vault/sigmunds_malware_rules.yara lacan_buys_the_dip.pdf

# Scan against an arbitrary regular expression:
yaralyze --regex-pattern 'good and evil.*of\s+\w+byte' the_crypto_archipelago.exe

# Scan against an arbitrary YARA hex pattern
yaralyze --hex-pattern 'd0 93 d0 a3 d0 [-] 9b d0 90 d0 93' one_day_in_the_life_of_ivan_cryptosovich.bin

What It Do

1. See the actual bytes your YARA rules are matching. No more digging around copy/pasting the start positions reported by YARA into your favorite hex editor. Displays both the bytes matched by YARA as well as a configurable number of bytes before and after each match in hexadecimal and "raw" python string representation.
2. Do the same for byte patterns and regular expressions without writing a YARA file. If you're too lazy to write a YARA file but are trying to determine, say, whether there's a regular expression hidden somewhere in the file you could scan for the pattern '/.+/' and immediately get a window into all the bytes in the file that live between front slashes. Same story for quotes, BOMs, etc. Any regex YARA can handle is supported so the sky is the limit.
3. Detect the possible encodings of each set of matched bytes. The chardet library is a sophisticated library for guessing character encodings and it is leveraged here.
4. Display the result of forcing various character encodings upon the matched areas. Several default character encodings will be forcibly attempted in the region around the match. chardet will also be leveraged to see if the bytes fit the pattern of any known encoding. If chardet is confident enough (configurable), an attempt at decoding the bytes using that encoding will be displayed.
5. Export the matched regions/decodings to SVG, HTML, and colored text files. Show off your ASCII art.

Why It Do

The Yaralyzer's functionality was extracted from The Pdfalyzer when it became apparent that visualizing and decoding pattern matches in binaries had more utility than just in a PDF analysis tool.

YARA, for those who are unaware¹, is branded as a malware analysis/alerting tool but it's actually both a lot more and a lot less than that. One way to think about it is that YARA is a regular expression matching engine on steroids. It can locate regex matches in binaries like any regex engine but it can also do far wilder things like combine regexes in logical groups, compare regexes against all 256 XORed versions of a binary, check for base64 and other encodings of the pattern, and more. Maybe most importantly of all YARA provides a standard text based format for people to share their 'roided regexes with the world. All these features are particularly useful when analyzing or reverse engineering malware, whose authors tend to invest a great deal of time into making stuff hard to find.

But... that's also all YARA does. Everything else is up to the user. YARA's just a match engine and if you don't know what to match (or even what character encoding you might be able to match in) it only gets you so far. I found myself a bit frustrated trying to use YARA to look at all the matches of a few critical patterns:

1. Bytes between escaped quotes (\".+\" and \'.+\')
2. Bytes between front slashes (/.+/). Front slashes demarcate a regular expression in many implementations and I was trying to see if any of the bytes matching this pattern were actually regexes.

YARA just tells you the byte position and the matched string but it can't tell you whether those bytes are UTF-8, UTF-16, Latin-1, etc. etc. (or none of the above). I also found myself wanting to understand what was going in the region of the matched bytes and not just in the matched bytes. In other words I wanted to scope the bytes immediately before and after whatever got matched.

Enter The Yaralyzer, which lets you quickly scan the regions around matches while also showing you what those regions would look like if they were forced into various character encodings.

It's important to note that The Yaralyzer isn't a full on malware reversing tool. It can't do all the things a tool like CyberChef does and it doesn't try to. It's more intended to give you a quick visual overview of suspect regions in the binary so you can hone in on the areas you might want to inspect with a more serious tool like CyberChef.

Installation

Install it with pipx or pip3. pipx is a marginally better solution as it guarantees any packages installed with it will be isolated from the rest of your local python environment. Of course if you don't really have a local python environment this is a moot point and you can feel free to install with pip/pip3.

pipx install yaralyzer

Usage

Run yaralyze -h to see the command line options (screenshot below).

For info on exporting SVG images, HTML, etc., see Example Output.

Configuration

If you place a filed called .yaralyzer in your home directory or the current working directory then environment variables specified in that .yaralyzer file will be added to the environment each time yaralyzer is invoked. This provides a mechanism for permanently configuring various command line options so you can avoid typing them over and over. See the example file .yaralyzer.example to see which options can be configured this way.

Only one .yaralyzer file will be loaded and the working directory's .yaralyzer takes precedence over the home directory's .yaralyzer.

