LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.
For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes
.NET 4.0, but may work with older and newer .NET frameworks as well_ _ _ | | | | / |
| | | | _ _ _ | | _ _ _ _ _ _ _ _
| |/ |/ _ | ‘ | | ‘/ |/ _ |/ ` |/ \ ‘|
| | (| | (| | |) | | | | | (| | (| | (| | / | ||_,|_,| ./|| || _,|_, |__, |___|| | | / | / | || |/ |/
Fox-IT – Rindert Kramer
Usage:
–cshost: IP address or hostname of the Cobalt Strike instance
–csport: Port of the external C2 interface on the Cobalt Strike server
-u: Username to connect to Active Directory
-p: Password to connect to Active Directory
-d: FQDN of the Active Directory domain
–ldaps: Use LDAPS instead of LDAP
-v: Verbose output
-h: Display this message
If no AD credentials are provided, integrated AD authentication will be used.
From network segment A, run
LDAPFragger –cshost –csport
LDAPFragger –cshost –csport -u -p -d
From network segment B, run
LDAPFragger
LDAPFragger -u -p -d
LDAPS can be used with the --LDAPS flag, however, regular LDAP traffic is encrypted as well. Please do note that the default Cobalt Strike payload will get caught by most AVs.
Imagine if you had a super-powered assistant who could automatically handle all the boring, repetitive…
Managing files efficiently is a core skill for anyone working in Linux, whether you're a…
Open ports act as communication endpoints between your Linux system and the outside world. Every…
Introduction In today’s cyber threat landscape, protecting endpoints such as computers, smartphones, and tablets from…
Introduction In today's fast-paced cybersecurity landscape, incident response is critical to protecting businesses from cyberattacks.…
Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…