TOOLS

Check for LDAP protections regarding the relay of NTLM authentication

Checks whether Domain Controllers enforce LDAP channel binding and LDAP server signing requirements — two key protections against NTLM relay attacks targeting LDAP/S. LDAPS channel binding can be checked unauthenticated; LDAP signing checks require valid domain credentials. Supports Docker deployment and SOCKS proxy for use through C2.

Python

BOF and Python3 implementation of a technique to unbind 445/tcp on Windows via SCM interactions

Unbinds and rebinds 445/tcp on Windows without loading a driver, injecting a module into LSASS, or rebooting the host — easing SMB-based NTLM relay operations over C2. Available as both a Python implementation and a Beacon Object File (BOF), using RPC over TCP to interact with the Server Service.

C++

Python and BOF utilities to determine EPA enforcement levels of popular NTLM relay targets

Determines Extended Protection for Authentication (EPA) enforcement levels of popular NTLM relay targets from an offensive perspective. Helps inform relay setup by identifying services where EPA could block relay attacks. Available as both Python and BOF implementations.

C

Golang search engine scraper intended for identification of published ClickOnce deployments

A web scraper that uses chromedp and HTTP requests to find published ClickOnce applications via Google and Swisscows search engines. Supports AWS API Gateway IP rotation to avoid rate limiting and HTTP proxy for routing traffic.

Go

CVE-2020-0688 PoC

Scans for and exploits CVE-2020-0688 against on-premises Exchange servers. Includes three functions: scan (cookie extraction + version check), generate (ysoserial payload creation), and exploit (authenticated remote code execution via deserialization).

Go