Exchange Web Service(EWS)开发指南6——requests_ntlm
source link: https://3gstudent.github.io/Exchange-Web-Service(EWS)%E5%BC%80%E5%8F%91%E6%8C%87%E5%8D%976-requests_ntlm
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Exchange Web Service(EWS)开发指南6——requests_ntlm
22 Nov 20210x00 前言
在之前的文章《Exchange Web Service(EWS)开发指南4——Auto Downloader》和《Exchange Web Service(EWS)开发指南5——exchangelib》介绍了两种利用hash访问Exchange资源的方法,各有特点。 前者采用了较为底层的通信协议,在功能实现上相对繁琐,但是有助于理解通信协议原理和漏洞利用。后者借助第三方库exchangelib,开发便捷,但是不太适用于漏洞利用。
站在漏洞利用的角度,如果仅使用封装NTLM认证的第三方包,既不影响漏洞利用,又能兼顾效率。
所以本文选取了第三方包requests_ntlm,以自动化下载邮件和提取附件为例,开源代码,介绍用法。
0x01 简介
本文将要介绍以下内容:
- requests_ntlm用法
0x02 requests_ntlm用法
说明文档:
https://github.com/requests/requests-ntlm
1.两种登录方法
我在低于1.0.0版本的requests_ntlm.py找到了使用Hash登录的方法,代码位置:
https://github.com/requests/requests-ntlm/blob/v0.3.0/requests_ntlm/requests_ntlm.py#L16
这里可以找到使用Hash登录的参数格式为ABCDABCDABCDABCD:ABCDABCDABCDABCD
两种登录Exchange的示例代码如下:
(1)明文登录
target = "192.168.1.1"
username = "[email protected]"
password = "password1"
res = requests.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY, headers=headers, verify=False, auth=HttpNtlmAuth(username, password))
print(res.status_code)
print(res.text)
(2)Hash登录
target = "192.168.1.1"
username = "[email protected]"
hash = "00000000000000000000000000000000:5835048CE94AD0564E29A924A03510EF"
res = requests.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY, headers=headers, verify=False, auth=HttpNtlmAuth(username, hash))
print(res.status_code)
print(res.text)
2.Session机制
requests_ntlm支持Session机制,能够减少身份验证的次数,缩短通信数据包,效率更高
0x03 开发细节
1.使用requests_ntlm重新实现ewsManage_Downloader.py
在原有脚本ewsManage_Downloader.py的基础上,只需做以下替换即可
status, responsetext = ntlm_auth_login(host, port, mode, domain, user, data, POST_BODY)
res = requests.post("https://" + host + "/ews/exchange.asmx", data=POST_BODY, headers=headers, verify=False, auth=HttpNtlmAuth(user, data))
status
res.status_code
if res.status_code == "200" and "NoError" in responsetext:
if res.status_code == 200 and "NoError" in res.text:
host, port, mode, domain, user, data
host, mode, user, data
responsetext
res.text
sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5], sys.argv[6]
sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]
path1 + '\\' + sys.argv[5]
path1 + '\\' + sys.argv[3]
最后再去除一些多余的代码即可
完整的代码已上传至github,地址如下:
https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage_requests_ntlm_Downloader.py.py
2.使用Session机制重新实现ewsManage_Downloader.py
通过Session机制能够减少身份验证的次数,缩短通信数据包,效率更高
所以在这里使用Session机制重新实现ewsManage_Downloader.py
换用Session机制的方法示例:
target = "192.168.1.1"
username = "[email protected]"
password = "password1"
res = requests.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY, headers=headers, verify=False, auth=HttpNtlmAuth(username, password))
print(res.status_code)
print(res.text)
res = requests.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY2, headers=headers, verify=False, auth=HttpNtlmAuth(username, password))
print(res.status_code)
print(res.text)
target = "192.168.1.1"
username = "[email protected]"
password = "password1"
session = requests.Session()
session.auth = HttpNtlmAuth(username, password)
res = session.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY, headers=headers, verify=False)
print(res.status_code)
print(res.text)
res = session.post("https://" + target + "/ews/exchange.asmx", data=POST_BODY2, headers=headers, verify=False)
print(res.status_code)
print(res.text)
完整的代码已上传至github,地址如下:
https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage_requests_ntlm_Session_Downloader.py
0x04 小结
在Exchange Web Service(EWS)开发上,使用第三方包requests_ntlm,封装了NTLM认证过程,不仅可以提高开发效率,同时不影响漏洞利用代码的编写,更可以借助Session机制减少认证过程的通信数据,十分推荐。
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK