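How to use ExchangeFinder to find Microsoft Exchange instances in a given domain
2023-01-05 21:46:55
Location: Guangxi

About ExchangeFinder

ExchangeFinder is a powerful, easy-to-use open-source tool that tries to find Microsoft Exchange instances in a given domain. Its search is based on the DNS names commonly used for Microsoft Exchange, and it can identify the specific Exchange version, from Microsoft Exchange 4.0 through Microsoft Exchange Server 2019.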

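How the tool works

ExchangeFinder first tries to resolve any subdomains that Exchange servers commonly use. It then sends two HTTP requests and parses the content of the server's responses to determine whether the host is running Microsoft Exchange.

The current version of ExchangeFinder has signatures for every version from Microsoft Exchange 4.0 to Microsoft Exchange Server 2019, and it identifies the specific Exchange version from the X-OWA-version information that Exchange sends.

If the tool finds a valid Microsoft Exchange instance, it returns the following results:

1. Domain name;

2. Microsoft Exchange version;

3. Login page;

4. Web server version;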
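
The header check described above, as an added example that is not ExchangeFinder's own code: it parses one captured HTTP response and reports the same four fields, mapping only the leading part of the X-OWA-Version build number to a product line. The host names, the sample build number and the use of the Location header as the login page are assumptions made for illustration.

```python
# Added example, not ExchangeFinder's code: classify one captured HTTP response.
PRODUCT_LINES = {  # leading part of the X-OWA-Version build -> product line
    "15.2": "Exchange Server 2019",
    "15.1": "Exchange Server 2016",
    "15.0": "Exchange Server 2013",
    "14": "Exchange Server 2010",
    "8": "Exchange Server 2007",
}

def parse_headers(raw_response):
    """Parse header lines into a dict with lower-cased names (HTTP header
    names are case-insensitive, so X-OWA-version and X-OWA-Version match)."""
    headers = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():                     # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(host, raw_response):
    """Return the fields the article lists, or None without an OWA header."""
    headers = parse_headers(raw_response)
    build = headers.get("x-owa-version")
    if not build:
        return None
    parts = build.split(".")
    product = PRODUCT_LINES.get(".".join(parts[:2])) or PRODUCT_LINES.get(parts[0])
    return {
        "domain": "https://" + host,
        "exchange_version": product or "unrecognised build",
        "build": build,
        "login_page": headers.get("location"),   # assumption: redirect target
        "web_server": headers.get("server"),
    }

# Constructed sample responses (hypothetical host names and build number).
OWA_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.test/owa/auth/logon.aspx\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "x-owa-version: 15.1.2375.17\r\n"
    "\r\n"
)
OTHER_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(classify("mail.example.test", OWA_RESPONSE))
```

Run over responses captured from your own mail hosts, this shows how much version detail each one discloses to an unauthenticated request.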

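Installation

The tool is written in Python 3, so you first need a working Python 3 environment installed and configured on your local machine. Then clone the latest source code of the project with the following command: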

git clone https://github.com/mhaskar/ExchangeFinder

Next, run poetry install to install all of the dependencies the tool needs:

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ poetry install
Installing dependencies from lock file

Package operations: 15 installs, 0 updates, 0 removals

Installing pyparsing (3.0.9)
Installing attrs (22.1.0)
Installing certifi (2022.6.15)
Installing charset-normalizer (2.1.1)
Installing idna (3.3)
Installing more-itertools (8.14.0)
Installing packaging (21.3)
Installing pluggy (0.13.1)
Installing py (1.11.0)
Installing urllib3 (1.26.12)
Installing wcwidth (0.2.5)
Installing dnspython (2.2.1)
Installing pytest (5.4.3)
Installing requests (2.28.1)
Installing termcolor (1.1.0)

Installing the current project: ExchangeFinder (0.1.0)

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]

After that, we can run exchangefinder.py to use ExchangeFinder:

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ python3 exchangefinder.py

    ______     __                           _______           __
   / ____/  __/ /_  ____ _____  ____ ____  / ____(_)___  ____/ /__  _____
  / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_  / / __ \/ __  / _ \/ ___/
 / /____>  </ / / / /_/ / / / / /_/ /  __/ __/ / / / / / /_/ /  __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/   /_/_/ /_/\__,_/\___/_/
                             /____/

                                                Find that Microsoft Exchange server ..

[-] Please use --domain or --domains option

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$

Usage

Use the -h option to view the tool's help information:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py -h

    ______     __                           _______           __
   / ____/  __/ /_  ____ _____  ____ ____  / ____(_)___  ____/ /__  _____
  / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_  / / __ \/ __  / _ \/ ___/
 / /____>  </ / / / /_/ / / / / /_/ /  __/ __/ / / / / / /_/ /  __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/   /_/_/ /_/\__,_/\___/_/
                             /____/

                                                Find that Microsoft Exchange server ..

usage: exchangefinder.py [-h] [--domain DOMAIN] [--domains DOMAINS] [--useragent USERAGENT] [--output OUTPUT] [--verbose]

DNSStager main parser

optional arguments:
  -h, --help            show this help message and exit
  --domain DOMAIN       The target domain you want to scan (example.com)
  --domains DOMAINS     Path to domains file you want to scan (domains.txt)
  --useragent USERAGENT
                        Useragent to use, the default is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36."
  --output OUTPUT       Export results to given .csv file
  --verbose             Show detailed output
askar•/opt/redteaming/ExchangeFinder(main⚡)»


Scanning a single domain

Use --domain to scan a single domain:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domain dummyexchangetarget.com

    ______     __                           _______           __
   / ____/  __/ /_  ____ _____  ____ ____  / ____(_)___  ____/ /__  _____
  / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_  / / __ \/ __  / _ \/ ___/
 / /____>  </ / / / /_/ / / / / /_/ /  __/ __/ / / / / / /_/ /  __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/   /_/_/ /_/\__,_/\___/_/
                             /____/

                                                Find that Microsoft Exchange server ..

[!] Scanning domain dummyexchangetarget.com
[+] The following MX records found for the main domain
10 mx01.dummyexchangetarget.com.

[!] Scanning host (mail.dummyexchangetarget.com)
[+] IIS server detected (https://mail.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:

Domain Found : https://mail.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0

[!] Scanning host (autodiscover.dummyexchangetarget.com)
[+] IIS server detected (https://autodiscover.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:

Domain Found : https://autodiscover.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://autodiscover.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fautodiscover.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0

askar•/opt/redteaming/ExchangeFinder(main⚡)»

Scanning multiple domains

Use the --domains option with a domain list file to scan multiple target domains:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domains domains.txt

    ______     __                           _______           __
   / ____/  __/ /_  ____ _____  ____ ____  / ____(_)___  ____/ /__  _____
  / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_  / / __ \/ __  / _ \/ ___/
 / /____>  </ / / / /_/ / / / / /_/ /  __/ __/ / / / / / /_/ /  __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/   /_/_/ /_/\__,_/\___/_/
                             /____/

                                                Find that Microsoft Exchange server ..

[+] Total domains to scan are 2 domains
[!] Scanning domain externalcompany.com
[+] The following MX records found for the main domain
20 mx4.linfosyshosting.nl.
10 mx3.linfosyshosting.nl.

[!] Scanning host (mail.externalcompany.com)
[+] IIS server detected (https://mail.externalcompany.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:

Domain Found : https://mail.externalcompany.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.externalcompany.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.externalcompany.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0

[!] Scanning domain o365.cloud
[+] The following MX records found for the main domain
10 mailstore1.secureserver.net.
0 smtp.secureserver.net.

[!] Scanning host (mail.o365.cloud)
[+] IIS server detected (https://mail.o365.cloud)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:

Domain Found : https://mail.o365.cloud
Exchange version : Exchange Server 2013 CU23 May22SU
Login page : https://mail.o365.cloud/owa/auth/logon.aspx?url=https%3a%2f%2fmail.o365.cloud%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/8.5

askar•/opt/redteaming/ExchangeFinder(main⚡)»

License

This project is developed and released under the GPL-3.0 open-source license.

Project URL

ExchangeFinder: https://github.com/mhaskar/ExchangeFinder
