Ruler and Liniaal @ Troopers 17
1 likeâ˘1,880 views
The document outlines methods for exploiting Microsoft Exchange vulnerabilities through various techniques such as shell persistence and recon automation. It discusses a range of tools, malicious Outlook rules, and potential defenses to prevent exploitation. Additionally, it provides resources and links for further exploration and understanding of the exploited features and defensive measures.
![https://www.censys.io/certificates?q=parsed.names%3A+%28mail.onmicrosoft.com%29
[a-z0-9]*.mail.onmicrosoft.com](https://image.slidesharecdn.com/ruler-troopers17-170324094655/85/Ruler-and-Liniaal-Troopers-17-10-320.jpg)
![RPC/HTTP
00000000 05 00 00 03 10 00 00 00 98 01 10 00 05 00 00 00 |................|
00000010 80 01 00 00 01 00 0a 00 70 68 5c 85 ed be f8 cc |........ph.....|
00000020 c0 30 97 3f b0 6b c0 39 95 02 31 59 1f 1c 31 4c |.0.?.k.9..1Y..1L|
00000030 15 43 2f 8b 5c 24 f0 0c cf 8a 20 00 ad c7 53 fa |.C/.$.... ...S.|
00000040 c1 09 3c 97 a1 c9 a6 49 13 8e 3c 43 4b f9 68 f8 |..<....I..<CK.h.|
00000050 62 04 ea 9f 50 39 54 fe 6f df ff 3e b6 8a 83 88 |b...P9T.o..>....|
00000060 b4 0f ba 27 47 ec c5 c9 05 dd 62 70 04 8b 88 97 |...'G.....bp....|
00000070 6d 6a cf 22 cc a2 22 6f 24 a4 84 4f f1 37 8f e3 |mj.".."o$..O.7..|
00000000 05 00 0b 17 10 00 00 00 78 00 28 00 01 00 00 00 |........x.(.....|
00000010 f8 0f f8 0f 00 00 00 00 01 00 00 00 01 00 01 00 |................|
00000020 00 db f1 a4 47 ca 67 10 b3 1f 00 dd 01 06 62 da |....G.g.......b.|
00000030 00 00 51 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 |..Q..]..........|
00000040 2b 10 48 60 02 00 00 00 0a 06 00 00 00 00 00 00 |+.H`............|
00000050 4e 54 4c 4d 53 53 50 00 01 00 00 00 b7 82 08 e2 |NTLMSSP.........|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 05 01 28 0a 00 00 00 0f |..(.....|
HTTP
DCE/RPC
MAPI
[Encrypted]](https://image.slidesharecdn.com/ruler-troopers17-170324094655/85/Ruler-and-Liniaal-Troopers-17-23-320.jpg)
Ruler and Liniaal @ Troopers 17
- 3. Outline Using Exchange to pop and persist shells Recon Exploit DefendPersist
- 4. Exchange
- 6. Recon
- 8. 10%
- 11. Gain Access
- 13. 18,287 domains
- 15. Exploit
- 16. Automation
- 18. Nothing to see here... pew.zips.exe localhostc$usersuseronedrives.exe host.com@SSLwebdav
- 20. MAPI Message Application Programming Interface
- 22. RPC/HTTP /rpcproxy.dll? CAS 1 CAS 2 CAS 3 CAS n Outlook/Ruler RPC_DATA_IN RPC_DATA_OUT
- 23. RPC/HTTP 00000000 05 00 00 03 10 00 00 00 98 01 10 00 05 00 00 00 |................| 00000010 80 01 00 00 01 00 0a 00 70 68 5c 85 ed be f8 cc |........ph.....| 00000020 c0 30 97 3f b0 6b c0 39 95 02 31 59 1f 1c 31 4c |.0.?.k.9..1Y..1L| 00000030 15 43 2f 8b 5c 24 f0 0c cf 8a 20 00 ad c7 53 fa |.C/.$.... ...S.| 00000040 c1 09 3c 97 a1 c9 a6 49 13 8e 3c 43 4b f9 68 f8 |..<....I..<CK.h.| 00000050 62 04 ea 9f 50 39 54 fe 6f df ff 3e b6 8a 83 88 |b...P9T.o..>....| 00000060 b4 0f ba 27 47 ec c5 c9 05 dd 62 70 04 8b 88 97 |...'G.....bp....| 00000070 6d 6a cf 22 cc a2 22 6f 24 a4 84 4f f1 37 8f e3 |mj.".."o$..O.7..| 00000000 05 00 0b 17 10 00 00 00 78 00 28 00 01 00 00 00 |........x.(.....| 00000010 f8 0f f8 0f 00 00 00 00 01 00 00 00 01 00 01 00 |................| 00000020 00 db f1 a4 47 ca 67 10 b3 1f 00 dd 01 06 62 da |....G.g.......b.| 00000030 00 00 51 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 |..Q..]..........| 00000040 2b 10 48 60 02 00 00 00 0a 06 00 00 00 00 00 00 |+.H`............| 00000050 4e 54 4c 4d 53 53 50 00 01 00 00 00 b7 82 08 e2 |NTLMSSP.........| 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000070 05 01 28 0a 00 00 00 0f |..(.....| HTTP DCE/RPC MAPI [Encrypted]
- 24. MAPI/HTTP /mapi/ CAS 1 CAS 2 CAS 3 CAS n Outlook/Ruler HTTP
- 27. Persistence
- 28. Never going to give you up
- 29. Iâll never let you go @slobtresix0 - Scot Berner
- 31. Donât Traverse Traditional Network Boundary Hidden Comms Hidden Unless you know where to look
- 33. Defence
- 35. Gateway - Block all WebDAV MFA - Exchange 2016, Office 365 Blocking
- 36. Gateway - Logging on Exchange Host - Outlook rules scanning Detection