利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










Some Attacks of Exchange SSRF ProxyLogon&ProxyShell


 Some Attacks of Exchange SSRF This project is heavily replicated in ProxyShell, NtlmRelayToEWS https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag Get 1





Jumbo
 129  Dec 30, 2022









Python script to tamper with pages to test for Log4J Shell vulnerability.


 log4jShell Scanner This shell script scans a vulnerable web application that is using a version of apache-log4j 2.15.0. This application is a static





GoVanguard
 8  Oct 20, 2022









Reverse engineered Parler API


 Parler's unofficial API with all endpoints present in their iOS app as of 08/12/2020. For the most part undocumented, but the error responses are alre






 393  Nov 26, 2022









proof-of-concept running docker container from omero web


 docker-from-omero-poc proof-of-concept running docker container from omero web How-to Edit test_script.py so that the BaseClient is created pointing t





Erick Martins Ratamero
 2  Jan 22, 2022









Convert a collection of features to a fixed-dimensional matrix using the hashing trick.


 FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I 





Jina AI
 5  Mar 15, 2022









Script Crack Facebook Premium 🚶‍♂


 premium Script Crack Facebook Premium 🚶‍♂ In Script Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install python $ pkg inst





Yumasaa
 2  Dec 19, 2021









Brute force attack tool for Azure AD Autologon/Seamless SSO


 Brute force attack tool for Azure AD Autologon





nyxgeek
 89  Jan 02, 2023









Malware Configuration And Payload Extraction


 CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t





Context Information Security
 701  Dec 27, 2022









GitLab CE/EE Preauth RCE using ExifTool


 CVE-2021-22205 GitLab CE/EE Preauth RCE using ExifTool This project is for learning only, if someone's rights have been violated, please contact me to





3ND
 164  Dec 10, 2022









Sentinel-1 SAR time series analysis for OSINT use


 SARveillance Sentinel-1 SAR time series analysis for OSINT use. Description Generates a time lapse GIF of the Sentinel-1 satellite images for the loca






 21  Dec 09, 2022









WpDisect is a wordpress hacking tool that finds vulnerabilities in wordpress.


 wpdisect WpDisect is a wordpress hacking tool that finds misconfigurations in wordpress. Prerequisites You need to download wordpress in the wpdisect 






 3  Feb 20, 2022









Tool To generate Stable Undetected Payload


 windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +





youhacker55
 117  Dec 30, 2022









JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.


 JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you. Although it may not work with high degrees of obfuscation, it's a pretty nice tool to help you even if it's j





Quatrecentquatre
 3  May 01, 2022









2022-bridge - Example code belonging to the Bridge pattern video


 Let's Take The Bridge Pattern To The Next Level This video covers how the bridge






 11  Jun 14, 2022









MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection


 MongoDB-Injection Cheesy Multi-threaded script for NoSQL Injection This challeng





Caretaker
 2  Jun 06, 2022









Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.


 Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root






Justakazh
 20  Nov 24, 2022









orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner


 Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools





Urminder Singh
 34  Nov 21, 2022









NExfil is an OSINT tool written in python for finding profiles by username.


 NExfil is an OSINT tool written in python for finding profiles by username. The provided usernames are checked on over 350 websites within few seconds. 





thewhiteh4t
 1.4k  Jan 01, 2023









VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit


 Vortex VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit Overview A very simple Python framework, inspired by SprayingToolkit,






 315  Dec 28, 2022









logmap: Log4j2 jndi injection fuzz tool


 logmap - Log4j2 jndi injection fuzz tool Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path Use http





之乎者也
 67  Oct 25, 2022