官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
如何使用ExchangeFinder在给定域中寻找Microsoft Exchange实例
- 关注
如何使用ExchangeFinder在给定域中寻找Microsoft Exchange实例
关于ExchangeFinder
ExchangeFinder是一款功能强大且使用简单的开源工具,该工具能够在给定域中尝试搜索指定的Microsoft Exchange实例,该工具的搜索机制基于Microsoft Exchange的常见DNS名称实现,并且能够识别指定的Microsoft Exchange版本,支持Microsoft Exchange 4.0到Microsoft Exchange Server 2019。
工具运行机制
ExchangeFinder首先会尝试解析Exchange服务器通常使用的任何子域,然后它将发送两个HTTP请求来解析服务器发送的响应内容,以确定它是否使用了Microsoft Exchange。
当前版本的ExchangeFinder拥有从Microsoft Exchange 4.0到Microsoft Exchange Server 2019的每个版本的签名,并能够根据Exchange发送的X-OWA-version信息来识别指定的Microsoft Exchange版本。
如果该工具发现了一个有效的Microsoft Exchange实例,它将会返回以下结果:
1、域名;
2、Microsoft Exchange版本;
3、登录页面;
4、Web服务器版本;
工具安装
由于该工具基于Python 3开发,因此广大研究人员首先需要在本地设备上安装并配置好Python 3环境。接下来,使用下列命令将该项目最新版本源码克隆至本地:
git clone https://github.com/mhaskar/ExchangeFinder
接下来,使用poetry install命令来安装该工具所需的所有依赖组件:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder] └─$ poetry install 1 ⨯ Installing dependencies from lock file Package operations: 15 installs, 0 updates, 0 removals Installing pyparsing (3.0.9) Installing attrs (22.1.0) Installing certifi (2022.6.15) Installing charset-normalizer (2.1.1) Installing idna (3.3) Installing more-itertools (8.14.0) Installing packaging (21.3) Installing pluggy (0.13.1) Installing py (1.11.0) Installing urllib3 (1.26.12) Installing wcwidth (0.2.5) Installing dnspython (2.2.1) Installing pytest (5.4.3) Installing requests (2.28.1) Installing termcolor (1.1.0) Installing the current project: ExchangeFinder (0.1.0) ┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
然后,我们就可以运行exchangefinder.py文件来使用ExchangeFinder了:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder] └─$ python3 exchangefinder.py ______ __ _______ __ / ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____ / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/ / /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ / /_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/ /____/ Find that Microsoft Exchange server .. [-] Please use --domain or --domains option ┌──(kali㉿kali)-[~/Desktop/ExchangeFinder] └─$
工具使用
我们可以使用-h命令来查看工具帮助信息:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py -h ______ __ _______ __ / ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____ / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/ / /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ / /_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/ /____/ Find that Microsoft Exchange server .. usage: exchangefinder.py [-h] [--domain DOMAIN] [--domains DOMAINS] [--useragent USERAGENT] [--output OUTPUT] [--verbose] DNSStager main parser optional arguments: -h, --help show this help message and exit --domain DOMAIN The target domain you want to scan (example.com) --domains DOMAINS Path to domains file you want to scan (domains.txt) --useragent USERAGENT Useragent to use, the default is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36." --output OUTPUT Export results to given .csv file --verbose Show detailed output askar•/opt/redteaming/ExchangeFinder(main⚡)»
扫描单个域
我们可以使用--domain来扫描单个域:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domain dummyexchangetarget.com ______ __ _______ __ / ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____ / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/ / /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ / /_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/ /____/ Find that Microsoft Exchange server .. [!] Scanning domain dummyexchangetarget.com [+] The following MX records found for the main domain 10 mx01.dummyexchangetarget.com. [!] Scanning host (mail.dummyexchangetarget.com) [+] IIS server detected (https://mail.dummyexchangetarget.com) [!] Potential Microsoft Exchange Identified [+] Microsoft Exchange identified with the following details: Domain Found : https://mail.dummyexchangetarget.com Exchange version : Exchange Server 2016 CU22 Nov21SU Login page : https://mail.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.dummyexchangetarget.com%2fowa%2f&reason=0 IIS/Webserver version: Microsoft-IIS/10.0 [!] Scanning host (autodiscover.dummyexchangetarget.com) [+] IIS server detected (https://autodiscover.dummyexchangetarget.com) [!] Potential Microsoft Exchange Identified [+] Microsoft Exchange identified with the following details: Domain Found : https://autodiscover.dummyexchangetarget.com Exchange version : Exchange Server 2016 CU22 Nov21SU Login page : https://autodiscover.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fautodiscover.dummyexchangetarget.com%2fowa%2f&reason=0 IIS/Webserver version: Microsoft-IIS/10.0 askar•/opt/redteaming/ExchangeFinder(main⚡)»
扫描多个域
我们可以使用--domains命令来扫描多个目标域,或选择一个域列表文件:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domains domains.txt ______ __ _______ __ / ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____ / __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/ / /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ / /_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/ /____/ Find that Microsoft Exchange server .. [+] Total domains to scan are 2 domains [!] Scanning domain externalcompany.com [+] The following MX records found for the main domain 20 mx4.linfosyshosting.nl. 10 mx3.linfosyshosting.nl. [!] Scanning host (mail.externalcompany.com) [+] IIS server detected (https://mail.externalcompany.com) [!] Potential Microsoft Exchange Identified [+] Microsoft Exchange identified with the following details: Domain Found : https://mail.externalcompany.com Exchange version : Exchange Server 2016 CU22 Nov21SU Login page : https://mail.externalcompany.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.externalcompany.com%2fowa%2f&reason=0 IIS/Webserver version: Microsoft-IIS/10.0 [!] Scanning domain o365.cloud [+] The following MX records found for the main domain 10 mailstore1.secureserver.net. 0 smtp.secureserver.net. [!] Scanning host (mail.o365.cloud) [+] IIS server detected (https://mail.o365.cloud) [!] Potential Microsoft Exchange Identified [+] Microsoft Exchange identified with the following details: Domain Found : https://mail.o365.cloud Exchange version : Exchange Server 2013 CU23 May22SU Login page : https://mail.o365.cloud/owa/auth/logon.aspx?url=https%3a%2f%2fmail.o365.cloud%2fowa%2f&reason=0 IIS/Webserver version: Microsoft-IIS/8.5 askar•/opt/redteaming/ExchangeFinder(main⚡)»
许可证协议
本项目的开发与发布遵循GPL-3.0开源许可证协议。
项目地址
ExchangeFinder:【GitHub传送门】
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
- 0 文章数
- 0 关注者
文章目录