
ruler's Introduction

Introduction

Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.

The full low-down on how Ruler was implemented and some background regarding MAPI can be found in our blog posts:

For a demo of it in action: Ruler on YouTube

What does it do?

Ruler has multiple functions and more are planned. These include:

  • Enumerate valid users
  • Create new malicious mail rules
  • Dump the Global Address List (GAL)
  • VBScript execution through forms
  • VBScript execution through the Outlook Home Page

Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.

Getting Started

Compiled binaries for Linux, OSX and Windows are available. Find these in Releases. Information about setting up Ruler from source is found in the getting-started guide.

Usage

Ruler has multiple functions; each has its own documentation, which can be found in the wiki:

  • BruteForce -- discover valid user accounts
  • Rules -- perform the traditional, rule based attack
  • Forms -- execute VBScript through forms
  • Homepage -- use the Outlook 'home page' for shell and persistence
  • GAL -- grab the Global Address List

Attacking Exchange

The library included with Ruler allows for the creation of custom messages using MAPI. This, along with the Exchange documentation, is a great starting point for new research. For an example of using this library in another project, see SensePost Liniaal.

License

License: CC BY-NC-SA 4.0

Ruler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.

ruler's People

Contributors

porterhau5, rmaksimov, singe, staaldraad


ruler's Issues

An RPC problem

I had a problem when I used ruler, and I can visit my website https://mail.domain.com and OWA.

[+] Retrieving MAPI/HTTP info
ERROR: 11:31:58 ruler.go:29: mapi: a transport layer error occurred. An error occurred setting up RPC. mapi: a transport layer error occurred. Couldn't setup RPC channel - RPC Setup Err: dial tcp :443: connectex: No connection could be made because the target machine actively refused it.
exit status 4294967295

Same RPC issue as #19 despite latest build

Hey,

I'm currently having the exact same issue that is described in #19

Upon trying to bind it's trying to do:
"mapi: a transport layer error occurred. An error occurred setting up RPC. Time-out reading from RPC"

/ruler-linux64 --domain domain --username "username" --hash hash_here --email "[email protected]" --verbose --url https://domain.com/autodiscover/autodiscover.xml --insecure --rpc --nocache display

I've tried plenty of different variations while debugging it, due to certain characters in the password despite escaping them it would keep giving me 401, so I had to use a hash instead. Which does successfully obtain Autodiscover.xml, and in turn it tries to connect to:

https://company.com/rpc/rpcproxy.dll?company.com:6001

Manually going to the RPCProxy URL asks you for credentials, upon success it shows a blank page, which according to a couple of forums is the correct response, although I don't know for sure.

Also another thing to note, upon removing the domain parameter I get this error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x61ec94]

goroutine 1 [running]:
panic(0x7346a0, 0xc4200120a0)
/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/sensepost/ruler/rpc-http.RPCOutWrite(0xc420088b00, 0x4d, 0x80)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/rpc-http/rpctransport.go:492 +0x24
github.com/sensepost/ruler/rpc-http.RPCBind(0xc420092cd0, 0xc420148638)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/rpc-http/rpctransport.go:242 +0x109
github.com/sensepost/ruler/mapi.mapiConnectRPC(0x58, 0x58, 0xc4201280c0, 0x58, 0x60, 0x97949f0400000000, 0x4e400000000, 0x40900000409, 0x1ffffffff, 0xc420012194, ...)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/mapi/mapi.go:172 +0x407
github.com/sensepost/ruler/mapi.AuthenticateRPC(0x7, 0xc42005e360, 0xc42005e301)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/mapi/mapi.go:331 +0x2ce
github.com/sensepost/ruler/mapi.Authenticate(0xc420080640, 0x78d31d, 0x7)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/mapi/mapi.go:294 +0x36
main.connect(0xc420080640, 0x78c2c8, 0x4)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:337 +0xdaf
main.main.func4(0xc420080640, 0x0, 0xc420080640)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:660 +0x2f
github.com/urfave/cli.HandleAction(0x723b20, 0x7bc0d8, 0xc420080640, 0xc42005e300, 0x0)
/home/staaldraad/Go/gopath/src/github.com/urfave/cli/app.go:483 +0xb9
github.com/urfave/cli.Command.Run(0x78d298, 0x7, 0x0, 0x0, 0xc4200630d0, 0x1, 0x1, 0x794ced, 0x1a, 0x0, ...)
/home/staaldraad/Go/gopath/src/github.com/urfave/cli/command.go:193 +0xb96
github.com/urfave/cli.(*App).Run(0xc420069380, 0xc420086000, 0xe, 0xe, 0x0, 0x0)
/home/staaldraad/Go/gopath/src/github.com/urfave/cli/app.go:250 +0x812
main.main()
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:831 +0x1e25

