SMB, Exchange (OWA/EWS), SMTP (NTLM) support #28
Comments
Hey! So for the consideration: SMB - I have a semi-finished prototype for SMB, but it's relying on libsmbclient and I'm trying to keep the C/unsafe dependencies to the minimum. I'm not super happy with the current implementation as it makes cross compilation challenging, but I'll probably end up releasing it as it is if I can't find alternative solutions. Exchange - the main challenge here is creating docker containers or VMs that I can use for testing while I develop the module, as I have almost no experience with MS things. Do you have any suggestion for this? Ideally I'd need a one-command solution that'd bring up an already configured env I can test with. BTW issues are also for feature requests, so no problem here! Thanks for the feedback actually
SMB pushed!
Hmm, there's a few ways to build out Exchange in an automated fashion. I can help you build out your own if you like, or provide a working set of VMs, or point you at resources like https://automatedlab.org/en/latest/ if that's an option for you. Exchange is a bit tricky. Great to hear about SMB! Thank you :D
@jeffmcjunkin it's not super clear to me if I can use the automatedlab tool to create and run VMs on bare metal ... ? Do you have specific quick&dirty guides on how to set up an Exchange VM on virtualbox/vmware/qemu? Thank you so much for your help, as I said I have very little experience on Microsoft envs and was leaving out a lot of protocols due to how difficult it is to bring up a test env :D
@jeffmcjunkin it turns out that the http module can already be used for the OWA endpoint. Here's the command line I used for the VM you provided:

```shell
legba http \
    -T "https://bahamut.local/owa/auth.owa" \
    -U "LEGBA\jeff" \
    -P data/wordlist.txt \
    --http-method POST \
    --http-payload 'destination=https://bahamut.local/&flags=4&username={USERNAME}&password={PASSWORD}' \
    --http-success-codes 302 \
    --http-success-string 'set-cookie'
```

Notice that the "destination" POST variable has to be a valid URL containing the Exchange server host. On successful login, the server will respond with a 302 redirect and a Set-Cookie header.
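As an added example (not legba's code and not from the thread's author), the success rule stated above, a 302 together with a Set-Cookie header, turned into defender-side detection: classify observed `auth.owa` responses with that rule and flag a source IP that accumulates failed attempts within a short window, noting when a success follows such a burst. The event records, their format and the IPs are constructed assumptions, for instance what a reverse proxy in front of Exchange might log.

```python
# Added example, not part of the legba project: apply the thread's OWA rule
# (success = HTTP 302 AND a Set-Cookie header) to observed auth.owa responses
# and flag password guessing against a single source IP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, client ip, status, response headers).
# The record format is an assumption; the IPs and cookie value are made up.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "203.0.113.5", 302, {"Location": "/owa/auth/logon.aspx"}),
    ("2024-01-10T09:00:02", "203.0.113.5", 302, {"Location": "/owa/auth/logon.aspx"}),
    ("2024-01-10T09:00:03", "203.0.113.5", 302, {"Location": "/owa/auth/logon.aspx"}),
    ("2024-01-10T09:00:04", "203.0.113.5", 302, {"Location": "/owa/auth/logon.aspx"}),
    ("2024-01-10T09:00:06", "203.0.113.5", 302,
     {"Location": "https://bahamut.local/", "Set-Cookie": "sess=constructed"}),
    ("2024-01-10T09:05:00", "198.51.100.7", 302,
     {"Location": "https://bahamut.local/", "Set-Cookie": "sess=constructed"}),
]


def owa_login_succeeded(status, headers):
    """Thread's rule: a 302 alone is not enough (a bounce back to the logon
    page is also a redirect); the Set-Cookie header is what marks success."""
    return status == 302 and any(h.lower() == "set-cookie" for h in headers)


def detect_owa_guessing(events, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for every IP
    with at least `threshold` failed auth.owa attempts inside `window`."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed attempts
    alerts = {}
    for ts_str, ip, status, headers in events:
        ts = datetime.fromisoformat(ts_str)
        if owa_login_succeeded(status, headers):
            if ip in alerts:  # a valid login right after a burst: treat as compromised
                alerts[ip]["success_after_burst"] = True
            continue
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= threshold:
            alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
            alerts[ip]["failures"] = len(recent)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_owa_guessing(SAMPLE_EVENTS).items():
        print(ip, info)
```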
The EWS endpoint is using NTLMv2 negotiation via HTTP basic auth. This is already supported by the HTTP module:

```shell
legba http.ntlm2 \
    --http-ntlm-domain LEGBA \
    -U jeff \
    -P data/wordlist.txt \
    -T "https://bahamut.local/ews" \
    --http-success-codes "200, 500"
```

Notice how in my setup I had to include a 500 response as success since I get this after logging in:

NOTE: The EWS endpoint, at least in my setup, seems to be a bit unreliable for bruteforcing. I don't know if it's related to the 500 error or there's some rate limiting going on there, but sometimes I get a "401 Unauthorized" response for valid credentials. So I think using OWA is the way to go against MS Exchange :D
Hello!
I'm loving this project, but given how often I encounter the above protocols, is there a consideration or timeline for authentication via the following protocols?
Sorry to make an issue for a wish list, but I think the above protocols could get this project even more traction as well.
Cheers!