mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Pollishing it up
This commit is contained in:
mb
parent
c4a674ef6f
commit
83ca7c3c77
@ -28,62 +28,69 @@ victim's premises or to aid Password-Spraying efforts against exposed OWA
|
|||||||
interface.
|
interface.
|
||||||
|
|
||||||
Sample run:
|
Sample run:
|
||||||
|
|
||||||
```
|
```
|
||||||
user@host:~/ $ python3 mail.example.com
|
PS D:\> python3 .\exchangeRecon.py 10.10.10.9
|
||||||
|
|
||||||
Hostname: mail.example.com
|
:: Exchange Reconnaisance Toolkit
|
||||||
|
Tries to obtain internal IP address, Domain name and other clues by talking to Exchange
|
||||||
|
Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
|
||||||
|
v0.1
|
||||||
|
|
||||||
|
|
||||||
|
======[ Leaked clues about internal environment ]======
|
||||||
|
|
||||||
|
|
||||||
|
Hostname: 10.10.10.9
|
||||||
|
|
||||||
*) SSL Certificate Subject components:
|
*) SSL Certificate Subject components:
|
||||||
CN = mail.example.com
|
CN = EXCH01
|
||||||
|
|
||||||
*) Outlook Web App version leaked in OWA HTML source:
|
*) Outlook Web App version leaked in OWA HTML source:
|
||||||
14.0.639.21
|
15.0.847
|
||||||
(Exchange Server 2010 RTM; November 9, 2009; 14.0.639.21 14.00.0639.021)
|
(Exchange Server 2013 SP1; February 25, 2014; 15.0.847.32 15.00.0847.032)
|
||||||
|
|
||||||
*) IIS Version:
|
*) IIS Version:
|
||||||
Microsoft-IIS/7.5
|
Microsoft-IIS/8.5
|
||||||
|
|
||||||
*) ASP.Net Version:
|
*) ASP.Net Version:
|
||||||
2.0.50727
|
4.0.30319
|
||||||
|
|
||||||
*) Leaked Internal IP address:
|
*) Leaked Internal IP address:
|
||||||
10.10.13.250
|
10.10.10.9
|
||||||
|
|
||||||
*) Leaked Internal Domain name in NTLM challenge packet:
|
*) Leaked Internal Domain name in NTLM challenge packet:
|
||||||
Target Name: EXAMPLE
|
Target Name: BANK
|
||||||
Context:
|
Context:
|
||||||
Target:
|
Target:
|
||||||
AD domain name : EXAMPLE.LOCAL
|
AD domain name : BANK
|
||||||
Server name : EX05
|
Server name : EXCH01
|
||||||
DNS domain name : example.local
|
DNS domain name : bank.corp
|
||||||
FQDN : ex05.example.local
|
FQDN : EXCH01.bank.corp
|
||||||
Parent DNS domain : example.local
|
Parent DNS domain : bank.corp
|
||||||
Server Timestamp : 19-11-18 Mon 16:06:53 UTC
|
Server Timestamp : 19-11-19 Tue 23:21:46 UTC
|
||||||
OS Ver: ????????
|
OS Ver: ????????
|
||||||
Flags:
|
Flags: - Negotiate Unicode
|
||||||
- Negotiate Unicode
|
- Request Target
|
||||||
- Request Target
|
- Negotiate NTLM
|
||||||
- Negotiate NTLM
|
- Negotiate Always Sign
|
||||||
- Negotiate Always Sign
|
- Target Type Domain
|
||||||
- Target Type Domain
|
- Negotiate NTLM2 Key
|
||||||
- Negotiate NTLM2 Key
|
- Negotiate Target Info
|
||||||
- Negotiate Target Info
|
- unknown
|
||||||
- unknown
|
- Negotiate 128
|
||||||
- Negotiate 128
|
- Negotiate 56
|
||||||
- Negotiate 56
|
|
||||||
|
|
||||||
*) Exchange supports legacy SMTP and returns following unusual capabilities:
|
*) Exchange supports legacy SMTP and returns following unusual capabilities:
|
||||||
mail.example.com Hello [192.168.0.100]
|
EXCH01.bank.corp Hello [10.10.10.1]
|
||||||
- 250-XEXCH50
|
- This server supports the following commands:
|
||||||
- 250-XRDST
|
- AUTH
|
||||||
- XSHADOW
|
|
||||||
|
|
||||||
*) Results for SMTP User Enumeration attempts:
|
*) Results for SMTP User Enumeration attempts:
|
||||||
- [-] MAIL FROM:<test@[192.168.0.100]> returned: (501, "5.1.7 Invalid address")
|
- [-] MAIL FROM:<test@[10.10.10.9]> returned: (501, "5.1.7 Invalid address")
|
||||||
- [-] RCPT TO:<test@[192.168.0.100]> returned: (503, "5.5.2 Need mail command")
|
- [-] RCPT TO:<test@[10.10.10.9]> returned: (503, "5.5.2 Need mail command")
|
||||||
- [+] VRFY root returned: (252, "2.1.5 Cannot VRFY user")
|
- [+] VRFY root returned: (252, "2.1.5 Cannot VRFY user")
|
||||||
- [-] EXPN root returned: (502, "5.3.3 Command not implemented")
|
- [-] EXPN root returned: (502, "5.3.3 Command not implemented")
|
||||||
```
|
```
|
||||||
|
|
||||||
- **`host-scanner-via-udp.py`** - Running Hosts scanner leveraging ICMP Destination Unreachable response upon UDP closed port packet. Requires root/Administrator privileges. ([gist](https://gist.github.com/mgeeky/eae20db2d3dd4704fc6f04ea233bca9c))
|
- **`host-scanner-via-udp.py`** - Running Hosts scanner leveraging ICMP Destination Unreachable response upon UDP closed port packet. Requires root/Administrator privileges. ([gist](https://gist.github.com/mgeeky/eae20db2d3dd4704fc6f04ea233bca9c))
|
||||||
|
|||||||
@ -1068,6 +1068,7 @@ class ExchangeRecon:
|
|||||||
'GSSAPI',
|
'GSSAPI',
|
||||||
'X-EXPS',
|
'X-EXPS',
|
||||||
'X-ANONYMOUSTLS',
|
'X-ANONYMOUSTLS',
|
||||||
|
'This server supports the following commands'
|
||||||
)
|
)
|
||||||
|
|
||||||
unfiltered = set()
|
unfiltered = set()
|
||||||
@ -1082,7 +1083,7 @@ class ExchangeRecon:
|
|||||||
|
|
||||||
|
|
||||||
if len(unfiltered):
|
if len(unfiltered):
|
||||||
self.results["Exchange supports legacy SMTP and returns following unusual capabilities"] = '\n\t- '.join(unfiltered)
|
self.results["Exchange supports legacy SMTP and returns following unusual capabilities"] = '\t- ' + '\n\t- '.join(unfiltered)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
server.quit()
|
server.quit()
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user