As A Library

Yaralyzer is the main class. It has a variety of constructors supporting:

1. Precompiled YARA rules
2. Creating a YARA rule from a string
3. Loading YARA rules from files
4. Loading YARA rules from all .yara file in a directory
5. Scanning bytes
6. Scanning a file

Should you want to iterate over the BytesMatch (like a re.Match object for a YARA match) and BytesDecoder (tracks decoding attempt stats) objects returned by The Yaralyzer, you can do so like this:

from yaralyzer.yaralyzer import Yaralyzer

yaralyzer = Yaralyzer.for_rules_files(['/secret/rule.yara'], 'lacan_buys_the_dip.pdf')

for bytes_match, bytes_decoder in yaralyzer.match_iterator():
    do_stuff()

Example Output

The Yaralyzer can export visualizations to HTML, ANSI colored text, and SVG vector images using the file export functionality that comes with Rich. SVGs can be turned into png format images with a tool like Inkscape or cairosvg. In our experience they both work though we've seen some glitchiness with cairosvg.

PyPi Users: If you are reading this document on PyPi be aware that it renders a lot better over on GitHub. Pretty pictures, footnotes that work, etc.

Raw YARA match result:

Display hex, raw python string, and various attempted decodings of both the match and the bytes before and after the match (configurable):

Bonus: see what chardet.detect() thinks about the likelihood your bytes are in a given encoding/language:

TODO

• highlight decodes done at chardets behest
• deal with repetitive matches

To get started with BlueHound, check out our introductory video, blog post and Nodes22 conference talk.

BlueHound supports presenting your data as tables, graphs, bar charts, line charts, maps and more. It contains a Cypher editor to directly write the Cypher queries that populate the reports. You can save dashboards to your database, and share them with others.

Main Features

1. Full Automation: The entire cycle of collection, analysis and reporting is basically done with a click of a button.
2. Community Driven: BlueHound configuration can be exported and imported by others. Sharing of knowledge, best practices, collection methodologies and more, built-into the tool itself.
3. Easy Reporting: Creating customized report can be done intuitively, without the need to write any code.
4. Easy Customization: Any custom collection method can be added into BlueHound. Users can even add their own custom parameters or even custom icons for their graphs.

Getting Started

ROST ISO

BlueHound can be used as part of the ROST image, which comes pre-configured with everything you need (BlueHound, Neo4j, BloodHound, and a sample dataset).
To load ROST, create a new virtual machine, and install it from the ISO like you would for a new Windows host.

BlueHound Binary

If you already have a Neo4j instance running, you can download a pre-compiled version of BlueHound from our release page. Just download the zip file suitable to your OS version, extract it, and run the binary.

Using BlueHound

1. Connect to your Neo4j server
2. Download SharpHound, ShotHound and the Vulnerability Scanner report parser
3. Use the Data Import section to collect & import data into your Neo4j database.
4. Once you have data loaded, you can use the Configurations tab to set up the basic information that is used by the queries (e.g. Domain Admins group, crown jewels servers).
5. Finally, the Queries section can be used to prepare the reports.

BlueHound How-To

Data Collection

The Data Import Tools section can be used to collect data in a click of a button. By default, BlueHound comes preconfigured with SharpHound, ShotHound, and the Vulnerability Scanners script. Additional tools can be added for more data collection. To get started:

1. Download the relevant tools using the globe icon
2. Configure the tool path & arguments for each tool
3. Run the tools

The built-in tools can be configured to automatically upload the results to your Neo4j instance.

Running & Viewing Queries

To get results for a chart, either use the Refresh icon to run a specific query, or use the Query Runner section to run queries in batches. The results will be cached even after closing BlueHound, and can be run again to get updated results.
Some charts have an Info icon which explain the query and/or provide links to additional information.

Adding & Editing Queries

You can edit the query for new and/or existing charts by using the Settings icon on the top right section of the chart. Here you can use any parameters configured with a Param Select chart, and any Edge Filtering string (see section below).

Edge Filtering

Using the Edge Filtering section, you can filter out specific relationship types for all queries that use the relevant string in their query. For example, ":FILTERED_EDGES" can be used to filter by all the selection filters.
You can also filter by a specific category (see the Info icon) or even define your own custom edge filters.

Import & Export Config

The Export Config and Import Config sections can be used to save & load your dashboard and configurations as a backup, and even shared between users to collaborate and contribute insightful queries to the security community. Don’t worry, your credentials and data won’t be exported.

