Polishing it up

mb 2019-11-20 00:32:33 +01:00
parent c4a674ef6f
commit 83ca7c3c77
2 changed files with 47 additions and 39 deletions


@ -28,41 +28,48 @@ victim's premises or to aid Password-Spraying efforts against exposed OWA
interface. interface.
Sample run: Sample run:
``` ```
user@host:~/ $ python3 mail.example.com PS D:\> python3 .\exchangeRecon.py 10.10.10.9
Hostname: mail.example.com :: Exchange Reconnaisance Toolkit
Tries to obtain internal IP address, Domain name and other clues by talking to Exchange
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
v0.1
======[ Leaked clues about internal environment ]======
Hostname: 10.10.10.9
*) SSL Certificate Subject components: *) SSL Certificate Subject components:
CN = mail.example.com CN = EXCH01
*) Outlook Web App version leaked in OWA HTML source: *) Outlook Web App version leaked in OWA HTML source:
14.0.639.21 15.0.847
(Exchange Server 2010 RTM; November 9, 2009; 14.0.639.21 14.00.0639.021) (Exchange Server 2013 SP1; February 25, 2014; 15.0.847.32 15.00.0847.032)
*) IIS Version: *) IIS Version:
Microsoft-IIS/7.5 Microsoft-IIS/8.5
*) ASP.Net Version: *) ASP.Net Version:
2.0.50727 4.0.30319
*) Leaked Internal IP address: *) Leaked Internal IP address:
10.10.13.250 10.10.10.9
*) Leaked Internal Domain name in NTLM challenge packet: *) Leaked Internal Domain name in NTLM challenge packet:
Target Name: EXAMPLE Target Name: BANK
Context: Context:
Target: Target:
AD domain name : EXAMPLE.LOCAL AD domain name : BANK
Server name : EX05 Server name : EXCH01
DNS domain name : example.local DNS domain name : bank.corp
FQDN : ex05.example.local FQDN : EXCH01.bank.corp
Parent DNS domain : example.local Parent DNS domain : bank.corp
Server Timestamp : 19-11-18 Mon 16:06:53 UTC Server Timestamp : 19-11-19 Tue 23:21:46 UTC
OS Ver: ???????? OS Ver: ????????
Flags: Flags: - Negotiate Unicode
- Negotiate Unicode
- Request Target - Request Target
- Negotiate NTLM - Negotiate NTLM
- Negotiate Always Sign - Negotiate Always Sign
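Review bot: the banner line in the new sample run misspells "Reconnaissance" as "Reconnaisance"; if this was pasted from the tool's own banner, the string in exchangeRecon.py needs the same fix, not only the README. The new sample also replaces the RFC-reserved placeholders (mail.example.com, EXAMPLE.LOCAL, ex05.example.local) with values that read like a real run (EXCH01, bank.corp, 10.10.10.x, an actual server timestamp); keeping README samples on reserved example names avoids committing anything from a live environment to the repository. Finally, the flags block now opens with `Flags: - Negotiate Unicode` on one line while every other flag sits on its own line, unlike the old sample; either the first item lost its line break when pasting or the output needs the same leading separator for the first flag as for the rest.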
@ -73,15 +80,15 @@ Hostname: mail.example.com
- Negotiate 128 - Negotiate 128
- Negotiate 56 - Negotiate 56
*) Exchange supports legacy SMTP and returns following unusual capabilities: *) Exchange supports legacy SMTP and returns following unusual capabilities:
mail.example.com Hello [192.168.0.100] EXCH01.bank.corp Hello [10.10.10.1]
- 250-XEXCH50 - This server supports the following commands:
- 250-XRDST - AUTH
- XSHADOW
*) Results for SMTP User Enumeration attempts: *) Results for SMTP User Enumeration attempts:
- [-] MAIL FROM:<test@[192.168.0.100]> returned: (501, "5.1.7 Invalid address") - [-] MAIL FROM:<test@[10.10.10.9]> returned: (501, "5.1.7 Invalid address")
- [-] RCPT TO:<test@[192.168.0.100]> returned: (503, "5.5.2 Need mail command") - [-] RCPT TO:<test@[10.10.10.9]> returned: (503, "5.5.2 Need mail command")
- [+] VRFY root returned: (252, "2.1.5 Cannot VRFY user") - [+] VRFY root returned: (252, "2.1.5 Cannot VRFY user")
- [-] EXPN root returned: (502, "5.3.3 Command not implemented") - [-] EXPN root returned: (502, "5.3.3 Command not implemented")
``` ```
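Review bot: the "unusual capabilities" list in the new sample still shows `- This server supports the following commands:` even though this same commit adds that string to the filter tuple in exchangeRecon.py, so either the sample was captured before the code change or the new filter entry is not matching; regenerate the sample once the filter is confirmed to work. `AUTH` is also listed there, but a bare AUTH advertisement is a standard ESMTP capability (RFC 4954) rather than an Exchange-specific clue, so it is a candidate for the same filtered set.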


@ -1068,6 +1068,7 @@ class ExchangeRecon:
'GSSAPI', 'GSSAPI',
'X-EXPS', 'X-EXPS',
'X-ANONYMOUSTLS', 'X-ANONYMOUSTLS',
'This server supports the following commands'
) )
unfiltered = set() unfiltered = set()
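Review bot: the new filter entry `'This server supports the following commands'` has no trailing colon, while the line as shown in the README sample in this same commit does (`This server supports the following commands:`); if the tuple is checked by equality rather than by a prefix or substring test, this entry will never match, which would explain why the line still appears in the updated sample. Either include the colon or confirm how the tuple is compared. Also add a trailing comma after the new element, matching the entries above it, so the next addition to the tuple is a one-line diff.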
@ -1082,7 +1083,7 @@ class ExchangeRecon:
if len(unfiltered): if len(unfiltered):
self.results["Exchange supports legacy SMTP and returns following unusual capabilities"] = '\n\t- '.join(unfiltered) self.results["Exchange supports legacy SMTP and returns following unusual capabilities"] = '\t- ' + '\n\t- '.join(unfiltered)
try: try:
server.quit() server.quit()
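Review bot: `unfiltered` is a set, so `'\n\t- '.join(unfiltered)` emits the capabilities in arbitrary order and the report for the same target differs between runs; `'\n\t- '.join(sorted(unfiltered))` gives stable output that can be diffed across scans. The line is also very long after adding the `'\t- ' +` prefix and would read better built in a local variable before the assignment. Minor: `if len(unfiltered):` can simply be `if unfiltered:`.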