关于ExchangeFinder
ExchangeFinder是一款功能强大且使用简单的开源工具,该工具能够在给定域中尝试搜索指定的Microsoft Exchange实例,该工具的搜索机制基于Microsoft Exchange的常见DNS名称实现,并且能够识别指定的Microsoft Exchange版本,支持Microsoft Exchange 4.0到Microsoft Exchange Server 2019。
工具运行机制
ExchangeFinder首先会尝试解析Exchange服务器通常使用的任何子域,然后它将发送两个HTTP请求来解析服务器发送的响应内容,以确定它是否使用了Microsoft Exchange。
当前版本的ExchangeFinder拥有从Microsoft Exchange 4.0到Microsoft Exchange Server 2019的每个版本的签名,并能够根据Exchange发送的X-OWA-version信息来识别指定的Microsoft Exchange版本。
如果该工具发现了一个有效的Microsoft Exchange实例,它将会返回以下结果:
1、域名;
2、Microsoft Exchange版本;
3、登录页面;
4、Web服务器版本;
工具安装
由于该工具基于Python 3开发,因此广大研究人员首先需要在本地设备上安装并配置好Python 3环境。接下来,使用下列命令将该项目最新版本源码克隆至本地:
git clone https://github.com/mhaskar/ExchangeFinder(向右滑动,查看更多)
接下来,使用poetry install命令来安装该工具所需的所有依赖组件:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]└─$ poetry install 1 ⨯Installing dependencies from lock filePackage operations: 15 installs, 0 updates, 0 removalsInstalling pyparsing (3.0.9)Installing attrs (22.1.0)Installing certifi (2022.6.15)Installing charset-normalizer (2.1.1)Installing idna (3.3)Installing more-itertools (8.14.0)Installing packaging (21.3)Installing pluggy (0.13.1)Installing py (1.11.0)Installing urllib3 (1.26.12)Installing wcwidth (0.2.5)Installing dnspython (2.2.1)Installing pytest (5.4.3)Installing requests (2.28.1)Installing termcolor (1.1.0)Installing the current project: ExchangeFinder (0.1.0)┌──(kali㉿kali)-[~/Desktop/ExchangeFinder](向右滑动,查看更多)
然后,我们就可以运行exchangefinder.py文件来使用ExchangeFinder了:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]└─$ python3 exchangefinder.py______ __ _______ __/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___// /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ //_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_//____/Find that Microsoft Exchange server ..[-] Please use --domain or --domains option┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]└─$(向右滑动,查看更多)
工具使用
我们可以使用-h命令来查看工具帮助信息:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py -h______ __ _______ __/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___// /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ //_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_//____/Find that Microsoft Exchange server ..usage: exchangefinder.py [-h] [--domain DOMAIN] [--domains DOMAINS] [--useragent USERAGENT] [--output OUTPUT] [--verbose]DNSStager main parseroptional arguments:-h, --help show this help message and exit--domain DOMAIN The target domain you want to scan (example.com)--domains DOMAINS Path to domains file you want to scan (domains.txt)--useragent USERAGENTUseragent to use, the default is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36."--output OUTPUT Export results to given .csv file--verbose Show detailed outputaskar•/opt/redteaming/ExchangeFinder(main⚡)»
(向右滑动,查看更多)
扫描单个域
我们可以使用--domain来扫描单个域:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domain dummyexchangetarget.com______ __ _______ __/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___// /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ //_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_//____/Find that Microsoft Exchange server ..[!] Scanning domain dummyexchangetarget.com[+] The following MX records found for the main domain10 mx01.dummyexchangetarget.com.[!] Scanning host (mail.dummyexchangetarget.com)[+] IIS server detected (https://mail.dummyexchangetarget.com)[!] Potential Microsoft Exchange Identified[+] Microsoft Exchange identified with the following details:Domain Found : https://mail.dummyexchangetarget.comExchange version : Exchange Server 2016 CU22 Nov21SULogin page : https://mail.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.dummyexchangetarget.com%2fowa%2f&reason=0IIS/Webserver version: Microsoft-IIS/10.0[!] Scanning host (autodiscover.dummyexchangetarget.com)[+] IIS server detected (https://autodiscover.dummyexchangetarget.com)[!] Potential Microsoft Exchange Identified[+] Microsoft Exchange identified with the following details:Domain Found : https://autodiscover.dummyexchangetarget.comExchange version : Exchange Server 2016 CU22 Nov21SULogin page : https://autodiscover.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fautodiscover.dummyexchangetarget.com%2fowa%2f&reason=0IIS/Webserver version: Microsoft-IIS/10.0askar•/opt/redteaming/ExchangeFinder(main⚡)»(向右滑动,查看更多)
扫描多个域
我们可以使用--domains命令来扫描多个目标域,或选择一个域列表文件:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domains domains.txt______ __ _______ __/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___// /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ //_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_//____/Find that Microsoft Exchange server ..[+] Total domains to scan are 2 domains[!] Scanning domain externalcompany.com[+] The following MX records found for the main domain20 mx4.linfosyshosting.nl.10 mx3.linfosyshosting.nl.[!] Scanning host (mail.externalcompany.com)[+] IIS server detected (https://mail.externalcompany.com)[!] Potential Microsoft Exchange Identified[+] Microsoft Exchange identified with the following details:Domain Found : https://mail.externalcompany.comExchange version : Exchange Server 2016 CU22 Nov21SULogin page : https://mail.externalcompany.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.externalcompany.com%2fowa%2f&reason=0IIS/Webserver version: Microsoft-IIS/10.0[!] Scanning domain o365.cloud[+] The following MX records found for the main domain10 mailstore1.secureserver.net.0 smtp.secureserver.net.[!] Scanning host (mail.o365.cloud)[+] IIS server detected (https://mail.o365.cloud)[!] Potential Microsoft Exchange Identified[+] Microsoft Exchange identified with the following details:Domain Found : https://mail.o365.cloudExchange version : Exchange Server 2013 CU23 May22SULogin page : https://mail.o365.cloud/owa/auth/logon.aspx?url=https%3a%2f%2fmail.o365.cloud%2fowa%2f&reason=0IIS/Webserver version: Microsoft-IIS/8.5askar•/opt/redteaming/ExchangeFinder(main⚡)»
(向右滑动,查看更多)
许可证协议
本项目的开发与发布遵循GPL-3.0开源许可证协议。
项目地址
ExchangeFinder:https://github.com/mhaskar/ExchangeFinder
精彩推荐
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651213165&idx=4&sn=c38959f2634be23dfeb2a59331973d21&chksm=bd1ddfe68a6a56f060f5cf924cb39d971acfd56167a521b60464b14a758d016c2df273c5bdbf#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh