利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities


 WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanni





AnonyminHack5
 12  Dec 02, 2022









 DNSSEQ: PowerDNS with FALCON Signature Scheme


 PowerDNS-based proof-of-concept implementation of DNSSEC using the post-quantum FALCON signature scheme.





Nils Wisiol
 4  Feb 03, 2022









BurpSuite Extension: Log4j2 RCE Scanner


 Log4j2 RCE Scanner 作者:[email protected]元亨实验室 声明:由于传播、利用本项目所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,项目作者不为此承担任何责





ᴋᴇʏ
 87  Dec 29, 2021









Cve-2021-22005-exp


 cve-2021-22005-exp 0x01 漏洞简介 2021年9月21日,VMware发布安全公告,公开披露了vCenter Server中的19个安全漏洞,这些漏洞的CVSSv3评分范围为4.3-9.8。 其中,最为严重的漏洞为vCenter Server 中的任意文件上传漏洞(CVE-20





Jing Ling
 146  Dec 31, 2022









Python tool for exploiting CVE-2021-35616 


 OracleOTM Python tool for exploiting CVE-2021-35616 The script works in modules, which I implemented in the following order: ► Username enumeration ► 






 11  Dec 06, 2022









Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3


 Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR





Pushpender Singh
 9  Dec 12, 2022









Exploit grafana Pre-Auth LFI


 Grafana-LFI-8.x Exploit grafana Pre-Auth LFI How to use python3 






 2  Jul 25, 2022









exchange-ssrf-rce


 Usage python3 .\exchange-exp.py
--------------------------------------------------------------------------------
| 





Jen
 76  Nov 09, 2022









 DoSer.py - Simple DoSer in Python


 DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this






 1  Oct 12, 2021









A Python script that can be used to check if a SAP system is affected by CVE-2022-22536


 Vulnerability assessment for CVE-2022-22536 This repository contains a Python script that can be used to check if a SAP system is affected by CVE-2022





Onapsis Inc.
 42  Dec 01, 2022









Xteam All in one Instagram,Android,phishing osint and wifi hacking tool available 


 Xteam All in one Instagram,Android,phishing osint and wifi hacking tool available 





xploits tech
 283  Dec 29, 2022









Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.


 PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits 





Hocky Harijanto
 0  Jan 10, 2022









Advanced subdomain scanner, any domain hidden subdomains


 little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for





Nano
 5  Nov 23, 2021









Bypass ReCaptcha: A Python script for dealing with recaptcha


 Bypass ReCaptcha Bypass ReCaptcha is a Python script for dealing with recaptcha.





Marcos Camargo
 1  Jan 11, 2022









Uncover the full name of a target on Linkedin.


 Revealin Uncover the full name of a target on Linkedin. It's just a little PoC exploiting a design flaw. Useful for OSINT. Screenshot Usage $ git clon





mxrch
 129  Dec 21, 2022









Undetectable Keylogger that reports to Discord


 FUD Keylogger That Reports To Discord This python script will capture all of the keystrokes within a given time frame and report them to a Discord Ser





Dimitris Kalopisis
 36  Dec 20, 2022









Shell hunter for AF


 AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to
pip3 ins





Eduardo
 34  May 13, 2022









ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)


 ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell
cd ProxyShell
virtualenv -p $(which python3) venv
source venv/bin/activate
pip3 i





Poming huang
 312  Dec 09, 2022









NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains


 NexScanner NexScanner is a tool which helps you scan a website for sub-domains and also to find login pages in the website like the admin login panel 






 8  Sep 03, 2022









TightVNC Vulnerability.


 CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot





MaherAzzouzi
 15  Jul 11, 2022