The code at line 1104 is causing max.py to fail if I am using the dpat option.
num_pass_hashes_list.append([entry['row'][0], entry['row'][1], length, entry['row'][2], datetime.datetime.fromtimestamp(entry['row'][3])], )

The datetime conversion here fails, and causes the script to exit if a user's password is expired/marked to be changed at next logon. In AD, this flag being set will set the password's last change date to a blank entry and it appears to be what's throwing the script off

I double checked that this is the case by moving each of those variables and outputting them one at a time, and it only fails once it hits an an account where that flag was set. I need to test a change or two, but I think this could quickly be fixed by checking if entry['row'][3] is blank and,if so, setting the output to a different string rather than trying to convert the timestamp.

Here's a screen capture of the output (after adding two lines to also print usernames and the timestamp without conversion)

It seems like expired passwords in the .ntds / .dit file are maked with a timestamp of "-1" which is fails when passed to datetime. The following change resolves it, though I'm not sure if it's the best code-wise

try:

    num_pass_hashes_list.append([entry['row'][0], entry['row'][1], length, entry['row'][2], datetime.datetime.fromtimestamp(entry['row'][3])], )

except:

    num_pass_hashes_list.append([entry['row'][0], entry['row'][1], length, entry['row'][2], ''], )

In Windows having a > in a file name is not allowed resulting in it being )%.

The two cases where this is:
Inactive_Accounts_(Last_Used_)%_6mos_Ago)Cracked.html
Accounts_With_Passwords_Set)%_1yr_Ago_Cracked.html

The Report.html file links to the file name with > resulting in broken links.

Disclaimer - I by no means want to be that guy that makes a bunch of tool complaints. I have some time this month to help make these improvements.
This tool deserves recognition for how brilliant it is. Great job @knavesec !

1. Password_Length_Stats - This has the list of the number of users with a specific number character of password. So if 10 people have a password that is 9 characters. Problem is it does not filter out the disabled users.
   Request - Filter the amount of affected users by being enabled users. Right now it combines enabled and disabled users.

Using the query option to run the command directly, we get nothing back if you run the full original command. If you split the command into sub-sections, they run fine. The end result of this in live usage is no users getting mapped for DPAT.

https://github.com/knavesec/Max/blob/master/max.py#L736

┌──(venv)─(notroot㉿devbox)-[~/git/Max]
└─$ python3 max.py query -q "MATCH (u:User) WHERE u.name='[email protected]' OR (u.name STARTS WITH 'USERNAME@' AND u.objectid ENDS WITH '-25935')  RETURN u.name,u.objectid" 
/home/notroot/git/Max/max.py:16: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  from distutils.util import strtobool
                                                                                                                                                                                                                                            
┌──(venv)─(notroot㉿devbox)-[~/git/Max]
└─$ python3 max.py query -q "MATCH (u:User) WHERE u.name='[email protected]'  RETURN u.name,u.objectid" 
/home/notroot/git/Max/max.py:16: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  from distutils.util import strtobool
[email protected] - S-1-5-21-1214440339-1035525444-XXXXXXXXXX-25935
                                                                                                                                                                                                                                            
┌──(venv)─(notroot㉿devbox)-[~/git/Max]
└─$ python3 max.py query -q "MATCH (u:User) WHERE u.name STARTS WITH 'USERNAME@' AND u.objectid ENDS WITH '-25935'  RETURN u.name,u.objectid" 
/home/notroot/git/Max/max.py:16: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  from distutils.util import strtobool
[email protected] - S-1-5-21-1214440339-1035525444-XXXXXXXXXX-25935

I'm running on neo4j 5.1 and had to adjust a few things for Max to work again:

• neo4j URI is now /db/neo4j/tx/commit instead of /db/data/transaction/commit
• EXISTS(u.cracked) is not supported anymore, instead u.cracked IS NOT NULL must be used

Unfortunately I don't have time for a proper PR right now, hope this helps though

Problem: The following command:

python3 max.py -u neo4j -p pass --url http://127.0.0.1:7474 get-info --group-members "REMOTE DESKTOP USERS"

Returns the following error:

Traceback (most recent call last): File "max.py", line 650, in <module> main() File "max.py", line 622, in main get_info(args) File "max.py", line 235, in get_info query = query.format(enabled="") KeyError: 'name'

This happens regardless of the groups I try, all of which I have confirmed exist.

Thanks!

Current Version:

C:\Tools\Max\max.py:1474: SyntaxWarning: invalid escape sequence '\ ' max = """

Seems like ASCII art is throwing a warning.

Not an immediate fix, but I just wanted to give you a heads-up.

Thank you!

Just like a real pupper, Max gets disappointed if he brings you something and you ignore it. Unlike a pupper, Max immediately dies.

[+] Writing HTML files
[+] Report has been written to the "Report.html" file in the "/client/REDACTED/dpat/" directory
[+] Would you like to open the report now? [Y/n]
n
Traceback (most recent call last):
  File "/home/notroot/git/Max/max.py", line 1666, in <module>
    main()
  File "/home/notroot/git/Max/max.py", line 1658, in main
    dpat_func(args)
  File "/home/notroot/git/Max/max.py", line 1417, in dpat_func
    elif ((reponse == 'n') or (response == "no")):
NameError: name 'reponse' is not defined. Did you mean: 'response'?

Would it be possible to add a column that contains the password last changed field?

Hi,

when I run python3 max.py get-info --kerb I get a list of kerberoastable users.
However, running the pre-built BloodHound query "List all Kerberoastable Accounts" with python3 max.py query "MATCH (n:User) WHERE n.hasspn=true RETURN n" shows no results. The same holds true for all other Cypher queries I tried.

Do you have any idea why this happens?
Is there an easy way to troubleshoot this issue (error logs, etc.)?

It would be nice to have a breakout of the most common reused passwords like the original DPAT tool has.

title

max.py get-info --unsupported seems to omit some machines from the list of unsupported OS versus Bloodhound.

I had a case where bloodhound repported a machine with Windows XP Professional Service Pack 3 while max did not.

It would be nice to be able to stream data straight from a tool into Max to have it marked as owned, without having to write a file to disk.

Or maybe roll azure into existing queries? For some, this is already the case (like --hvt), but for some (like --users) Azure AD objects aren't included. Looking at the queries, this inconsistency seems to be more happenstance than an intentional decision.

Happy to write some queries for it, but not sure which approach is better here.