ExchangeFinder是一款功能强大且使用简单的开源工具,该工具能够在给定域中尝试搜索指定的Microsoft Exchange实例,该工具的搜索机制基于Microsoft Exchange的常见DNS名称实现,并且能够识别指定的Microsoft Exchange版本,支持Microsoft Exchange 4.0到Microsoft Exchange Server 2019。
ExchangeFinder首先会尝试解析Exchange服务器通常使用的任何子域,然后它将发送两个HTTP请求来解析服务器发送的响应内容,以确定它是否使用了Microsoft Exchange。
当前版本的ExchangeFinder拥有从Microsoft Exchange 4.0到Microsoft Exchange Server 2019的每个版本的签名,并能够根据Exchange发送的X-OWA-version信息来识别指定的Microsoft Exchange版本。
如果该工具发现了一个有效的Microsoft Exchange实例,它将会返回以下结果:
1、域名;
2、Microsoft Exchange版本;
3、登录页面;
4、Web服务器版本;
由于该工具基于Python 3开发,因此广大研究人员首先需要在本地设备上安装并配置好Python 3环境。接下来,使用下列命令将该项目最新版本源码克隆至本地:
git clone https://github.com/mhaskar/ExchangeFinder
(向右滑动,查看更多)
接下来,使用poetry install命令来安装该工具所需的所有依赖组件:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ poetry install 1 ⨯
Installing dependencies from lock file
Package operations: 15 installs, 0 updates, 0 removals
Installing pyparsing (3.0.9)
Installing attrs (22.1.0)
Installing certifi (2022.6.15)
Installing charset-normalizer (2.1.1)
Installing idna (3.3)
Installing more-itertools (8.14.0)
Installing packaging (21.3)
Installing pluggy (0.13.1)
Installing py (1.11.0)
Installing urllib3 (1.26.12)
Installing wcwidth (0.2.5)
Installing dnspython (2.2.1)
Installing pytest (5.4.3)
Installing requests (2.28.1)
Installing termcolor (1.1.0)
Installing the current project: ExchangeFinder (0.1.0)
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
(向右滑动,查看更多)
然后,我们就可以运行exchangefinder.py文件来使用ExchangeFinder了:
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ python3 exchangefinder.py
______ __ _______ __
/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____
/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/
/ /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/
/____/
Find that Microsoft Exchange server ..
[-] Please use --domain or --domains option
┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$
(向右滑动,查看更多)
我们可以使用-h命令来查看工具帮助信息:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py -h
______ __ _______ __
/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____
/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/
/ /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/
/____/
Find that Microsoft Exchange server ..
usage: exchangefinder.py [-h] [--domain DOMAIN] [--domains DOMAINS] [--useragent USERAGENT] [--output OUTPUT] [--verbose]
DNSStager main parser
optional arguments:
-h, --help show this help message and exit
--domain DOMAIN The target domain you want to scan (example.com)
--domains DOMAINS Path to domains file you want to scan (domains.txt)
--useragent USERAGENT
Useragent to use, the default is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36."
--output OUTPUT Export results to given .csv file
--verbose Show detailed output
askar•/opt/redteaming/ExchangeFinder(main⚡)»
(向右滑动,查看更多)
我们可以使用--domain来扫描单个域:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domain dummyexchangetarget.com
______ __ _______ __
/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____
/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/
/ /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/
/____/
Find that Microsoft Exchange server ..
[!] Scanning domain dummyexchangetarget.com
[+] The following MX records found for the main domain
10 mx01.dummyexchangetarget.com.
[!] Scanning host (mail.dummyexchangetarget.com)
[+] IIS server detected (https://mail.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
[!] Scanning host (autodiscover.dummyexchangetarget.com)
[+] IIS server detected (https://autodiscover.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://autodiscover.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://autodiscover.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fautodiscover.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
askar•/opt/redteaming/ExchangeFinder(main⚡)»
(向右滑动,查看更多)
我们可以使用--domains命令来扫描多个目标域,或选择一个域列表文件:
askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domains domains.txt
______ __ _______ __
/ ____/ __/ /_ ____ _____ ____ ____ / ____(_)___ ____/ /__ _____
/ __/ | |/_/ __ \/ __ `/ __ \/ __ `/ _ \/ /_ / / __ \/ __ / _ \/ ___/
/ /____> </ / / / /_/ / / / / /_/ / __/ __/ / / / / / /_/ / __/ /
/_____/_/|_/_/ /_/\__,_/_/ /_/\__, /\___/_/ /_/_/ /_/\__,_/\___/_/
/____/
Find that Microsoft Exchange server ..
[+] Total domains to scan are 2 domains
[!] Scanning domain externalcompany.com
[+] The following MX records found for the main domain
20 mx4.linfosyshosting.nl.
10 mx3.linfosyshosting.nl.
[!] Scanning host (mail.externalcompany.com)
[+] IIS server detected (https://mail.externalcompany.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.externalcompany.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.externalcompany.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.externalcompany.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
[!] Scanning domain o365.cloud
[+] The following MX records found for the main domain
10 mailstore1.secureserver.net.
0 smtp.secureserver.net.
[!] Scanning host (mail.o365.cloud)
[+] IIS server detected (https://mail.o365.cloud)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.o365.cloud
Exchange version : Exchange Server 2013 CU23 May22SU
Login page : https://mail.o365.cloud/owa/auth/logon.aspx?url=https%3a%2f%2fmail.o365.cloud%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/8.5
askar•/opt/redteaming/ExchangeFinder(main⚡)»
(向右滑动,查看更多)
本项目的开发与发布遵循GPL-3.0开源许可证协议。
ExchangeFinder:https://github.com/mhaskar/ExchangeFinder
精彩推荐