利用NTLM Hash读取Exchange邮件

Related tags

Security related resourcesGetMail
Overview

GetMail

利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。其实Exchange提供了利用NTLM Hash凭据进行验证的方法,从而可以进行任何操作。本程序支持邮箱目录结构的列举、邮件的阅读、附件的下载、关键字的搜索等功能,支持明文密码和NTLM Hash凭证两种认证方式。

参数介绍

  • -h, --help show this help message and exit
  • -u USER, --user=USER Please Input Username!
  • -H HASH, --hash=HASH Please Input Ntlmhash: xx:xx Or xxxx!
  • -p PSWD, --pswd=PSWD Please Input Password!
  • -e EMAIL, --email=EMAIL Please Input Email Address!
  • -c COUNT, --count=COUNT Please Input How Many Emails You Want To Read!
  • -s SERVER, --server=SERVER Please Input Email Server Address!
  • -k KEYWORD, --keyword=KEYWORD Please Input Keyword To Search!
  • -L, --List List All Email Floders!
  • -D, --download Whether Download Attachment Files Or Not!
  • -d, --display Show All Email Floders!
  • -l, --list List All Email Floders!
  • -f FLODER, --folder=FLODER Please Input Email Floder Name!

使用

列举邮箱目录结构

python3 getmail.py -u [USERNAME] -p [PASSWORD] -e [EMAIL ADDRESS] -L
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -L

阅读邮件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)
python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面) -k [Keyword](展示包含关键字的邮件)

下载附件

python3 getmail.py -u [USERNAME] -H [NTLMHASH] -e [EMAIL ADDRESS] -f [文件夹,默认是Inbox] -c 阅读邮件数量(按照时间倒序,最近的在最前面)——D

ISSUE修复记录

  • 0x01 默认Inbox收件箱邮件阅读超过20封时候有会问题【已修复】
  • 0x02 同名附件自动下载导致附件覆盖问题【已修复】

Changelog

  • v1.1 20210421
    • 支持展示抄送、密送
    • 优化展示效果
    • 修复一些bug
  • v1.1 20210422 增加GUI版本
    • Mac测试通过 image





























Owner









[email protected]



Information Security Engineer



<a href=[email protected]">




 GitHub Repository










A TCP Backdoor made in python


 Tracey-Backdoor A Reverse Shell Backdoor made in python OOP. It supposed to work in Windows and Linux OS Functions: Reverse Connection Send Reverse TC






 13  Oct 15, 2022









Yesitsme - Simple OSINT script to find Instagram profiles by name and e-mail/phone


 Simple OSINT script to find Instagram profiles by name and e-mail/phone 






 108  Jan 07, 2023









An easy-to-use wrapper for NTFS-3G on macOS


 ezNTFS ezNTFS is an easy-to-use wrapper for NTFS-3G on macOS. ezNTFS can be used as a menu bar app, or via the CLI in the terminal. Installation To us





Matthew Go
 34  Dec 01, 2022









xkeysnail is yet another keyboard remapping tool for X environment written in Python


 xkeysnail is yet another keyboard remapping tool for X environment written in Python. It's like xmodmap but allows more flexible remappings.





Masafumi Oyamada
 809  Dec 26, 2022









Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3


 Shortlink-Bypass Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3 Support Shortlink tii.ai/tei.





Wan Naz ID
 6  Oct 24, 2022









Some Attacks of Exchange SSRF ProxyLogon&ProxyShell


 Some Attacks of Exchange SSRF This project is heavily replicated in ProxyShell, NtlmRelayToEWS https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag Get 1





Jumbo
 129  Dec 30, 2022









Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking


 Big-Papa is a remote cookie stealer which can then be used for session hijacking and Bypassing 2 Factor Authentication







 77  Jan 03, 2023









A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)


 CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability





Pedro Havay
 20  Nov 11, 2022









Kunyu, more efficient corporate asset collection


 Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act





Knownsec, Inc.
 772  Jan 05, 2023









An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilites to change the configuration of the device.


 TMOHS1 Root Utility Description An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several 






 40  Dec 29, 2022









Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3


 Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR





Pushpender Singh
 9  Dec 12, 2022









This project is all about building an amazing application that will help users manage their passwords and even generate new passwords for them


 An amazing application that will help us manage our passwords and even generate new passwords for us.






 1  Jan 23, 2022









Tools to make working the Arch Linux Security Tracker easier


 This is a collection of Python scripts to make working with the Arch Linux Security Tracker easier.





Jonas Witschel
 6  Jul 13, 2022









解密哥斯拉webshell管理工具流量


 kingkong 解密哥斯拉Godzilla-V2.96 webshell管理工具流量 目前只支持jsp类型的webshell流量解密 Usage 获取攻击者上传到服务器的webshell样本 获取wireshark之类的流量包,一般甲方有科来之类的全流量镜像设备,联系运维人员获取,这里以test.





h4ck for fun
 46  Dec 21, 2022









Facebook Fast Cracking Tool With Python


 Pro-Crack Facebook Fast Cracking Tool This is a multi-password‌ cracking tool that can help you hack facebook accounts very quickly Installation On Te





ReD H4CkeR
 5  Feb 19, 2022









A toolkit for web reconnaissance, it's fast and easy to use.


 A toolkit for web reconnaissance, it's fast and easy to use. File Structure httpsuite/ main.py init.py db/ db.py init.py subdomains_db directories_db 





whoami security
 22  Jul 22, 2022









This is simple python FTP password craker. To crack FTP login using wordlist based brute force attack


 This is simple python FTP password craker. To crack FTP login using wordlist based brute force attack





Varun Jagtap
 5  Oct 08, 2022









Fast python tool to test apache path traversal CVE-2021-41773 in a List of url 


 CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p





Zahir Tariq
 12  Nov 09, 2022









Just another script for automatize boolean-based blind SQL injections.


 SQL Blind Injection Tool A script for automatize boolean-based blind SQL injections. Works with SQLite at least, supports using cookies. It uses bitwi





RIM
 51  Dec 15, 2022









CVE-2021-45232-RCE-多线程批量漏洞检测


 CVE-2021-45232-RCE CVE-2021-45232-RCE-多线程批量漏洞检测 FOFA 查询 title="Apache APISIX Das





孤桜懶契
 36  Sep 21, 2022