
Tools I use in intrusion tests targeting the MSExchange and MSLync platforms


lazaars/MSExchange-Lync-pentest


MSExchange/Lync pentest

Tool 1: Exchangefinder



                            Developed and designed by Lazaar Sami
                            lazaars@gmail.com

This tool discovers the Lync and MSExchange subdomains of a main domain. It identifies the links that are protected by NTLM authentication and are therefore probably vulnerable to brute-force attacks.

Usage: python Exchangefinder.py

Dependencies: requests

We can use patator to perform a brute-force attack against the NTLM-protected URLs. Ex:

python patator.py http_fuzz url=https://mail.domain.com/EWS/Services.wsdl user_pass=FILE0:FILE1 0=users.txt 1=pass.txt -t 10 auth_type=ntlm method=get -x ignore:code=401
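Seen from the server side, a run like the one above leaves a burst of HTTP 401 responses from one client on the NTLM-protected path. The following detection sketch is an added example, not part of this repository; the watched path prefixes, the 60-second window, the threshold of 20 and the log lines are constructed assumptions, and the parser expects IIS W3C logs with a `#Fields:` header.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PREFIXES = ("/ews/", "/autodiscover/")  # assumption: paths to watch
WINDOW = timedelta(seconds=60)                   # assumption: sliding window
THRESHOLD = 20  # assumption: a normal NTLM handshake logs only one or two 401s

def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, named by the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated entries
                yield dict(zip(fields, parts))

def find_401_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: time its 401 count in the window first hit threshold}."""
    recent = defaultdict(deque)  # per-client timestamps of recent 401s
    alerts = {}
    for rec in parse_w3c(lines):
        if rec.get("sc-status") != "401":
            continue
        if not rec.get("cs-uri-stem", "").lower().startswith(WATCHED_PREFIXES):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop 401s older than the window
            q.popleft()
        if len(q) >= threshold and rec["c-ip"] not in alerts:
            alerts[rec["c-ip"]] = ts
    return alerts

def constructed_sample():
    """Constructed log: one client failing repeatedly, one normal NTLM login."""
    hdr = "#Fields: date time cs-method cs-uri-stem c-ip sc-status"
    noisy = [f"2024-01-01 10:00:{s:02d} GET /EWS/Services.wsdl 203.0.113.7 401"
             for s in range(30)]
    normal = ["2024-01-01 10:00:05 POST /EWS/Exchange.asmx 198.51.100.4 401",
              "2024-01-01 10:00:05 POST /EWS/Exchange.asmx 198.51.100.4 401",
              "2024-01-01 10:00:05 POST /EWS/Exchange.asmx 198.51.100.4 200"]
    return [hdr] + noisy + normal

if __name__ == "__main__":
    for ip, ts in find_401_bursts(constructed_sample()).items():
        print(f"{ip}: {THRESHOLD}+ HTTP 401 responses within {WINDOW.seconds}s at {ts}")
```

The threshold sits well above the one or two 401 responses that a legitimate NTLM handshake produces, so ordinary logins such as the second client in the sample do not alert.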

Tool 2: SSC_extractor.py, an Exchange Autodiscover domain user ID grabber

 _____ _            __      _                  _
/__   \ |__   ___  /__\_  _| |_ _ __ __ _  ___| |_ ___  _ __
  / /\/ '_ \ / _ \/_\ \ \/ / __| '__/ _` |/ __| __/ _ \| '__|
 / /  | | | |  __//__  >  <| |_| | | (_| | (__| || (_) | |
 \/   |_| |_|\___\__/ /_/\_\\__|_|  \__,_|\___|\__\___/|_|


                            Developed and designed by Lazaar Sami
                            inspired by adisenum.rb, http://h.foofus.net/goons/n8/tools/exchange/
                            lazaars@gmail.com

Microsoft Exchange Autodiscover User Account Enumeration Information Disclosure.

This tool extracts domain user IDs by using an email address dictionary and exploiting a flaw in the Autodiscover service of the Exchange server.

Usage:

python SSC_extractor.py

Dependencies: requests, urlparse, urllib2, httplib, prettytable, etaprogress, testchallenge (included in the Repository)

Ex: pip install requests

Email addresses are collected using https://github.com/laramies/theHarvester. Ex:

theHarvester -d domain -b all
