fox-it/LDAPFragger

Stars
181
Rank 212,110 (Top 5 %)
Language
C#
License
MIT License
Created over 4 years ago
Updated over 4 years ago

fox-it/LDAPFragger

fox-it

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

LDAPFragger

LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.

For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes

Dependencies and installation

Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well

Usage

 _     _              __
| |   | |            / _|
| | __| | __ _ _ __ | |_ _ __ __ _  __ _  __ _  ___ _ __
| |/ _` |/ _` | '_ \|  _| '__/ _` |/ _` |/ _` |/ _ \ '__|
| | (_| | (_| | |_) | | | | | (_| | (_| | (_| |  __/ |
|_|\__,_|\__,_| .__/|_| |_|  \__,_|\__, |\__, |\___|_|
              | |                   __/ | __/ |
              |_|                  |___/ |___/

Fox-IT - Rindert Kramer

Usage:
     --cshost:  IP address or hostname of the Cobalt Strike instance
     --csport:  Port of the external C2 interface on the Cobalt Strike server
     -u:        Username to connect to Active Directory
     -p:        Password to connect to Active Directory
     -d:        FQDN of the Active Directory domain
     --ldaps:   Use LDAPS instead of LDAP
     -v:        Verbose output
     -h:        Display  this message

If no AD credentials are provided, integrated AD authentication will be used.

Example usage:

From network segment A, run

LDAPFragger --cshost <Cobalt Strike IP> --csport <External listener port>

LDAPFragger --cshost <Cobalt Strike IP> --csport <External listener port> -u <username> -p <password> -d <domain FQDN>

From network segment B, run

LDAPFragger 

LDAPFragger -u <username> -p <password> -d <domain FQDN>

LDAPS can be used with the --LDAPS flag, however, regular LDAP traffic is encrypted as well. Please do note that the default Cobalt Strike payload will get caught by most AVs.

dissect

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

aclpwn.py

Active Directory ACL exploitation with BloodHound

log4j-finder

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

cve-2019-1040-scanner

dissect.cstruct_legacy

A no-nonsense c-like structure parsing library for Python

quantuminsert

mkYARA

Generating YARA rules based on binary code

linux-luks-tpm-boot

A guide for setting up LUKS boot with a key from TPM in Linux

Invoke-CredentialPhisher

bloodhound-import

Python based BloodHound data importer

dissect.cobaltstrike

Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles

danderspritz-evtx

Parse evtx files and detect use of the DanderSpritz eventlogedit module

cryptophp

CryptoPHP Indicators of Compromise

cobaltstrike-extraneous-space

Historical list of {Cobalt Strike,NanoHTTPD} servers

cobaltstrike-beacon-data

Open Dataset of Cobalt Strike Beacon metadata (2018-2022)

Jupyter Notebook

OpenSSH-Session-Key-Recovery

Project containing several tools/ scripts to recover the OpenSSH session keys used to encrypt/ decrypt SSH traffic.

acquire

acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.

OpenSSH-Network-Parser

Project to decrypt and parse SSH traffic

bro-scripts

Bro-IDS scripts

cisco-ios-xe-implant-detection

Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)

dissect.cstruct

A Dissect module implementing a parser for C-like structures.

operation-wocao

Operation Wocao - Indicators of Compromise

dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).

dll-hijacking-poc

A quick POC on how to embed a meterpreter in Firefox via DLL hijacking

citrix-netscaler-triage

Dissect triage script for Citrix NetScaler devices

Decrypt-TFSSecretVariables

ponmocup

Ponmocup Indicators of Compromise

signed-phishing-email

pcap-broker

PCAP-over-IP server written in Golang

mofang

Mofang Indicators of Compromise

spookyssl-pcaps

SpookySSL PCAPS and Network Coverage

dissect.esedb

A Dissect module implementing a parser for Microsofts Extensible Storage Engine Database (ESEDB), used for example in Active Directory, Exchange and Windows Update.

dissect-docs

Dissect documentation project

log4shell-pcaps

Log4Shell PCAPS and Network Coverage

dissect.evidence

A Dissect module implementing a parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.

dissect.ntfs

A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system.

dissect.eventlog

A Dissect module implementing parsers for the Windows EVT, EVTX and WEVT log file formats.

saitama-server

Server-side implementation for the Saitama implant, useful for detection engineering purposes

flow.record

Recordization library

django-auth-policy

Django Authentication Policy

psixbot

PsiXBot Indicators of Compromise

reasm

Extract parts of the malware and re-compile it on linux for decrypting stuff using same malware algorithms.

aws-lambda-kinesis-windowseventlog

AWS lambda to transform the json from AWS kinesis agent to useful json documents for elasticsearch

dissect.cim

A Dissect module implementing a parser for the Windows Common Information Model (CIM) database, used in the Windows operating system.

dissect.hypervisor

A Dissect module implementing parsers for various hypervisor disk, backup and configuration files.

Decrypt-OrchestratorSecretVariables

dissect.sql

A Dissect module implementing a parsers for the SQLite database file format, commonly used by applications to store configuration data.

blister-research

Scripts, YARA and IOCs from our research on the Blister malware 🩹

dissect.clfs

A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows.

dissect.volume

A Dissect module implementing a parser for different disk volume and partition systems, for example LVM2, GPT and MBR.

dissect.ole

A Dissect module implementing a parser for the Object Linking & Embedding (OLE) format, commonly used by document editors on Windows operating systems.

dissect.vmfs

Dissect module implementing a parser for the VMFS file system, used by VMware virtualization software.

dissect.regf

A Dissect module implementing a parser for Windows registry file format, used to store application and OS configuration on Windows operating systems.

Invoke-BadPwdCountSprayer

dissect.fat

A Dissect module implementing parsers for the FAT and exFAT file systems, commonly used on flash memory based storage devices and UEFI partitions.

dissect.shellitem

A Dissect module implementing a parser for the Shellitem structures, commonly used by Microsoft Windows.

dissect.util

A Dissect module implementing various utility functions for the other Dissect modules.

dissect.ffs

A Dissect module implementing a parser for the FFS file system, commonly used by BSD operating systems.

dissect.xfs

A Dissect module implementing a parser for the XFS file system, commonly used by RedHat Linux distributions.

dissect-workflow-templates

Workflow templates for the dissect projects

dissect_legacy

Namespace and collection package for all dissect projects

dissect.extfs

A Dissect module implementing a parser for the ExtFS file system, the native filesystem for Linux operating systems.

dissect.btrfs

A Dissect module implementing a parser for the btrfs file system.

dissect.etl

A Dissect module implementing a parser for Event Trace Log (ETL) files, used by the Windows operating system to log kernel events.