GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/msmail/host_id.go
//usr/bin/env go run "$0" "$@"; exit "$?"
package main
import (
"metasploit/module"
"msmail"
"net"
"strings"
)
// main describes this module to the framework and registers run_id as the
// function the framework calls for the target given in RHOSTS.
func main() {
	var meta module.Metadata
	meta.Name = "Vulnerable domain identification"
	meta.Description = "Identifying potentially vulnerable Exchange endpoints"
	meta.Authors = []string{"poptart", "jlarose", "Vincent Yiu", "grimhacker", "Nate Power", "Nick Powers", "clee-r7"}
	meta.Date = "2018-11-06"
	meta.Type = "single_scanner"
	meta.Privileged = false
	// Empty (non-nil) slice and map, exactly as the framework expects them.
	meta.References = []module.Reference{}
	meta.Options = map[string]module.Option{}

	module.Init(&meta, run_id)
}
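// run_id is the callback the framework invokes with the module options.
// It reads RHOSTS, passes the host to msmail.HarvestInternalDomain and then
// to urlEnum, which logs the Exchange endpoints it finds.
//
// params is the option map supplied by the framework; only RHOSTS is read.
func run_id(params map[string]interface{}) {
	// Two-value assertion: a missing RHOSTS or a non-string value used to
	// panic here and abort the whole module run instead of being reported.
	host, ok := params["RHOSTS"].(string)
	if !ok || host == "" {
		module.LogError("RHOSTS must be set to a single host name.")
		return
	}
	msmail.HarvestInternalDomain(host, true)
	urlEnum(host)
}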
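// urlEnum logs whether hostInput appears to use Office 365 mail routing and
// which Exchange web endpoints on that host answer with the status codes the
// module looks for. All findings go to the module logger; nothing is returned.
//
// hostInput is the target host name as supplied in RHOSTS.
func urlEnum(hostInput string) {
	checkO365(hostInput)

	asURI := "https://" + hostInput + "/Microsoft-Server-ActiveSync"
	adURI := "https://" + hostInput + "/autodiscover/autodiscover.xml"
	ad2URI := "https://autodiscover." + hostInput + "/autodiscover/autodiscover.xml"
	owaURI := "https://" + hostInput + "/owa"
	rpcURI := "https://" + hostInput + "/rpc"
	oabURI := "https://" + hostInput + "/oab"
	ewsURI := "https://" + hostInput + "/ews"
	mapiURI := "https://" + hostInput + "/mapi"
	ecpURI := "https://" + hostInput + "/ecp"

	module.LogInfo("Identifying endpoints vulnerable to time-based enumeration:")
	// For this set either a 401 or a 200 counts as a hit (the original had
	// two identical if-blocks, one per code).
	if !probeEndpoints([]string{asURI, adURI, ad2URI, owaURI}, 401, 200) {
		module.LogInfo("No Exchange endpoints vulnerable to time-based enumeration discovered.")
	}

	module.LogInfo("Identifying exposed Exchange endpoints for potential spraying:")
	found := probeEndpoints([]string{oabURI, ewsURI, mapiURI, asURI, adURI, ad2URI, rpcURI}, 401)
	// The 200-only set is always probed, even when the 401 set already hit,
	// so every matching endpoint is logged.
	if probeEndpoints([]string{ecpURI, owaURI}, 200) {
		found = true
	}
	if !found {
		module.LogInfo("No onprem Exchange services identified.")
	}
}

// checkO365 builds the Office 365 mail host from the last two labels of host
// (example.com -> example-com.mail.protection.outlook.com), resolves it, and
// logs whether it exists. A host with fewer than two labels is reported
// instead of indexing the label slice out of range.
func checkO365(host string) {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		module.LogError("Cannot derive an o365 domain from a host with fewer than two labels.")
		return
	}
	// NOTE(review): only the last two labels are used, so a multi-part public
	// suffix such as example.co.uk yields co-uk.mail.protection.outlook.com.
	// That matches the original behaviour; fixing it would need a suffix list.
	o365Domain := labels[len(labels)-2] + "-" + labels[len(labels)-1] + ".mail.protection.outlook.com"
	addrs, err := net.LookupIP(o365Domain)
	switch {
	case err != nil:
		module.LogError("Domain is not using o365 resources.")
	case len(addrs) == 0:
		// Replaces the bare "error" message; a nil/empty answer with no error
		// is distinct from a failed lookup and should say so.
		module.LogError("Lookup of " + o365Domain + " returned no addresses.")
	default:
		module.LogGood("Domain is using o365 resources.")
	}
}

// probeEndpoints requests each URI via msmail.WebRequestCodeResponse and logs
// every URI whose status code is one of accept. It returns true when at least
// one URI matched; an empty uris list returns false without any request.
func probeEndpoints(uris []string, accept ...int) bool {
	matched := false
	for _, uri := range uris {
		code := msmail.WebRequestCodeResponse(uri)
		for _, want := range accept {
			if code == want {
				module.LogGood(uri)
				matched = true
				break
			}
		}
	}
	return matched
}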