{"id":13649629,"url":"https://github.com/urbanesec/ZackAttack","last_synced_at":"2025-04-22T14:32:13.245Z","repository":{"id":3816681,"uuid":"4896792","full_name":"urbanesec/ZackAttack","owner":"urbanesec","description":"Unveiled at DEF CON 20, NTLM Relaying to ALL THE THINGS!","archived":false,"fork":false,"pushed_at":"2016-08-06T19:22:18.000Z","size":420,"stargazers_count":258,"open_issues_count":55,"forks_count":73,"subscribers_count":48,"default_branch":"master","last_synced_at":"2024-11-10T00:33:11.381Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/urbanesec.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-07-05T02:51:19.000Z","updated_at":"2024-08-12T19:11:02.000Z","dependencies_parsed_at":"2022-07-07T16:40:17.441Z","dependency_job_id":null,"html_url":"https://github.com/urbanesec/ZackAttack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/urbanesec%2FZackAttack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/urbanesec%2FZackAttack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/urbanesec%2FZackAttack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/urbanesec%2FZackAttack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/urbanesec","download_url":"https://codeload.github.com/urbanesec/ZackAttack/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kin
d":"github","repositories_count":250259131,"owners_count":21401045,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:21.480Z","updated_at":"2025-04-22T14:32:08.227Z","avatar_url":"https://github.com/urbanesec.png","language":"Ruby","readme":"=====\nZackAttack! - Relaying NTLM Like Nobody's Business\n=====\n\n\n=======\nWTF Is This?\n=======\n\ntl;dr version - ZackAttack! is a new Tool Set to do NTLM Authentication relaying unlike any other tool currently out there.\n\n=\nSo how is ZackAttack! different / better? Compared to other tools...\n=\n\n - Supports NTLMv2 :)\n - Brings up external impact for NTLM by relaying to external Exchange Web Services servers ( think mobile phone users :) )\n - Custom Rogue HTTP and SMB Server funneling into a single pooled source and knows who the user is and keeps them authenticating without closing the socket\n - Rule based logic to auto-perform actions upon seeing a user belonging to a group. 
When no rule exists, the rogue server holds on to the auth session as long as possible until a rule or api request comes in.\n - Auto / Guided generation to creating methods to get users to auto-authenticate without interaction\n - New methods for client auto authentication including getting FF/Chrome to auto-auth via UNC SMB shares (similar to IE)\n - Relaying to LDAP (critical for relaying to Domain Controllers), Exchange Web Services, and soon mssql.\n - SOCKS proxy to allow NTLM relay attacks with your favorite tools (proxychains smbclient....etc)\n - Focuses on not just popping the shells that traditional relays do, but leveraging dumb users as well and getting data through them.\n \nSo much for tl;dr ;) The goal? A Firesheep-esque tool for relaying NTLM auths\n\n=\nHow do I Get Started\n=\n\n1) ruby zackattack.rb \n\n2) open your favorite browser to http://zf:zf@localhost:4531/ \n\n3) ..... \n\n4) PROFIT! Or not. It's alpha still. \n\nCode is written for ruby1.9 but should work with 1.8. Requires net/http(s) and webrick rubygems\n\n=\nSo What Are the Components\n=\n\nThe Rogue Servers - HTTP and SMB. These get the auth requests and keep recycling them \n\nThe Clients - These connect to target servers and request NTLM creds from the Rogue Servers \n\nThe Rules - Define auto actions to perform upon seeing a user. \n\nThe Payloads - Methods to get users to autoauth with Integrated Windows Auth ergo not prompting the user for auth.\n\n=\nXYZ Doesn't work\n=\n\nI'm sure it doesn't ;) I don't always code in ruby, but when i do, i make sure to introduce as many bugs as possible :)\n\nSubmit as much info as you can (comfortably) to the issues page. Please try to get a wireshark / pcap capture if it's a client issue. If it contains sensitive data (i.e. ntlm creds of a client) let me know and we can work around that if possible.\n\nFeature request? I want to hear it! 
Check the todo file and see if i already mentioned it in there, otherwise submit!\n\nI'll fill in more details later....","funding_links":[],"categories":["Table of Contents"],"sub_categories":["Penetration Testing Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Furbanesec%2FZackAttack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Furbanesec%2FZackAttack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Furbanesec%2FZackAttack/lists"}