How to use ExchangeFinder to locate Microsoft Exchange instances in a given domain
2023-1-10 19:12:55 Author: FreeBuf

About ExchangeFinder

ExchangeFinder is a powerful and easy-to-use open-source tool that tries to locate Microsoft Exchange instances in a given domain. Its search is based on the DNS names commonly used by Microsoft Exchange, and it can identify the specific Microsoft Exchange version in use, supporting everything from Microsoft Exchange 4.0 to Microsoft Exchange Server 2019.

How the tool works

ExchangeFinder first tries to resolve the subdomains that Exchange servers commonly use. It then sends two HTTP requests to each resolved host and parses the responses to determine whether the host is running Microsoft Exchange.

The current version of ExchangeFinder ships with signatures for every version from Microsoft Exchange 4.0 to Microsoft Exchange Server 2019, and identifies the exact Microsoft Exchange version from the X-OWA-Version header that Exchange sends.

When the tool finds a valid Microsoft Exchange instance, it returns the following:

1. Domain name;

2. Microsoft Exchange version;

3. Login page;

4. Web server version.
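To make the two response signals concrete, here is an added example, written for this article and not taken from the ExchangeFinder project, that parses a constructed HTTP response head the way such a fingerprinter does: it extracts X-OWA-Version, the redirect to the OWA logon page and the Server header, and maps the build prefix to a product family. The family map and the two sample responses (including the build number and the example.com host) are constructed for illustration; the tool's own signature table is far finer grained. The same logic is handy for inventorying your own OWA endpoints and checking the reported build against your patch baseline.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# X-OWA-Version prefix -> product family (illustrative map written for this example only;
# ExchangeFinder's real signature table goes down to CU/SU level).
FAMILY_BY_PREFIX = {
    "8.": "Exchange Server 2007",
    "14.": "Exchange Server 2010",
    "15.0.": "Exchange Server 2013",
    "15.1.": "Exchange Server 2016",
    "15.2.": "Exchange Server 2019",
}

@dataclass
class Fingerprint:
    host: str
    owa_version: Optional[str]  # raw X-OWA-Version header value, if present
    login_page: Optional[str]   # redirect target when it points at /owa/auth/logon.aspx
    web_server: Optional[str]   # Server header, e.g. "Microsoft-IIS/10.0"

    @property
    def family(self) -> Optional[str]:
        v = self.owa_version or ""
        return next((n for p, n in FAMILY_BY_PREFIX.items() if v.startswith(p)), None)

    @property
    def is_exchange(self) -> bool:
        # Either signal the article describes is enough to flag a potential Exchange host.
        return self.owa_version is not None or self.login_page is not None

def parse_response_head(raw: str) -> Dict[str, str]:
    # Keep only the status line and headers, then build a lower-cased name -> value dict.
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def fingerprint(host: str, raw_response: str) -> Fingerprint:
    """Derive the four fields ExchangeFinder reports from one response head."""
    h = parse_response_head(raw_response)
    location = h.get("location")
    if location and "/owa/auth/logon.aspx" not in location.lower():
        location = None  # a redirect elsewhere is not an OWA logon signal
    return Fingerprint(host, h.get("x-owa-version"), location, h.get("server"))

# Constructed sample responses for offline use (not captured from any real server).
OWA_302 = ("HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/10.0\r\nX-OWA-Version: 15.1.2375.17\r\n"
           "Location: https://mail.example.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=0\r\n"
           "Content-Length: 0\r\n\r\n")
PLAIN_200 = "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n<html></html>"
```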

Installation

The tool is written in Python 3, so you first need a working Python 3 environment on your machine. Then clone the latest source of the project with the following command:

git clone https://github.com/mhaskar/ExchangeFinder


Next, run poetry install to install all the dependencies the tool needs:

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ poetry install
Installing dependencies from lock file

Package operations: 15 installs, 0 updates, 0 removals

Installing pyparsing (3.0.9)
Installing attrs (22.1.0)
Installing certifi (2022.6.15)
Installing charset-normalizer (2.1.1)
Installing idna (3.3)
Installing more-itertools (8.14.0)
Installing packaging (21.3)
Installing pluggy (0.13.1)
Installing py (1.11.0)
Installing urllib3 (1.26.12)
Installing wcwidth (0.2.5)
Installing dnspython (2.2.1)
Installing pytest (5.4.3)
Installing requests (2.28.1)
Installing termcolor (1.1.0)

Installing the current project: ExchangeFinder (0.1.0)

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$


You can then run exchangefinder.py to start using ExchangeFinder:

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$ python3 exchangefinder.py
[ExchangeFinder ASCII-art banner]
                                                Find that Microsoft Exchange server ..
[-] Please use --domain or --domains option

┌──(kali㉿kali)-[~/Desktop/ExchangeFinder]
└─$


Usage

Use the -h option to view the tool's help output:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py -h
[ExchangeFinder ASCII-art banner]
                                              Find that Microsoft Exchange server ..
usage: exchangefinder.py [-h] [--domain DOMAIN] [--domains DOMAINS] [--useragent USERAGENT] [--output OUTPUT] [--verbose]

DNSStager main parser

optional arguments:
  -h, --help            show this help message and exit
  --domain DOMAIN       The target domain you want to scan (example.com)
  --domains DOMAINS     Path to domains file you want to scan (domains.txt)
  --useragent USERAGENT
                        Useragent to use, the default is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36."
  --output OUTPUT       Export results to given .csv file
  --verbose             Show detailed output
askar•/opt/redteaming/ExchangeFinder(main⚡)»


Scanning a single domain

Use --domain to scan a single domain:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domain dummyexchangetarget.com
[ExchangeFinder ASCII-art banner]
                                               Find that Microsoft Exchange server ..
[!] Scanning domain dummyexchangetarget.com
[+] The following MX records found for the main domain
10 mx01.dummyexchangetarget.com.
[!] Scanning host (mail.dummyexchangetarget.com)
[+] IIS server detected (https://mail.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
[!] Scanning host (autodiscover.dummyexchangetarget.com)
[+] IIS server detected (https://autodiscover.dummyexchangetarget.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://autodiscover.dummyexchangetarget.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://autodiscover.dummyexchangetarget.com/owa/auth/logon.aspx?url=https%3a%2f%2fautodiscover.dummyexchangetarget.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
askar•/opt/redteaming/ExchangeFinder(main⚡)»


Scanning multiple domains

Use --domains to scan several target domains at once by pointing it at a file containing one domain per line:

askar•/opt/redteaming/ExchangeFinder(main⚡)» python3 exchangefinder.py --domains domains.txt
[ExchangeFinder ASCII-art banner]
                                                Find that Microsoft Exchange server ..
[+] Total domains to scan are 2 domains
[!] Scanning domain externalcompany.com
[+] The following MX records found for the main domain
20 mx4.linfosyshosting.nl.
10 mx3.linfosyshosting.nl.
[!] Scanning host (mail.externalcompany.com)
[+] IIS server detected (https://mail.externalcompany.com)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.externalcompany.com
Exchange version : Exchange Server 2016 CU22 Nov21SU
Login page : https://mail.externalcompany.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.externalcompany.com%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/10.0
[!] Scanning domain o365.cloud
[+] The following MX records found for the main domain
10 mailstore1.secureserver.net.
0 smtp.secureserver.net.
[!] Scanning host (mail.o365.cloud)
[+] IIS server detected (https://mail.o365.cloud)
[!] Potential Microsoft Exchange Identified
[+] Microsoft Exchange identified with the following details:
Domain Found : https://mail.o365.cloud
Exchange version : Exchange Server 2013 CU23 May22SU
Login page : https://mail.o365.cloud/owa/auth/logon.aspx?url=https%3a%2f%2fmail.o365.cloud%2fowa%2f&reason=0
IIS/Webserver version: Microsoft-IIS/8.5
askar•/opt/redteaming/ExchangeFinder(main⚡)»


License

This project is developed and released under the GPL-3.0 open-source license.

Project repository

ExchangeFinder: https://github.com/mhaskar/ExchangeFinder

Article source: http://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651213165&idx=4&sn=c38959f2634be23dfeb2a59331973d21&chksm=bd1ddfe68a6a56f060f5cf924cb39d971acfd56167a521b60464b14a758d016c2df273c5bdbf#rd