Port msmailprobe(Nick Powers) + Cleanup for GO bridge

[clee-r7]

OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate email.
Error-based user enumeration for Office 365 integrated email addresses

Verification

• Start msfconsole
• use auxiliary/scanner/msmail/exchange_enum
• set (EMAILorEMAIL_FILE)
• run
• creds
  Results should look something like below if valid users were found:

host      origin    service        public  private  realm  private_type
----      ------    -------        ------  -------  -----  ------------
<ip>      <ip>      443/tcp (owa)  chris@somecompany.com

OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
Identify Command

• Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain
• Queries for specific DNS records related to Office 365 integration
• Attempts to extract internal domain name for onprem instance of Exchange
• Identifies services vulnerable to time-based user enumeration for onprem Exchange
• Lists password-sprayable services exposed for onprem Exchange host
  Note: Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed

Verification

• Start msfconsole
• use auxiliary/scanner/msmail/host_id
• set RHOSTS <target>
• run
  Results should look like below:

msf5 > use auxiliary/scanner/msmail/host_id
msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS <host>
RHOSTS => <host>
msf5 auxiliary(scanner/msmail/host_id) > run
[*] Running for <ip>...
[*] Attempting to harvest internal domain:
[*] Internal Domain:
[*] <domain>
[*] [-] Domain is not using o365 resources.
[*] Identifying endpoints vulnerable to time-based enumeration:
[*] [+] https://<host>/Microsoft-Server-ActiveSync
[*] [+] https://<host>/autodiscover/autodiscover.xml
[*] [+] https://<host>/owa
[*] Identifying exposed Exchange endpoints for potential spraying:
[*] [+] https://<host>/oab
[*] [+] https://<host>/ews

OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.

• Error-based user enumeration for on premise Exchange services
  Note: Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed

Verification

• Start msfconsole
• use auxiliary/scanner/msmail/onprem_enum
• set RHOSTS <target>
• set (USERorUSER_FILE`)
• run
• creds
  Results should look something like below if valid users were found:

host      origin    service        public  private  realm  private_type
----      ------    -------        ------  -------  -----  ------------
10.1.1.1  10.1.1.1  443/tcp (owa)
10.1.1.1  10.1.1.1  443/tcp (owa)  chris

[busterb]

The .md file is in a path where not only does it not actually work in Metasploit, but the module actually fails to load. Please move it to the path with all other documentation files are (2 other PRs have landed in the same way; people need to please start using the info -d command to test documentation).

[busterb]

The side-effect of putting the .md file where it is is this in the log:

[11/20/2018 10:09:41] [e(0)] core: /Users/bcook/projects/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enumerator.md failed to load due to the following error:
Errno::ENOENT

[jmartin-tech]

Jenkins test this please.

[busterb]

oops!

[cblack-r7]

This should probably be a MSF configured parameter

[acammack-r7]

That's sorta a WIP thing: #9228

[busterb]

ah right!

[cblack-r7]

I'll try and loop back on a patch on this, but realistically this should probably return an http.Response and error instead of an integer.

[cblack-r7]

This also seems like it should be MSF defined, but it does switch to a "desktop" UA. I talked to Nick and he says that this was to simulate the "real devices" for the devices that normally hit then endpoints (ie a phone generally only accesses the ActiveSync)

[busterb]

We have an old PR of mine that's supposed to cleanup UA handling and make it work properly for external modules. I should go back and finish it up. Don't think it blocks this though.

[busterb]

replace these with some redacted test runs, so someone looking at the docs later would see what the output of this module should look like

[busterb]

shouldn't gofmt pick up spacing things like this?

[clee-r7]

why yes - I'm not sure why IDE doesn't auto run this

[mkienow-r7]

Is this a debug statement from development?

[clee-r7]

bwhaha - thanks

[mkienow-r7]

Consider using File.join for this:

shared_module_lib_path = File.join(File.dirname(module_path), 'shared')

[mkienow-r7]

Minor: space after {, however, no space before }.

[mkienow-r7]

Is there a way to determine the fullname programmatically?

[clee-r7]

if you figure it out let me know :)

[acammack-r7]

The report method should not need this. The Msf::Module::External mixin has access to this info and should be the one using it

[acammack-r7]

This type of interface makes it impossible to report just a username vs a valid login with an empty password.

[mkienow-r7]

This method should behave more like the log method in lib/msf/core/modules/external/python/metasploit/cli.py, otherwise, all callers become responsible for adding the leading log status indicators ([*], [!], [+], etc) to the actual messages themselves. This could result in many inconsistencies in the log.

[busterb]

I think the 'level' string makes metasploit display the correct character at the beginning of the message already. So this should be fine.

[busterb]

cli.py is something that interprets the output of the message that comes from a module like this, so it's a different thing.

[mkienow-r7]

I was unsure of that since there are plenty of locations in this PR where module.LogInfo is being called with a leading indicator in the message string.

[busterb]

Yep, you are right.

[busterb]

also, all of the 'mux.Lock/Unlock' code needs to be fixed

[busterb]

I think this is good to go, we can continue improving in the tree. Thanks all!

Also, oops, hit the wrong button!

[busterb]

Shouldn't auxiliary/scanner/msmail/exchange_enum just have an 'RHOSTS' with a default value of the normal target? Seems silly to force the user to set a value since there actually is one it uses. Also, unregistering or even never registering datastore values is possible. You might just have to declare a new template type though.

[busterb]

sorted out above comment offline, going to land and iterate from there

[acammack-r7]

@busterb, there was still a lot that needs to be fixed. Are we keeping track of that anywhere besides this PR?

[busterb]

@clee-r7 are you going to do that? @mkienow-r7 has some valid points that I missed in time.
The mux code here should all be moved into the library as well.

[busterb]

Chatted with @clee-r7 , he'll take care of the additional issues. Thanks!

[busterb]

Release Notes

This adds additional support for modules written in Go, specifically adding auxiliary scanner and reporting functionality. It also adds three modules for enumerating users with Microsoft Exchange and Office 365.