Microsoft Exchange Service Abuse
Ruler is a tool that allows you to interact with Exchange servers through the MAPI/HTTP protocol. The main aim is abuse the client-side Outlook mail rules.
“Silentbreak did a great job with this attack and it has served us well. The only downside has been that it takes time to get setup. Cloning a mailbox into a new instance of Outlook can be time consuming. And then there is all the clicking it takes to get a mailrule created. Wouldn’t the command line version of this attack be great? And that is how Ruler was born.”
What does it do?
Ruler has multiple functions and more are planned. These include
Enumerate valid users
View currently configured mail rules
Create new malicious mail rules
Delete mail rules
Dump the Global Address List (GAL)
VBScript execution through forms
Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.
Getting the Code
Ruler is written in Go so you’ll need to have Go setup to run/build the project from source. The easiest way to get up and running from source is through go get.
Get it through Go:
go get github.com/sensepost/ruler
You can now run the app through go run in the GOPATH/src/github.com/sensepost/ruler directory:
go run ruler.go -h
Microsoft Exchange Service Abuse: Ruler Documentation
Interacting with Exchange
Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the --rpc flag.
As mentioned before there are multiple functions to Ruler. In most cases you’ll want to first find a set of valid credentials. Do this however you wish, Phishing, Wifi+Mana or brute-force.
Ruler has 8 basic commands, these are:
display — list all the current rules
add — add a rule
delete — delete a rule
brute — brute force credentials
send — send an email to trigger the shell
abk — interact with the GAL (MAPI/HTTP only)
form — script execution through custom forms
help — show the help screen
There are a few global flags that should be used with most commands, while each command has sub-flags. For details on these, use the help command.
NAME:
ruler - A tool to abuse Exchange Services
USAGE:
ruler-linux64 [global options] command [command options] [arguments...]
VERSION:
2.0.17
DESCRIPTION:
_
_ __ _ _| | ___ _ __
| '__| | | | |/ _ \ '__|
| | | |_| | | __/ |
|_| \__,_|_|\___|_|
A tool by @_staaldraad from @sensepost to abuse Exchange Services.
AUTHOR:
Etienne Stalmans <etienne@sensepost.com>, @_staaldraad
Download