• Stars
    star
    152
  • Rank 244,685 (Top 5 %)
  • Language
    Python
  • License
    Other
  • Created about 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.

PEAS

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange. It is based on research into Exchange ActiveSync protocol by Adam Rutherford and David Chismon of MWR.

Prerequisites

  • python is Python 2, otherwise use python2
  • Python Requests library

Significant source files

Path Functionality
peas/__main__.py The command line application.
peas/peas.py The PEAS client class that exclusively defines the interface to PEAS.
peas/py_activesync_helper.py The helper functions that control the interface to pyActiveSync.
peas/pyActiveSync/client The pyActiveSync EAS command builders and parsers.

Optional installation

python setup.py install

PEAS application

PEAS can be run without installation from the parent peas directory (containing this readme). PEAS can also be run with the command peas after installation.

Running PEAS

python -m peas [options] <server>

Example usage

Check server

python -m peas 10.207.7.100

Check credentials

python -m peas --check -u luke2 -p ChangeMe123 10.207.7.100

Get emails

python -m peas --emails -u luke2 -p ChangeMe123 10.207.7.100

Save emails to directory

python -m peas --emails -O emails -u luke2 -p ChangeMe123 10.207.7.100

List file shares

python -m peas --list-unc='\\fictitious-dc' -u luke2 -p ChangeMe123 10.207.7.100

python -m peas --list-unc='\\fictitious-dc\guestshare' -u luke2 -p ChangeMe123 10.207.7.100

Note: Using an IP address or FQDN instead of a hostname in the UNC path may fail.

View file on file share

python -m peas --dl-unc='\\fictitious-dc\guestshare\fileonguestshare.txt' -u luke2 -p ChangeMe123 10.207.7.100

Save file from file share

python -m peas --dl-unc='\\fictitious-dc\guestshare\fileonguestshare.txt' -o file.txt -u luke2 -p ChangeMe123 10.207.7.100

Command line arguments

Run python -m peas --help for the latest options.

Options:
  -h, --help            show this help message and exit
  -u USER               username
  -p PASSWORD           password
  --smb-user=USER       username to use for SMB operations
  --smb-pass=PASSWORD   password to use for SMB operations
  --verify-ssl          verify SSL certificates (important)
  -o FILENAME           output to file
  -O PATH               output directory (for specific commands only, not
                        combined with -o)
  -F repr,hex,b64,stdout,stderr,file
                        output formatting and encoding options
  --check               check if account can be accessed with given password
  --emails              retrieve emails
  --list-unc=UNC_PATH   list the files at a given UNC path
  --dl-unc=UNC_PATH     download the file at a given UNC path

PEAS library

PEAS can be imported as a library.

Example code

import peas

# Create an instance of the PEAS client.
client = peas.Peas()

# Display the documentation for the PEAS client.
help(client)

# Disable certificate verification so self-signed certificates don't cause errors.
client.disable_certificate_verification()

# Set the credentials and server to connect to.
client.set_creds({
    'server': '10.207.7.100',
    'user': 'luke2',
    'password': 'ChangeMe123',
})

# Check the credentials are accepted.
print("Auth result:", client.check_auth())

# Retrieve a file share directory listing.
listing = client.get_unc_listing(r'\\fictitious-dc\guestshare')
print(listing)

# Retrieve emails.
emails = client.extract_emails()
print(emails)

Extending

To extend the functionality of PEAS, there is a four step process:

  1. Create a builder and parser for the EAS command if it has not been implemented in pyActiveSync/client. Copying an existing source file for another command and then editing it has proved effective. The Microsoft EAS documentation describes the structure of the XML that must be created and parsed from the response.

  2. Create a helper function in py_activesync_helper.py that connects to the EAS server over HTTPS, builds and runs the command to achieve the desired functionality. Again, copying an existing function such as get_unc_listing can be effective.

  3. Create a method in the Peas class that calls the helper function to achieve the desired functionality. This is where PEAS would decide which backend helper function to call if py-eas-client was also an option.

  4. Add command line support for the feature to the PEAS application by editing peas/__main__.py. A new option should be added that when set, calls the method created in the previous step.

Limitations

PEAS has been tested on Kali 2.0 against Microsoft Exchange Server 2013 and 2016. The domain controller was Windows 2012 and the Exchange server was running on the same machine. Results with other configurations may vary.

py-eas-client support is limited to retrieving emails and causes a dependency on Twisted. It was included when the library was being evaluated but it makes sense to remove it from PEAS now, as all functionality can be provided by pyActiveSync.

The licence may be restrictive due to the inclusion of pyActiveSync, which uses the GPLv2.

The requirement to know the hostname of the target machine for file share access may impede enumeration.

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,894
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,498
star
4

needle

The iOS Security Testing Framework
Python
1,331
star
5

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
6

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
913
star
7

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
8

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
9

android-keystore-audit

JavaScript
385
star
10

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
11

Jandroid

Python
323
star
12

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
13

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
14

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
15

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
16

snake

snake - a malware storage zoo
Shell
205
star
17

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
18

IAMSpy

Python
169
star
19

damn-vulnerable-llm-agent

Python
169
star
20

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
21

IceKube

Python
161
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
123
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
113
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
102
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
48
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
22
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
12
star
42

volatility-plugins

Python
11
star
43

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
44

snake-core

snake-core - the real snake
Python
11
star
45

jdiesel

jdiesel fuels the drozer
Java
10
star
46

deject

Memory dump and Sample analysis tool
Python
8
star
47

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
48

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
49

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
50

datamate

Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star