利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










Domain abuse scanner covering domainsquatting and phishing keywords.


 🦷 monodon 🐋 Domain abuse scanner covering domainsquatting and phishing keywords. Setup Monodon is a Python 3.7+ programm. To setup on a Linux machin






 2  Mar 15, 2022









Some Attacks of Exchange SSRF ProxyLogon&ProxyShell


 Some Attacks of Exchange SSRF This project is heavily replicated in ProxyShell, NtlmRelayToEWS https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag Get 1





Jumbo
 129  Dec 30, 2022









Just another script for automatize boolean-based blind SQL injections.


 SQL Blind Injection Tool A script for automatize boolean-based blind SQL injections. Works with SQLite at least, supports using cookies. It uses bitwi





RIM
 51  Dec 15, 2022









KeyLogger


 By-Emirhan KeyLogger Hangi Sistemlerde Çalışır? | On Which Systems Does It Work? KALİ LİNUX UBUNTU PARDUS MİNT TERMUX ARCH YÜKLEME & ÇALIŞTIRMA KOMUTL






 2  Feb 24, 2022









CVE-2021-22986 & F5 BIG-IP RCE


 Vuln Impact This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management 





Al1ex
 85  Dec 02, 2022









A small utility to deal with malware embedded hashes.


 Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as: Dyn





Abdallah Elshinbary
 48  Dec 19, 2022









Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found


 dora Features Blazing fast as we are using ripgrep in backend Exploit/PoC steps for many of the API key, allowing to write a good report for bug bount





Siddharth Dushantha
 243  Dec 27, 2022









Internationalized Domain Names for Python (IDNA 2008 and UTS #46)


 Internationalized Domain Names in Applications (IDNA) Support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in R





Kim Davies
 204  Dec 13, 2022









Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10


 CVE-2021-29440 Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10 Grav is a file based Web-platform. Twig processing of static p





Enox
 6  Oct 10, 2022









On-demand scanning for container registries


 Lacework registry scanner Install & configure Lacework CLI Integrate a Container Registry Go to Lacework Resources Containers Container Image In





Will Robinson
 1  Dec 14, 2021









xray多线程批量扫描工具


 Auto_xray xray多线程批量扫描工具 简介 xray社区版貌似没有批量扫描,这就让安服仔使用起来很不方便,扫站得一个个手动添加,非常难受 Auto_xray目录下记得放xray,就跟平时一样的。 选项1:oneforall+xray 输入一个主域名,自动采集子域名然后添加到xray任务列表





1frame
 13  Nov 09, 2022









A collection of intelligence about Log4Shell and its exploitation activity


 Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex





Curated Intel
 172  Nov 17, 2022









CVE-2022-22965 - CVE-2010-1622 redux


 CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la





Duarte Duarte
 20  Aug 25, 2022









TCP/UDP port scanner on python, usong scapy and multiprocessin


 Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR





Egor Krokhin
 1  Dec 05, 2021









This is a repository filled with scripts that were made with Python, and designed to exploit computer systems.


 PYTHON-EXPLOITATION This is a repository filled with scripts that were made with Python, and designed to exploit computer systems. Networking tcp_clin





Nathan Galindo
 1  Oct 30, 2021









A brute force tool for password-protected zip file


 Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g






 3  Nov 13, 2021









M.E.A.T. - Mobile Evidence Acquisition Toolkit


 M.E.A.T. - Mobile Evidence Acquisition Toolkit Meet M.E.A.T! From Jack Farley - BlackStone Discovery This toolkit aims to help forensicators perform d






 1  Nov 11, 2021









SSRF search vulnerabilities exploitation extended.


 This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).





Andri Wahyudi
 13  Jul 04, 2021









Js File Scanner This is Js File Scanner 


 Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.






 122  Dec 12, 2022









PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)


 A medium security python password manager that encrypt passwords using Advanced Encryption Standard (AES) PassLock is a password manager and password 





Akshay Vs
 44  Nov 18, 2022