Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fox-it/LDAPFragger
https://github.com/fox-it/LDAPFragger
Last synced: 21 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/fox-it/LDAPFragger
- Owner: fox-it
- License: mit
- Created: 2020-03-19T08:32:38.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-03-19T10:13:44.000Z (over 4 years ago)
- Last Synced: 2024-08-05T17:26:00.295Z (4 months ago)
- Language: C#
- Size: 73.2 KB
- Stars: 190
- Watchers: 11
- Forks: 28
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - fox-it/LDAPFragger - (C# #)
README
# LDAPFragger
LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.
For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes
## Dependencies and installation
* Compiled with `.NET 4.0`, but may work with older and newer .NET frameworks as well## Usage
```
_ _ __
| | | | / _|
| | __| | __ _ _ __ | |_ _ __ __ _ __ _ __ _ ___ _ __
| |/ _` |/ _` | '_ \| _| '__/ _` |/ _` |/ _` |/ _ \ '__|
| | (_| | (_| | |_) | | | | | (_| | (_| | (_| | __/ |
|_|\__,_|\__,_| .__/|_| |_| \__,_|\__, |\__, |\___|_|
| | __/ | __/ |
|_| |___/ |___/Fox-IT - Rindert Kramer
Usage:
--cshost: IP address or hostname of the Cobalt Strike instance
--csport: Port of the external C2 interface on the Cobalt Strike server
-u: Username to connect to Active Directory
-p: Password to connect to Active Directory
-d: FQDN of the Active Directory domain
--ldaps: Use LDAPS instead of LDAP
-v: Verbose output
-h: Display this messageIf no AD credentials are provided, integrated AD authentication will be used.
```Example usage:
![](https://foxitsecurity.files.wordpress.com/2020/03/9.png?w=607)
From network segment A, run
```
LDAPFragger --cshost --csportLDAPFragger --cshost --csport -u -p -d
```From network segment B, run
```
LDAPFraggerLDAPFragger -u -p -d
```LDAPS can be used with the `--LDAPS` flag, however, regular LDAP traffic is encrypted as well. Please do note that the default Cobalt Strike payload will get caught by most AVs.