Note: any arguments for data import tools are also exported, so make sure you remove any secrets before sharing your configuration.

Settings

The Settings section allows you to set some global limits on query execution – maximum query time and a limit for returned results.

Technical Info

BlueHound is a fork of NeoDash, built with React and use-neo4j. It uses charts to power some of the visualizations. You can also extend NeoDash with your own visualizations. Check out the developer guide in the project repository.

Developer Guide

Run & Build using npm

BlueHound is built with React. You'll need npm installed to run the web app.

Use a recent version of npm and node to build BlueHound. The application has been tested with npm 8.3.1 & node v17.4.0.

To run the application in development mode:

• clone this repository.
• open a terminal and navigate to the directory you just cloned.
• execute npm install to install the necessary dependencies.
• execute npm run dev to run the app in development mode.
• the application should be available at http://localhost:3000.

To build the app for production:

• follow the steps above to clone the repository and install dependencies.
• execute npm run build. This will create a build folder in your project directory.
• deploy the contents of the build folder to a web server. You should then be able to run the web app.

Questions / Suggestions

We are always open to ideas, comments, and suggestions regarding future versions of BlueHound, so if you have ideas, don’t hesitate to reach out to us at support@zeronetworks.com or open an issue/pull request on GitHub.

0 Disclaimer (The author did not participate in the XX action, don't trace it)

• This tool is only for legally authorized enterprise security construction behaviors and personal learning behaviors. If you need to test the usability of this tool, please build a target drone environment by yourself.

• When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.

We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.

If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.

Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.

Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.

1 Introduction

 _   __
|#| /#/ Lightweight Asset Mapping Tool by: kv2	
|#|/#/   _____  _____     *     _   _
|#.#/   /Edge/ /Forum|   /#\   |#\ |#|
|##|   |#|___  |#|      /###\  |##\|#|
|#.#\   \#####\|#|     /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/     \#\#| \#|

Kscan is an asset mapping tool that can perform port scanning, TCP fingerprinting and banner capture for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute force cracking on scan results, and is the first open source RDP brute force cracking tool on the go platform.

2 Foreword

At present, there are actually many tools for asset scanning, fingerprint identification, and vulnerability detection, and there are many great tools, but Kscan actually has many different ideas.

• Kscan hopes to accept a variety of input formats, and there is no need to classify the scanned objects before use, such as IP, or URL address, etc. This is undoubtedly an unnecessary workload for users, and all entries can be normal Input and identification. If it is a URL address, the path will be reserved for detection. If it is only IP:PORT, the port will be prioritized for protocol identification. Currently Kscan supports three input methods (-t,--target|-f,--fofa|--spy).

• Kscan does not seek efficiency by comparing port numbers with common protocols to confirm port protocols, nor does it only detect WEB assets. In this regard, Kscan pays more attention to accuracy and comprehensiveness, and only high-accuracy protocol identification , in order to provide good detection conditions for subsequent application layer identification.

• Kscan does not use a modular approach to do pure function stacking, such as a module obtains the title separately, a module obtains SMB information separately, etc., runs independently, and outputs independently, but outputs asset information in units of ports, such as ports If the protocol is HTTP, subsequent fingerprinting and title acquisition will be performed automatically. If the port protocol is RPC, it will try to obtain the host name, etc.

IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt

[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located

fofa search keywords: will directly return fofa search results

usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]


optional arguments:
  -h , --help     show this help message and exit
  -f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
  -t , --target Specify the detection target:
                  IP address: 114.114.114.114
                  IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
                  IP address range: 114.114.114.114-115.115.115.115
                  URL address: https://www.baidu.com
                  File address: file:/tmp/target.txt
  --spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
                  (empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
  --check Fingerprinting the target address, only port detection will not be performed
  --scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
  -p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
  -eP, --excluded-port skip scanning specified ports，support：80,8080,8088-8090
  -o , --output save scan results to file
  -oJ save the scan results to a file in json format
  -Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
  -Cn With this parameter, the console output will not be colored.
  -sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
  --top Scan the filtered common ports TopX, up to 1000, the default is TOP400
  --proxy set proxy (socks5|socks4|https|http)://IP:Port
  --threads thread parameter, the default thread is 100, the maximum value is 2048
  --path specifies the directory to request access, only a single directory is supported
  --host specifies the header Host value for all requests
  --timeout set timeout
  --encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
  --match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
  --hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
   --hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
   --hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
                  If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
   --hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
   --hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
   --fofa-syntax will get fofa search syntax description
   --fofa-size will set the number of entries returned by fofa, the default is 100
   --fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter

6.2 Survival network segment detection

6.3 Fofa result retrieval

6.4 Brute-force cracking

6.5 CDN identification

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. 

Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

• Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

• FOLIAGE
• x64 return address spoofing (source + explanation)

Other features and inspiration were taken from the following:

• https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/
• https://github.com/secidiot/TitanLdr
• https://github.com/JLospinoso/gargoyle
• https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
• https://www.arashparsa.com/hook-heaps-and-live-free/
• https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/
• https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

To get started with BlueHound, check out our introductory video, blog post and Nodes22 conference talk.

BlueHound supports presenting your data as tables, graphs, bar charts, line charts, maps and more. It contains a Cypher editor to directly write the Cypher queries that populate the reports. You can save dashboards to your database, and share them with others.

Main Features

1. Full Automation: The entire cycle of collection, analysis and reporting is basically done with a click of a button.
2. Community Driven: BlueHound configuration can be exported and imported by others. Sharing of knowledge, best practices, collection methodologies and more, built-into the tool itself.
3. Easy Reporting: Creating customized report can be done intuitively, without the need to write any code.
4. Easy Customization: Any custom collection method can be added into BlueHound. Users can even add their own custom parameters or even custom icons for their graphs.

Getting Started

ROST ISO

BlueHound can be used as part of the ROST image, which comes pre-configured with everything you need (BlueHound, Neo4j, BloodHound, and a sample dataset).
To load ROST, create a new virtual machine, and install it from the ISO like you would for a new Windows host.

BlueHound Binary

If you already have a Neo4j instance running, you can download a pre-compiled version of BlueHound from our release page. Just download the zip file suitable to your OS version, extract it, and run the binary.

Using BlueHound

1. Connect to your Neo4j server
2. Download SharpHound, ShotHound and the Vulnerability Scanner report parser
3. Use the Data Import section to collect & import data into your Neo4j database.
4. Once you have data loaded, you can use the Configurations tab to set up the basic information that is used by the queries (e.g. Domain Admins group, crown jewels servers).
5. Finally, the Queries section can be used to prepare the reports.

BlueHound How-To

Data Collection

The Data Import Tools section can be used to collect data in a click of a button. By default, BlueHound comes preconfigured with SharpHound, ShotHound, and the Vulnerability Scanners script. Additional tools can be added for more data collection. To get started:

1. Download the relevant tools using the globe icon
2. Configure the tool path & arguments for each tool
3. Run the tools

The built-in tools can be configured to automatically upload the results to your Neo4j instance.

Running & Viewing Queries

To get results for a chart, either use the Refresh icon to run a specific query, or use the Query Runner section to run queries in batches. The results will be cached even after closing BlueHound, and can be run again to get updated results.
Some charts have an Info icon which explain the query and/or provide links to additional information.

Adding & Editing Queries

You can edit the query for new and/or existing charts by using the Settings icon on the top right section of the chart. Here you can use any parameters configured with a Param Select chart, and any Edge Filtering string (see section below).

Edge Filtering

Using the Edge Filtering section, you can filter out specific relationship types for all queries that use the relevant string in their query. For example, ":FILTERED_EDGES" can be used to filter by all the selection filters.
You can also filter by a specific category (see the Info icon) or even define your own custom edge filters.

Import & Export Config

The Export Config and Import Config sections can be used to save & load your dashboard and configurations as a backup, and even shared between users to collaborate and contribute insightful queries to the security community. Don’t worry, your credentials and data won’t be exported.

Note: any arguments for data import tools are also exported, so make sure you remove any secrets before sharing your configuration.

Settings

The Settings section allows you to set some global limits on query execution – maximum query time and a limit for returned results.

Technical Info

BlueHound is a fork of NeoDash, built with React and use-neo4j. It uses charts to power some of the visualizations. You can also extend NeoDash with your own visualizations. Check out the developer guide in the project repository.

Developer Guide

Run & Build using npm

BlueHound is built with React. You'll need npm installed to run the web app.

Use a recent version of npm and node to build BlueHound. The application has been tested with npm 8.3.1 & node v17.4.0.

To run the application in development mode:

• clone this repository.
• open a terminal and navigate to the directory you just cloned.
• execute npm install to install the necessary dependencies.
• execute npm run dev to run the app in development mode.
• the application should be available at http://localhost:3000.

