利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










CVE-2021-21972


 CVE-2021-21972 % python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e
[*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authoriz





Keith Lee
 30  Nov 19, 2022









exchange-ssrf-rce


 Usage python3 .\exchange-exp.py
--------------------------------------------------------------------------------
| 





Jen
 76  Nov 09, 2022









A simple Burp Suite extension to extract datas from source code


 DataExtractor A simple Burp Suite extension to extract datas from source code. Features in scope parsing file extensions to ignore files exclusion bas





Gwendal Le Coguic
 86  Dec 31, 2022









Python HDFS client


 Python HDFS client Because the world needs yet another way to talk to HDFS from Python. Usage This library provides a Python client for WebHDFS. NameN





Jing Wang
 82  Dec 28, 2022









 APKLeaks - Scanning APK file for URIs, endpoints & secrets.


 APKLeaks - Scanning APK file for URIs, endpoints & secrets.





dw1
 3.5k  Jan 09, 2023









Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.


 The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p






 2.4k  Jan 07, 2023









HTTP Protocol Stack Remote Code Execution Vulnerability CVE-2022-21907


 CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17. Detail HTTP 





赛欧思网络安全研究实验室
 365  Nov 30, 2022









Chapter 1 of the AWS Cookbook


 Chapter 1 - Security Set and export your default region: export AWS_REGION=us-east-1 Set your AWS ACCOUNT ID:: AWS_ACCOUNT_ID=$(aws sts get-caller-ide





AWS Cookbook
 30  Nov 27, 2022









Webpack自动化信息收集


 Webpack-信息收集工具 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。 0x01 介绍 作者:小洲 团队:横戈安全团队,未来一段时间将陆续开源工具,欢迎关注微信公众号: 定位:协助红队人员快速的信息收集,测绘目





小洲
 214  Dec 19, 2022









A proxy for asyncio.AbstractEventLoop for testing purposes


 aioloop-proxy A proxy for asyncio.AbstractEventLoop for testing purposes. When tests writing for asyncio based code, there are controversial requireme





aio-libs
 12  Dec 12, 2022









This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.


 Vacuum-Cleaner Python3 This is a Python3 agent that implements a simulator for a vacuum cleaner and it is introduction to Artificial Intelligence. A s





Abdultawwab Safarji
 6  Nov 14, 2022









Tor Relay availability checker, for using it as a bridge in countries with censorship


 Tor Relay Availability Checker This small script downloads all Tor Relay IP addresses from onionoo.torproject.org and checks whether random Relays are





ValdikSS
 161  Dec 30, 2022









A forensic collection tool written in Python. 


 CHIRP A forensic collection tool written in Python. Watch the video overview 📝 Table of Contents 📝 Table of Contents 🧐 About 🏁 Getting Started Pre





Cybersecurity and Infrastructure Security Agency
 1k  Dec 09, 2022









 Open-source jailbreaking tool for many iOS devices


 Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund






 6.7k  Jan 05, 2023









This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies.


 Wallet Tracker This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies. build docker build -t wallet-tracker .
run






 2  Mar 21, 2022









A web-app helping to create strong passwords that are easy to remember.


 This is a simple Web-App that demonstrates a method of creating strong passwords that are still easy to remember. It also provides time estimates how long it would take an attacker to crack a passwor






 2  Jun 04, 2021









Tools Crack Fb Terbaru 


 Tools Crack Fb Terbaru 





Jeeck
 12  Jan 06, 2022









Searches through git repositories for high entropy strings and secrets, digging deep into commit history


 truffleHog Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accident





Truffle Security
 10.1k  Jan 09, 2023









A python module for retrieving and parsing WHOIS data


 pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual 





Sven Slootweg
 384  Dec 23, 2022









Python exploit for vsftpd 2.3.4 - Backdoor Command Execution


 CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin





Padsala Tushal
 5  Nov 08, 2022