Stars: 330 · Rank: 127,657 (Top 3%) · Language: Python · Created over 8 years ago · Updated 5 months ago


Repository Details

locate and attack Lync/Skype for Business
██╗  ██╗   ██╗███╗   ██╗ ██████╗███████╗███╗   ███╗ █████╗ ███████╗██╗  ██╗
██║  ╚██╗ ██╔╝████╗  ██║██╔════╝██╔════╝████╗ ████║██╔══██╗██╔════╝██║  ██║
██║   ╚████╔╝ ██╔██╗ ██║██║     ███████╗██╔████╔██║███████║███████╗███████║
██║    ╚██╔╝  ██║╚██╗██║██║     ╚════██║██║╚██╔╝██║██╔══██║╚════██║██╔══██║
███████╗██║   ██║ ╚████║╚██████╗███████║██║ ╚═╝ ██║██║  ██║███████║██║  ██║
╚══════╝╚═╝   ╚═╝  ╚═══╝ ╚═════╝╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝

a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations

Note: these tools will not work with Skype/Lync installations hosted at Microsoft.


DerbyCon 6.0 YouTube link: https://www.youtube.com/watch?v=v0NTaCFk6VI

DerbyCon 6.0 Slide Deck: https://github.com/nyxgeek/nyxgeek-slides/blob/master/TheWeakestLync.pdf

scripts

  • lyncsmash.py - enumerate users via the auth timing bug while brute forcing, lock accounts, and locate Lync installs
  • find_domain.sh - example of how to use Nmap with the http-ntlm-info script to discover internal NetBIOS and domain names
  • brute_force_ntlm.sh - example of a brute force attack against Skype/Lync using Medusa
  • ntlm-info.py - script to get the NetBIOS domain name from an NTLM auth exchange

wordlists

  • skype-directories.txt - a listing of directories that may have NTLM-auth enabled
  • alexa-top-20000-sites.txt - a listing of the top 20,000 Alexa sites - to be used with discover mode

If you're looking for username lists, I highly recommend 'Statistically Likely Usernames': https://github.com/insidetrust/statistically-likely-usernames.git


using lyncsmash.py

lyncsmash has three operating modes:

  • enum - enumerate users via the auth timing attack
  • discover - take a list of domains and determine which ones use Skype for Business/Lync
  • lock - make repeated bad authentication attempts in order to lock out an account

lyncsmash.py enum - enumerate users

** WARNING: THIS PERFORMS A DOMAIN LOGIN ATTEMPT AND CAN LOCK OUT ACCOUNTS **

Parameters:
    -H  hostname
    -U  username list
    -p  password
    -P  password list
    -d  NetBIOS domain
    -o  output file
    -t  manually set timeout
    -r  randomize the user input list
    -s  sleep between each request (seconds) (enum only)

In this mode lyncsmash enumerates usernames via a timing attack against the Webticket service on the Lync Front-End server. If the username and/or domain is invalid, the response takes a long time; if the user is valid, the response comes back quickly. Because the attack depends on measuring response times, it can only be run single-threaded.

usage:

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt

or

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO

lyncsmash.py discover - discovering domains that are running Skype/Lync

Parameters:
    -H  host list - one DNS base domain per line

In this mode lyncsmash attempts to resolve various Skype/Lync subdomains via DNS and returns a score based on the number of indicators found. Wildcard domains are discarded.

usage:

python lyncsmash.py discover -H domain_list.txt

lyncsmash.py lock - lock out an account with repeated login failures

** WARNING: THIS WILL LOCK OUT ACCOUNTS. **

Parameters:
    -H  hostname
    -u  username to lock out
    -d  NetBIOS domain

In this mode lyncsmash makes 5 login attempts with an incorrect password in order to lock out the user account.

usage:

python lyncsmash.py lock -H 2013-lync-fe.contoso.com -u administrator -d CONTOSO
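Both the enum mode (many single-threaded authentication attempts against the Webticket service) and the lock mode (5 failed logins against one account) leave the same footprint on the front-end: a burst of 401 responses on the Webticket endpoint from one client address. The following detection example is added here and is not part of lyncsmash; it runs over constructed IIS W3C log lines, and the Webticket path, the log field order and the threshold of 5 are assumptions to adapt to your own front-end.

```python
"""Detection example for the enum and lock modes described above: find
client IPs that hammer the Lync/SfB Webticket endpoint with failed (401)
authentications. Added as an illustration; it is not part of lyncsmash.
The log lines are constructed, and the Webticket path, the IIS field order
and the threshold are assumptions for your own logging configuration."""
from collections import defaultdict
from datetime import datetime, timedelta

WEBTICKET_PATH = "/webticket/webticketservice.svc"  # assumed endpoint path, lower-cased

# Constructed IIS W3C extended log excerpt (the field order is an assumption).
# 203.0.113.5 and 192.0.2.9 are ordinary clients: one 401 for the NTLM
# handshake, then a 200. 198.51.100.7 fails repeatedly and never succeeds.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2017-01-10 09:00:00 203.0.113.5 POST /WebTicket/WebTicketService.svc 401 14
2017-01-10 09:00:00 203.0.113.5 POST /WebTicket/WebTicketService.svc 200 120
2017-01-10 09:00:03 203.0.113.5 GET /abs/ 200 35
2017-01-10 09:01:00 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 3010
2017-01-10 09:01:04 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 2990
2017-01-10 09:01:08 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 310
2017-01-10 09:01:12 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 3005
2017-01-10 09:01:16 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 2978
2017-01-10 09:01:20 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 295
2017-01-10 09:01:24 198.51.100.7 POST /WebTicket/WebTicketService.svc 401 3012
2017-01-10 09:05:00 192.0.2.9 POST /WebTicket/WebTicketService.svc 401 20
2017-01-10 09:05:01 192.0.2.9 POST /WebTicket/WebTicketService.svc 200 98
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts, honouring the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than guessing at them
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])
        records.append(rec)
    return records


def webticket_failures(records):
    """Collect (timestamp, time-taken) of 401s on the Webticket path per client IP."""
    per_ip = defaultdict(list)
    for rec in records:
        if rec["cs-uri-stem"].lower() == WEBTICKET_PATH and rec["sc-status"] == 401:
            per_ip[rec["c-ip"]].append((rec["ts"], rec["time-taken"]))
    return per_ip


def find_auth_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (peak_401s_in_window, mean_time_taken_ms)} for client IPs
    whose failed Webticket auths in any sliding window reach `threshold`.

    A legitimate NTLM handshake produces one 401 before its 200, so the
    threshold must sit well above one per session; 5 (an assumption, tune
    it) also matches the number of attempts the lock mode makes. The mean
    time-taken is reported because the spread of response times is exactly
    the signal the enum mode relies on.
    """
    flagged = {}
    for ip, events in webticket_failures(records).items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            mean_ms = sum(t for _, t in events) / len(events)
            flagged[ip] = (peak, round(mean_ms))
    return flagged


if __name__ == "__main__":
    for ip, (count, mean_ms) in find_auth_bursts(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed Webticket auths within 60s, mean time-taken {mean_ms} ms")
```

The sliding window is what separates an attack from ordinary traffic: a busy front-end sees many 401s overall, but a single address producing five or more within a minute with no 200 in between is the pattern both modes above generate. Feed it real logs via `parse_w3c(open(path).read())` after matching `#Fields:` to your own configuration.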


ntlm-info.py

This script examines the HTTP headers returned from a null NTLM auth attempt. It tests against the /abs/ directory by default, but any directory can be specified as a second argument (see below). This is a remake of the http-ntlm-info script from nmap (https://nmap.org/nsedoc/scripts/http-ntlm-info.html).

Additional potential NTLM auth directories can be found in this repository under wordlists (https://github.com/nyxgeek/lyncsmash/blob/master/wordlists/skype-directories.txt).

If you're having trouble locating NTLM auth directories, I wrote a script to scan for them: (https://github.com/nyxgeek/ntlmscan).

Requires requests_ntlm -- install with:

pip install requests_ntlm

Usage:

python ntlm-info.py dialin.domain.com

python ntlm-info.py dialin.domain.com RequestHandlerExt
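What ntlm-info.py reads out of those headers is the NTLM CHALLENGE_MESSAGE (Type 2) that IIS returns in `WWW-Authenticate: NTLM <base64>` once a client opens the handshake: its TargetName and the TargetInfo AV_PAIRs carry the NetBIOS and DNS names of the server and its domain. The following parser is an added example of that message layout (per MS-NLMP) and is not code from lyncsmash; the challenge it decodes is constructed inline by `build_challenge()` so it runs offline, and the server and domain names in it are made up.

```python
"""Decode what an NTLM CHALLENGE_MESSAGE (Type 2) discloses, which is the
data ntlm-info.py reads out of the WWW-Authenticate header after a null auth
attempt. Added example of the MS-NLMP message layout, not code from lyncsmash;
the challenge below is constructed by build_challenge() so the parser can be
exercised offline, and the server and domain names in it are made up."""
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
HEADER_LEN = 56  # fixed part of a Type 2 message, up to and including Version

AV_NAMES = {  # MsvAv* AvIds whose values are UTF-16LE strings
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}


def build_challenge(target, av_pairs):
    """Constructed Type 2 message for the demo; a real front-end sends its own."""
    target_b = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                           # signature, MessageType
    msg += struct.pack("<HHI", len(target_b), len(target_b), HEADER_LEN)  # TargetNameFields
    msg += struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)   # NegotiateFlags
    msg += b"\x11" * 8                                                     # ServerChallenge (fixed, demo only)
    msg += b"\x00" * 8                                                     # Reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(target_b))  # TargetInfoFields
    msg += struct.pack("<BBHI", 6, 1, 7601, 0x0F000000)                    # Version (arbitrary)
    return msg + target_b + info


def parse_challenge(blob):
    """Return TargetName and the named TargetInfo AV_PAIRs of a Type 2 message."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    t_len, _, t_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {"target_name": blob[t_off:t_off + t_len].decode(enc)}
    if flags & NEGOTIATE_TARGET_INFO:
        pos, end = i_off, i_off + i_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:           # MsvAvEOL
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id in AV_NAMES:    # AV_PAIR strings are always UTF-16LE
                out[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return out


def parse_www_authenticate(header):
    """Decode a 'WWW-Authenticate: NTLM <base64>' header value into its fields."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM token")
    return parse_challenge(base64.b64decode(token))


# Constructed header, as a front-end named 2013-LYNC-FE in domain CONTOSO might send.
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge("CONTOSO", [
    (2, "CONTOSO".encode("utf-16-le")),
    (1, "2013-LYNC-FE".encode("utf-16-le")),
    (4, "contoso.com".encode("utf-16-le")),
    (3, "2013-lync-fe.contoso.com".encode("utf-16-le")),
    (5, "contoso.com".encode("utf-16-le")),
])).decode("ascii")

if __name__ == "__main__":
    for name, value in parse_www_authenticate(SAMPLE_HEADER).items():
        print(f"{name}: {value}")
```

A Type 2 message only appears after a client has sent a Type 1 (NEGOTIATE) token, which is the "null auth attempt" the script makes; the server discloses these names before any credential is checked, so the TargetInfo block is what to inspect when deciding whether an internet-facing directory should answer NTLM at all.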

thanks!

Thanks to @coldfusion39, @spoonman1091, @nettitude, @shellfail, picarddam, @fals3s3t, and @Oddvarmoe for contributing fixes and improvements!
