SMB, Exchange (OWA/EWS), SMTP (NTLM) support
Hello!
I'm loving this project, but given how often I encounter the above protocols, is there a consideration or timeline for authentication via the following protocols?
- [x] SMB (tcp/445), standalone auth and domain
- [x] Exchange (tcp/443), via HTTPS to https://exchange-server/owa
- [x] Exchange (tcp/443), via HTTPS with BASIC auth to https://exchange-server/ews
- [ ] SMTP (tcp/25), to Exchange servers with NTLM authentication (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smtpntlm/a048c79f-7597-401b-bcb4-521d682de765)
Sorry to make an issue for a wish list, but I think the above protocols could get this project even more traction as well.
Cheers!
Hey! So for the consideration:
SMB - I have a semi-finished prototype for SMB, but it's relying on libsmbclient and I'm trying to keep the C/unsafe dependencies to the minimum. I'm not super happy with the current implementation as it makes cross compilation challenging, but I'll probably end up releasing it as it is if I can't find alternative solutions.
Exchange - the main challenge here is creating docker containers or VMs that i can use for testing while I develop the module, as I have almost no experience with MS things. Do you have any suggestion for this? Ideally I'd need a one-command solution that'd bring up an already configured env I can test with.
BTW issues are also for feature requests, so no problem here! Thanks for the feedback actually
SMB pushed!
Hmm, there's a few ways to build out Exchange in an automated fashion. I can help you build out your own if you like, or provide a working set of VMs, or point you at resources like https://automatedlab.org/en/latest/ if that's an option for you. Exchange is a bit tricky.
Great to hear about SMB! Thank you :D
@jeffmcjunkin it's not super clear to me if I can use the automatedlab tool to create and run VMs on bare metal ... ? Do you have specific quick&dirty guides on how to set up an Exchange VM on virtualbox/vmware/qemu? Thank you so much for your help, as I said I have very little experience on Microsoft envs and was leaving out a lot of protocols due to how difficult it is to bring up a test env :D
@jeffmcjunkin it turns out that the http module can already be used for the OWA endpoint. Here's the command line I used for the VM you provided:
```sh
legba http \
    -T "https://bahamut.local/owa/auth.owa" \
    -U "LEGBA\jeff" \
    -P data/wordlist.txt \
    --http-method POST \
    --http-payload 'destination=https://bahamut.local/&flags=4&username={USERNAME}&password={PASSWORD}' \
    --http-success-codes 302 \
    --http-success-string 'set-cookie'
```
Notice that the "destination" POST variable has to be a valid URL containing the Exchange server host. On successful login, the server will respond with a 302 redirect and a Set-Cookie header.
The EWS endpoint is using NTLMv2 negotiation via http basic auth. This is already supported by the HTTP module:
```sh
legba http.ntlm2 \
    --http-ntlm-domain LEGBA \
    -U jeff \
    -P data/wordlist.txt \
    -T "https://bahamut.local/ews" \
    --http-success-codes "200, 500"
```
Notice how in my setup I had to include a 500 response as success since I get this after logging in:
NOTE: The EWS endpoint, at least in my setup, seems to be a bit unreliable for bruteforcing. I don't know if it's related to the 500 error or there's some rate limiting going on there, but sometimes I get a "401 Unauthorized" response for valid credentials. So I think using OWA is the way to go against MS Exchange :D
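Added defender-side example, not code from legba or from anyone in this thread: the two endpoints discussed above (form POSTs to /owa/auth.owa, and /ews answering 401 to bad credentials) leave a distinctive trail in IIS logs, and this script flags client IPs that hit either one in a burst. The IIS W3C log excerpt, IPs, threshold and window are all constructed assumptions.

```python
"""Flag OWA/EWS credential-guessing bursts in IIS W3C logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt; the #Fields header declares the column order.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-01 10:00:01 POST /owa/auth.owa - 203.0.113.7 302
2024-01-01 10:00:02 POST /owa/auth.owa - 203.0.113.7 302
2024-01-01 10:00:03 POST /owa/auth.owa - 203.0.113.7 302
2024-01-01 10:00:04 GET /owa/ - 198.51.100.9 200
2024-01-01 10:00:05 POST /ews/exchange.asmx - 203.0.113.7 401
2024-01-01 10:00:06 POST /ews/exchange.asmx - 203.0.113.7 401
2024-01-01 10:30:00 POST /owa/auth.owa - 198.51.100.9 302
"""

def parse_iis(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip malformed rows
                yield dict(zip(fields, parts))

def is_auth_attempt(row):
    """OWA form login POSTs count regardless of status (success and failure both
    redirect); under /ews only rejected (401) requests count."""
    uri = row["cs-uri-stem"].lower()
    if row["cs-method"] == "POST" and uri == "/owa/auth.owa":
        return True
    return uri.startswith("/ews") and row["sc-status"] == "401"

def find_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: peak attempts} for IPs reaching threshold within window."""
    stamps = defaultdict(list)
    for row in parse_iis(text):
        if is_auth_attempt(row):
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            stamps[row["c-ip"]].append(ts)
    alerts = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0                              # sliding-window left edge
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

Tune `threshold` and `window` to the tenant's normal OWA/EWS traffic; the sample flags 203.0.113.7 with five attempts inside a minute while the single login from 198.51.100.9 stays quiet.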