利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware.


 CVE-2021-43936 CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware. This vulnerability w





Jeremiasz Pluta
 8  Jul 05, 2022









 A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file


 A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o






 2  Nov 09, 2022









Osint-Tool - Information collection tool in python


 Osint-Tool Herramienta para la recolección de información Pronto más opciones In






 3  Apr 09, 2022









Visius Heimdall is a tool that checks for risks on your cloud infrastructure


 Heimdall Cloud Checker 🇧🇷 About Visius is a Brazilian cybersecurity startup that follows the signs of the crimson thunder ;) 🎸 ! As we value open s





visius
 48  Jun 20, 2022









This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks.


 This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks. The goal is to successfully use this notebook project below with Security Onion for beacon detection 






 4  Jun 08, 2022









Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.


 Log4jHorizon Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more. BLOG COMING SOON Code and README.md this time around are 






 96  Dec 14, 2022









Complet and easy to run Port Scanner with Python


 Port_Scanner Complet and easy to run Port Scanner with Python Installation 1- git clone https://github.com/s120000/Port_Scanner 2- cd Port_Scanner 3- 






 1  May 19, 2022









A collection of write-ups and solutions for Cyber FastTrack Spring 2021.


 IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition - 





Alice
 48  Aug 28, 2022









A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms.


 MacPer A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms. Not all of the exploits directly sp






 20  Nov 30, 2022









Web-eyes - OSINT tools for website research


 WEB-EYES V1.0 web-eyes: OSINT tools for website research, 14 research methods ar






 8  Nov 10, 2022









Python lib to automate basic QFT calculations like Wick-contractions.


 QFTools Python lib to automate basic QFT calculations like Wick-contractions. Features Wick contractions for real scalar fields Wick contractions for 






 2  Aug 21, 2022









HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.


 HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu





EntySec
 100  Dec 23, 2022









D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.


 Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation 





Banny
 30  Dec 06, 2022









Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)


 VSSTrigger Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VS





Filip Dragovic
 6  Jul 24, 2022









MSDorkDump is a Google Dork File Finder that queries a specified domain name and variety of file extensions


 MSDorkDump is a Google Dork File Finder that queries a specified domain name and variety of file extensions (pdf, doc, docx, etc), and downloads them.





Joe Helle
 150  Jan 03, 2023









PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github


 CVE-2021-26855 PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github Why does github remove this exploit because





The Hacker's Choice
 58  Nov 15, 2022









✨ Powerfull & Universal Link Bypasser ✨


 ✨ Powerfull & Universal Link Bypasser ✨





Vodkarm06
 4  Jun 03, 2022









A fast sub domain brute tool for pentesters


 subDomainsBrute 1.4 A fast sub domain brute tool for pentesters. It works with P





Oliver
 2  Oct 18, 2022









Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems


 KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for 





Black Lantern Security
 35  Oct 25, 2022









Grafana-0Day-Vuln-POC


 Grafana V8.0+版本存在未授权任意文件读取 0Day漏洞 - POC 1 漏洞信息 1.1 基本信息 漏洞厂商:Grafana 厂商官网:https://grafana.com/ 1.2 漏洞描述 Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Gr





mik1th0n
 3  Dec 13, 2021