
nyxgeek / Lyncsmash

locate and attack Lync/Skype for Business

██╗  ██╗   ██╗███╗   ██╗ ██████╗███████╗███╗   ███╗ █████╗ ███████╗██╗  ██╗
██║  ╚██╗ ██╔╝████╗  ██║██╔════╝██╔════╝████╗ ████║██╔══██╗██╔════╝██║  ██║
██║   ╚████╔╝ ██╔██╗ ██║██║     ███████╗██╔████╔██║███████║███████╗███████║
██║    ╚██╔╝  ██║╚██╗██║██║     ╚════██║██║╚██╔╝██║██╔══██║╚════██║██╔══██║
███████╗██║   ██║ ╚████║╚██████╗███████║██║ ╚═╝ ██║██║  ██║███████║██║  ██║
╚══════╝╚═╝   ╚═╝  ╚═══╝ ╚═════╝╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝

a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations

Note: these tools will not work with Skype/Lync installations hosted at Microsoft.


DerbyCon 6.0 YouTube link: https://www.youtube.com/watch?v=v0NTaCFk6VI

DerbyCon 6.0 Slide Deck: https://github.com/nyxgeek/nyxgeek-slides/blob/master/TheWeakestLync.pdf

scripts

  • lyncsmash.py - enumerate users via an auth timing bug while brute forcing, lock accounts, locate Lync installs
  • find_domain.sh - example of how to use Nmap with http-ntlm-info script to discover internal NetBIOS & domain names
  • brute_force_ntlm.sh - example of a brute force attack against Skype/Lync using Medusa
  • ntlm-info.py - script to get NetBIOS Domain name from NTLM auth

wordlists

  • skype-directories.txt - a listing of directories that may have NTLM-auth enabled
  • alexa-top-20000-sites.txt - a listing of the top 20,000 Alexa sites - to be used with discover mode

If you're looking for username lists, I highly recommend 'Statistically Likely Usernames': https://github.com/insidetrust/statistically-likely-usernames.git


using lyncsmash.py

lyncsmash has three operating modes:

  • enum - use to enumerate users via the auth timing attack
  • discover - will take a list of domains and determine which use Skype for Business/Lync
  • lock - make repeated bad authentication attempts in order to lock out an account

lyncsmash.py enum - enumerate users

** WARNING: THIS PERFORMS A DOMAIN LOGIN ATTEMPT AND CAN LOCK OUT ACCOUNTS **

Parameters:
    -H  hostname
    -U  username list
    -p  password
    -P  password list
    -d  NetBIOS domain
    -o  output file
    -t  manually set timeout
    -r  randomize the user input list

In this mode lyncsmash will enumerate usernames via a timing attack against the WebTicket service on the Lync Front-End server. If a bad username and/or domain is specified, the response takes noticeably longer; if the user is valid, the response comes back quickly. Because the attack depends on measuring response times, it can only be run single-threaded.

usage:

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt

or

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO

lyncsmash.py discover - discovering domains that are running Skype/Lync

Parameters:
    -H  host list - one DNS base domain per line

In this mode lyncsmash will attempt to resolve various Skype/Lync subdomains via DNS and returns a score based on the number of indicators found. Wildcard domains are discarded.

usage:

python lyncsmash.py discover -H domain_list.txt

lyncsmash.py lock - lock out an account with repeated login failures

** WARNING: THIS WILL LOCK OUT ACCOUNTS. **

Parameters:
    -H  hostname
    -u  username to lock out
    -d  NetBIOS domain

In this mode lyncsmash will make 5 login attempts with an incorrect password, attempting to lock out a user account.

usage:

python lyncsmash.py lock -H 2013-lync-fe.contoso.com -u administrator -d CONTOSO
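Both the enum mode and the lock mode described above leave the same trace on the Front-End: runs of failed authentication against the WebTicket service, either many usernames from one client or one username hit repeatedly. As an added example of what a defender can look for (this is not part of lyncsmash), the script below flags both patterns in constructed, simplified log lines; the /WebTicket/ URI prefix, the thresholds and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real Lync or IIS output): time, client IP, DOMAIN\user, URI, status.
SAMPLE_LOG = r"""
2017-01-10T09:00:01 203.0.113.7 CONTOSO\alice /WebTicket/WebTicketService.svc 401
2017-01-10T09:00:02 203.0.113.7 CONTOSO\bob /WebTicket/WebTicketService.svc 401
2017-01-10T09:00:03 203.0.113.7 CONTOSO\carol /WebTicket/WebTicketService.svc 401
2017-01-10T09:00:04 203.0.113.7 CONTOSO\dave /WebTicket/WebTicketService.svc 401
2017-01-10T09:00:05 203.0.113.7 CONTOSO\erin /WebTicket/WebTicketService.svc 401
2017-01-10T09:01:00 198.51.100.9 CONTOSO\administrator /WebTicket/WebTicketService.svc 401
2017-01-10T09:01:01 198.51.100.9 CONTOSO\administrator /WebTicket/WebTicketService.svc 401
2017-01-10T09:01:02 198.51.100.9 CONTOSO\administrator /WebTicket/WebTicketService.svc 401
2017-01-10T09:01:03 198.51.100.9 CONTOSO\administrator /WebTicket/WebTicketService.svc 401
2017-01-10T09:01:04 198.51.100.9 CONTOSO\administrator /WebTicket/WebTicketService.svc 401
2017-01-10T09:02:00 192.0.2.5 CONTOSO\alice /WebTicket/WebTicketService.svc 200
"""

AUTH_PREFIX = "/webticket/"  # assumed URI prefix of the Lync WebTicket service
WINDOW = timedelta(minutes=5)
ENUM_USERS = 5   # distinct failing users from one client within WINDOW
LOCK_FAILS = 5   # failures for one user within WINDOW (lyncsmash lock sends 5)

def parse(line):
    ts, client, user, uri, status = line.split()
    return datetime.fromisoformat(ts), client, user.lower(), uri.lower(), int(status)

def detect(log_text):
    """Return (kind, subject, count) alerts for WebTicket auth-failure patterns."""
    by_client, by_user = defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, user, uri, status = parse(raw)
        if not uri.startswith(AUTH_PREFIX) or status != 401:
            continue                       # only failed auth against WebTicket
        by_client[client].append((ts, user))
        by_user[user].append((ts, client))
    alerts = []
    for client, events in by_client.items():   # many users, one source: enumeration/spray
        cutoff = events[-1][0] - WINDOW
        users = {u for ts, u in events if ts >= cutoff}
        if len(users) >= ENUM_USERS:
            alerts.append(("enumeration", client, len(users)))
    for user, events in by_user.items():       # one user, repeated failures: lockout
        cutoff = events[-1][0] - WINDOW
        fails = sum(1 for ts, _ in events if ts >= cutoff)
        if fails >= LOCK_FAILS:
            alerts.append(("lockout", user, fails))
    return alerts
```

Every NTLM handshake begins with a 401, so on real IIS logs use the sub-status and win32-status fields to count only rejected credentials rather than the initial challenge of each handshake.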


ntlm-info.py

This script examines the HTTP headers from a null NTLM auth attempt. It will test against the /abs/ directory by default but any directory can be specified as a second argument (see below). This is a remake of the http-ntlm-info script from nmap (https://nmap.org/nsedoc/scripts/http-ntlm-info.html).

Additional potential NTLM auth directories can be found in this repository under wordlists (https://github.com/nyxgeek/lyncsmash/blob/master/wordlists/skype-directories.txt).

If you're having trouble locating NTLM auth directories, I wrote a script to scan for them: (https://github.com/nyxgeek/ntlmscan).

Requires requests_ntlm -- install with:

pip install requests_ntlm

Usage:

python ntlm-info.py dialin.domain.com

python ntlm-info.py dialin.domain.com RequestHandlerExt
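To check what your own Front-End discloses in that challenge, here is an added example (not ntlm-info.py and not the nmap script) that decodes the token of a WWW-Authenticate: NTLM header as an NTLM CHALLENGE_MESSAGE per MS-NLMP and lists the TargetName and AV_PAIR names it carries; the sample header, host names and negotiate flags are constructed.

```python
import base64
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1; these are the names a challenge can disclose.
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}

def parse_type2(blob):
    """Return (TargetName, {AV name: value}) from an NTLM CHALLENGE_MESSAGE."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (type 2)")
    name_len, _, name_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", blob, 40)
    # NTLMSSP_NEGOTIATE_UNICODE (0x1) selects UTF-16LE; otherwise OEM text
    codec = "utf-16-le" if flags & 1 else "latin-1"
    target = blob[name_off:name_off + name_len].decode(codec)
    pairs, pos, end = {}, info_off, info_off + info_len
    while pos + 4 <= end:                      # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                         # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return target, pairs

def parse_www_authenticate(header_value):
    """Decode the token of a 'WWW-Authenticate: NTLM <base64>' header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header carries no NTLM challenge token")
    return parse_type2(base64.b64decode(token))

def build_type2(target, av_pairs):
    """Build a constructed challenge for offline testing (not a real server reply)."""
    u16 = lambda s: s.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in av_pairs)
    info += struct.pack("<HH", 0, 0)           # MsvAvEOL
    tname = u16(target)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tname), len(tname), 48)     # TargetName follows the 48-byte header
    msg += struct.pack("<I", 0x00810205) + b"\x11" * 8 + b"\x00" * 8  # flags, challenge, reserved
    msg += struct.pack("<HHI", len(info), len(info), 48 + len(tname))
    return msg + tname + info

# Constructed sample header, as a Front-End might return it to an unauthenticated request.
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_type2("CONTOSO", [
    (2, "CONTOSO"), (1, "LYNC-FE"), (4, "contoso.local"), (3, "lync-fe.contoso.local")])).decode()
```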

thanks!

Thanks to @coldfusion39, @spoonman1091, @nettitude, @shellfail, picarddam, @fals3s3t, and @Oddvarmoe for contributing fixes and improvements!
