LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.
For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes
.NET 4.0, but may work with older and newer .NET frameworks as well_ _ _ | | | | / |
| | | | _ _ _ | | _ _ _ _ _ _ _ _
| |/ |/ _ | ‘ | | ‘/ |/ _ |/ ` |/ \ ‘|
| | (| | (| | |) | | | | | (| | (| | (| | / | ||_,|_,| ./|| || _,|_, |__, |___|| | | / | / | || |/ |/
Fox-IT – Rindert Kramer
Usage:
–cshost: IP address or hostname of the Cobalt Strike instance
–csport: Port of the external C2 interface on the Cobalt Strike server
-u: Username to connect to Active Directory
-p: Password to connect to Active Directory
-d: FQDN of the Active Directory domain
–ldaps: Use LDAPS instead of LDAP
-v: Verbose output
-h: Display this message
If no AD credentials are provided, integrated AD authentication will be used.
From network segment A, run
LDAPFragger –cshost –csport
LDAPFragger –cshost –csport -u -p -d
From network segment B, run
LDAPFragger
LDAPFragger -u -p -d
LDAPS can be used with the --LDAPS flag, however, regular LDAP traffic is encrypted as well. Please do note that the default Cobalt Strike payload will get caught by most AVs.
Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…
Introduction In the vast ocean of the internet, the most powerful tool you already have…
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…