To build the app for production:

• follow the steps above to clone the repository and install dependencies.
• execute npm run build. This will create a build folder in your project directory.
• deploy the contents of the build folder to a web server. You should then be able to run the web app.

Questions / Suggestions

We are always open to ideas, comments, and suggestions regarding future versions of BlueHound, so if you have ideas, don’t hesitate to reach out to us at support@zeronetworks.com or open an issue/pull request on GitHub.

CMS (Content Management System) is very popular, easy to install and mostly setup once and forget by “admins”.

In general, there are quite serious vulnerabilities in popular CMS, as is the case with any software. Bugs are patched fairly quickly. Responsible companies

0 Disclaimer (The author did not participate in the XX action, don't trace it)

• This tool is only for legally authorized enterprise security construction behaviors and personal learning behaviors. If you need to test the usability of this tool, please build a target drone environment by yourself.

• When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.

We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.

If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.

Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.

Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.

1 Introduction

 _   __
|#| /#/ Lightweight Asset Mapping Tool by: kv2	
|#|/#/   _____  _____     *     _   _
|#.#/   /Edge/ /Forum|   /#\   |#\ |#|
|##|   |#|___  |#|      /###\  |##\|#|
|#.#\   \#####\|#|     /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/     \#\#| \#|

Kscan is an asset mapping tool that can perform port scanning, TCP fingerprinting and banner capture for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute force cracking on scan results, and is the first open source RDP brute force cracking tool on the go platform.

2 Foreword

At present, there are actually many tools for asset scanning, fingerprint identification, and vulnerability detection, and there are many great tools, but Kscan actually has many different ideas.

• Kscan hopes to accept a variety of input formats, and there is no need to classify the scanned objects before use, such as IP, or URL address, etc. This is undoubtedly an unnecessary workload for users, and all entries can be normal Input and identification. If it is a URL address, the path will be reserved for detection. If it is only IP:PORT, the port will be prioritized for protocol identification. Currently Kscan supports three input methods (-t,--target|-f,--fofa|--spy).

• Kscan does not seek efficiency by comparing port numbers with common protocols to confirm port protocols, nor does it only detect WEB assets. In this regard, Kscan pays more attention to accuracy and comprehensiveness, and only high-accuracy protocol identification , in order to provide good detection conditions for subsequent application layer identification.

• Kscan does not use a modular approach to do pure function stacking, such as a module obtains the title separately, a module obtains SMB information separately, etc., runs independently, and outputs independently, but outputs asset information in units of ports, such as ports If the protocol is HTTP, subsequent fingerprinting and title acquisition will be performed automatically. If the port protocol is RPC, it will try to obtain the host name, etc.

IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt

[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located

fofa search keywords: will directly return fofa search results

usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]


optional arguments:
  -h , --help     show this help message and exit
  -f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
  -t , --target Specify the detection target:
                  IP address: 114.114.114.114
                  IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
                  IP address range: 114.114.114.114-115.115.115.115
                  URL address: https://www.baidu.com
                  File address: file:/tmp/target.txt
  --spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
                  (empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
  --check Fingerprinting the target address, only port detection will not be performed
  --scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
  -p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
  -eP, --excluded-port skip scanning specified ports，support：80,8080,8088-8090
  -o , --output save scan results to file
  -oJ save the scan results to a file in json format
  -Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
  -Cn With this parameter, the console output will not be colored.
  -sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
  --top Scan the filtered common ports TopX, up to 1000, the default is TOP400
  --proxy set proxy (socks5|socks4|https|http)://IP:Port
  --threads thread parameter, the default thread is 100, the maximum value is 2048
  --path specifies the directory to request access, only a single directory is supported
  --host specifies the header Host value for all requests
  --timeout set timeout
  --encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
  --match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
  --hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
   --hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
   --hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
                  If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
   --hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
   --hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
   --fofa-syntax will get fofa search syntax description
   --fofa-size will set the number of entries returned by fofa, the default is 100
   --fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter

6.2 Survival network segment detection

6.3 Fofa result retrieval

6.4 Brute-force cracking

6.5 CDN identification

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. 

Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

• Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

• FOLIAGE
• x64 return address spoofing (source + explanation)

Other features and inspiration were taken from the following:

• https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/
• https://github.com/secidiot/TitanLdr
• https://github.com/JLospinoso/gargoyle
• https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
• https://www.arashparsa.com/hook-heaps-and-live-free/
• https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/
• https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures