LDAPFragger - Command And Control Tool That Enables Attackers To Route Cobalt Strike Beacon Data Over LDAP



LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes.

For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes


Dependencies and installation

  • Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well

Usage

     _     _              __
    | |   | |            / _|
    | | __| | __ _ _ __ | |_ _ __ __ _  __ _  __ _  ___ _ __
    | |/ _` |/ _` | '_ \|  _| '__/ _` |/ _` |/ _` |/ _ \ '__|
    | | (_| | (_| | |_) | | | | | (_| | (_| | (_| |  __/ |
    |_|\__,_|\__,_| .__/|_| |_|  \__,_|\__, |\__, |\___|_|
                  | |                   __/ | __/ |
                  |_|                  |___/ |___/

    Fox-IT - Rindert Kramer

    Usage:
      --cshost:  IP address or hostname of the Cobalt Strike instance
      --csport:  Port of the external C2 interface on the Cobalt Strike server
      -u:        Username to connect to Active Directory
      -p:        Password to connect to Active Directory
      -d:        FQDN of the Active Directory domain
      --ldaps:   Use LDAPS instead of LDAP
      -v:        Verbose output
      -h:        Display this message

    If no AD credentials are provided, integrated AD authentication will be used.

Example usage:

From network segment A, run

    LDAPFragger --cshost  --csport
    LDAPFragger --cshost  --csport  -u  -p  -d

From network segment B, run

    LDAPFragger
    LDAPFragger -u  -p  -d

LDAPS can be used with the --LDAPS flag; however, regular LDAP traffic is encrypted as well. Note that the default Cobalt Strike payload will get caught by most AVs.
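For defenders: a channel that carries data in user attributes, as described above, has to rewrite those attributes repeatedly, which Directory Service Changes auditing records as event 5136. The following detection sketch is an added example, not part of LDAPFragger or the original page; it flags accounts that write the same attribute of one user object many times inside a sliding window. It assumes 5136 events exported as JSON lines with the field names shown, and the function names, threshold, window and sample events are all constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input (not from the original page): event 5136 records as JSON lines.
VALUE_ADDED = {"%%14674", "Value Added"}  # 5136 OperationType for a write

def find_chatty_writers(lines, window=timedelta(minutes=5), threshold=20):
    """Return (subject, object_dn, attribute, peak) for repeated attribute writes."""
    writes = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
            if (ev["EventID"] != 5136 or ev["ObjectClass"] != "user"
                    or ev["OperationType"] not in VALUE_ADDED):
                continue
            key = (ev["SubjectUserName"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
            writes[key].append(datetime.fromisoformat(ev["TimeCreated"]))
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
    hits = []
    for key, times in writes.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((*key, peak))
    return sorted(hits, key=lambda h: -h[3])

def constructed_sample():
    """Constructed events: one noisy writer, one ordinary helpdesk edit."""
    base = datetime(2020, 3, 19, 10, 0, 0)
    def ev(sec, who, dn, attr):
        return json.dumps({
            "EventID": 5136, "ObjectClass": "user", "OperationType": "%%14674",
            "SubjectUserName": who, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr,
            "TimeCreated": (base + timedelta(seconds=sec)).isoformat()})
    dn = "CN=%s,OU=Staff,DC=example,DC=test"
    # Attribute names are placeholders, not a claim about any tool's behaviour.
    noisy = [ev(5 * i, "user1", dn % "user1", "description") for i in range(30)]
    normal = [ev(600 * i, "helpdesk1", dn % "alice", "telephoneNumber") for i in range(2)]
    return noisy + normal + ["not json"]

if __name__ == "__main__":
    print(find_chatty_writers(constructed_sample()))
```

Tune the window and threshold against a baseline of normal directory changes, since provisioning and sync jobs also write attributes in bursts.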