-
Notifications
You must be signed in to change notification settings - Fork 357
Getting Started
Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the --rpc
flag.
Ruler has been tested against the following systems:
- Exchange 2003
- Exchange 2013
- Exchange 2013 SP1
- Exchange 2016
- Office365
The following Outlook clients have been tested:
- Outlook 2010
- Outlook 2013
- Outlook 2016 (Only Forms work by default)
The easiest way to use Ruler is through the pre-built binaries. These are kept up to date, as far as possible, and can be found in the [Releases].
Ruler is written in Go so you'll need to have Go setup to run/build the project from source. The easiest way to get up and running from source is through go get
.
Get it through Go, make sure you have go modules support:
GO111MODULE=on go get github.com/sensepost/ruler
You can now run the app through go run
in the GOPATH/src/github.com/sensepost/ruler directory:
go run ruler.go -h
When building you'll need to have your GOPATH correctly configured.
The first step as always is to clone the repo. Here it is probably best to clone into $GOPATH/src/github.com/sensepost/ruler
this saves you from having to change a whole bunch of paths. If you are cloning into a different directory, remember you'll need to change all references to github.com/sensepost/ruler
in the imports.
git clone https://github.com/sensepost/ruler.git
Ensure you have the dependencies (go get is the easiest option, otherwise clone the repos into your GOPATH):
go get github.com/urfave/cli
go get github.com/howeyc/gopass
go get gopkg.in/yaml.v2
go get github.com/staaldraad/go-ntlm/ntlm
Then build it
go build
If building on a different branch from master, please see this entry about ensuring you have the correct branch/version.
Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the --rpc
flag.
As mentioned before there are multiple functions to Ruler. In most cases you'll want to first find a set of valid credentials. Do this however you wish, Phishing, Wifi+Mana or brute-force.
Ruler has 8 basic commands, these are:
- display -- list all the current rules
- add -- add a rule
- delete -- delete a rule
- brute -- brute force credentials
- send -- send an email to trigger the shell
- abk -- interact with the GAL (MAPI/HTTP only)
- form -- script execution through custom forms
- help -- show the help screen
There are a few global flags that should be used with most commands, while each command has sub-flags. For details on these, use the help command.
NAME:
ruler - A tool to abuse Exchange Services
USAGE:
ruler-linux64 [global options] command [command options] [arguments...]
VERSION:
2.1.6
DESCRIPTION:
_
_ __ _ _| | ___ _ __
| '__| | | | |/ _ \ '__|
| | | |_| | | __/ |
|_| \__,_|_|\___|_|
A tool by @_staaldraad from @sensepost to abuse Exchange Services.
AUTHOR:
Etienne Stalmans <[email protected]>, @_staaldraad
There are a number of global options, that are required for most uses of Ruler. These are set before the COMMAND
you wish to execute. Think of these as the configuration values that Ruler needs to actually function, credentials etc.
The local options are specific to the command you are executing. These come after the COMMAND
and control the different features exposed by a command.
To view the global options: ./ruler --help
To view the local options: ./ruler command --help
Ruler allows you to supply data via the config file. This allows you to supply values for instances where Exchange may not be exposing the Autodiscover service.
The fields such as email, username, can be left blank, as these can be supplied through the global flags.
Using the config file is simple, just pass the config file location as a global option:
./ruler --config config.yml check
Mandatory options are:
- userdn
- mailbox
- rpcurl -- if rpc is set to true
- mapiurl -- if rpc is set to false
Most values can be found in OWA, through the Options->About tab. The URL is usually: https://owadomain/?ae=Options&t=About
From there you need the following info:
- Exchange mailbox address -> this is your userdn
- Exchange Client Access server name -> this is your mailbox
If you are getting permission denied, it might be worth switching from NTLM auth to Basic auth. This is done by changing ntlm to false.
A sample config file:
username: ""
email: ""
password: ""
hash: ""
domain: ""
userdn: "/o=First Organization/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=0003BFFDFEF9FB24"
mailbox: "[email protected]"
rpcurl: "https://outlook.office365.com/rpc/rpcproxy.dll"
rpc: false
rpcencrypt: true
ntlm: true
mapiurl: "https://outlook.office365.com/mapi/emsmdb/"
More information on the Config option is available in this issue