CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/msmail/host_id.go
Views: 1904
//usr/bin/env go run "$0" "$@"; exit "$?"12package main34import (5"metasploit/module"6"msmail"7"net"8"strings"9)1011func main() {12metadata := &module.Metadata{13Name: "Vulnerable domain identification",14Description: "Identifying potentially vulnerable Exchange endpoints",15Authors: []string{"poptart", "jlarose", "Vincent Yiu", "grimhacker", "Nate Power", "Nick Powers", "clee-r7"},16Date: "2018-11-06",17Type: "single_scanner",18Privileged: false,19References: []module.Reference{},20Options: map[string]module.Option{},21}2223module.Init(metadata, run_id)24}2526func run_id(params map[string]interface{}) {27host := params["RHOSTS"].(string)28msmail.HarvestInternalDomain(host, true)29urlEnum(host)30}3132func urlEnum(hostInput string) {33hostSlice := strings.Split(hostInput, ".")34o365Domain := hostSlice[len(hostSlice)-2] + "-" + hostSlice[len(hostSlice)-1] + ".mail.protection.outlook.com"35addr, err := net.LookupIP(o365Domain)36if err != nil {37module.LogError("Domain is not using o365 resources.")38} else if addr == nil {39module.LogError("error")40} else {41module.LogGood("Domain is using o365 resources.")42}43asURI := "https://" + hostInput + "/Microsoft-Server-ActiveSync"44adURI := "https://" + hostInput + "/autodiscover/autodiscover.xml"45ad2URI := "https://autodiscover." + hostInput + "/autodiscover/autodiscover.xml"46owaURI := "https://" + hostInput + "/owa"47timeEndpointsIdentified := false48module.LogInfo("Identifying endpoints vulnerable to time-based enumeration:")49timeEndpoints := []string{asURI, adURI, ad2URI, owaURI}50for _, uri := range timeEndpoints {51responseCode := msmail.WebRequestCodeResponse(uri)52if responseCode == 401 {53module.LogGood(uri)54timeEndpointsIdentified = true55}56if responseCode == 200 {57module.LogGood(uri)58timeEndpointsIdentified = true59}60}61if timeEndpointsIdentified == false {62module.LogInfo("No Exchange endpoints vulnerable to time-based enumeration discovered.")63}64module.LogInfo("Identifying exposed Exchange endpoints for potential spraying:")65passEndpointIdentified := false66rpcURI := "https://" + hostInput + "/rpc"67oabURI := "https://" + hostInput + "/oab"68ewsURI := "https://" + hostInput + "/ews"69mapiURI := "https://" + hostInput + "/mapi"7071passEndpoints401 := []string{oabURI, ewsURI, mapiURI, asURI, adURI, ad2URI, rpcURI}72for _, uri := range passEndpoints401 {73responseCode := msmail.WebRequestCodeResponse(uri)74if responseCode == 401 {75module.LogGood(uri)76passEndpointIdentified = true77}78}79ecpURI := "https://" + hostInput + "/ecp"80endpoints200 := []string{ecpURI, owaURI}81for _, uri := range endpoints200 {82responseCode := msmail.WebRequestCodeResponse(uri)83if responseCode == 200 {84module.LogGood(uri)85passEndpointIdentified = true86}87}88if passEndpointIdentified == false {89module.LogInfo("No onprem Exchange services identified.")90}91}929394