tl;dr - Same problem as Issue #19 despite having the latest builds as of today.

Error message

Hi

I did a git clone and downloaded ruler, but now I have issues where I cannot run it. Can you assist me, please?

root@spikry:~/ruler# go env

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/root/go"
GORACE=""
GOROOT="/usr/lib/go-1.7"
GOTOOLDIR="/usr/lib/go-1.7/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build661526815=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

root@spikry:~/ruler# go run ruler.go -h
ruler.go:9:2: cannot find package "github.com/sensepost/ruler/autodiscover" in any of:
/usr/lib/go-1.7/src/github.com/sensepost/ruler/autodiscover (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/autodiscover (from $GOPATH)
ruler.go:10:2: cannot find package "github.com/sensepost/ruler/mapi" in any of:
/usr/lib/go-1.7/src/github.com/sensepost/ruler/mapi (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/mapi (from $GOPATH)
ruler.go:11:2: cannot find package "github.com/sensepost/ruler/utils" in any of:
/usr/lib/go-1.7/src/github.com/sensepost/ruler/utils (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/utils (from $GOPATH)

root@spikry:~/ruler# go version
go version go1.7 linux/amd64

Plans to support o365 that is enforcing 2FA?

I've recently encountered some o365 portals that require an SMS authentication code. Are there any plans to update ruler to prompt for the 2FA code after asking for a password when running commands? Currently it seems to just fail with a bad authentication error.

Getting RPC Timeout with Ruler

I am able to find the RPC endpoint and start setting up channels, but then I get this error:
[*] Setting up channels
[+] Binding to RPC
ERROR: 2017/08/29 15:49:56 RPC Timeout
ERROR: 2017/08/29 15:49:56 mapi: a transport layer error occurred. An error occurred setting up RPC. Invalid HTTP response: [HTTP/1.1 503 RPC Error: c0021009]

Freeze on RPC Bind

When executing check or display commands, after autodiscover, "Binding to RPC" causes the ruler process to go to 99% CPU usage and nothing happens after waiting for a long time. This is on the Linux 64 troopers release.

On the slightly older (but most recently available) Windows release the following error occurs:
[x] An error occurred setting up RPC.
[x] Couldn't setup RPC channel - illegal base64 data at input byte 5

Can create rules but receive an Invalid HTTP response: [HTTP/1.1 401 Unauthorized] when creating an Outlook form

./ruler-linux64 --verbose --domain "mydomain" --username Administrator --hash 49623ccc820122ab49b3f0fxxxxxxxxx --email administrator@domain --url https://exchange.domain.com/autodiscover/autodiscover.xml --insecure display

[+] Found cached Autodiscover record. Using this (use --nocache to force new lookup)
[*] RPC URL set: http://exchange.domain.com/rpc/[email protected]:6001
[*] Setting up channels
[+] Binding to RPC
[*] User DN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=60837e670da647f18aab23e43a167ee0-Administrator
[+] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Retrieving Rules
[+] No Rules Found
[*] And disconnecting from server

The above works, and in general I can create any malicious rule I want.


However, I have issues with creating a malicious Outlook form. Specifically, I receive the following.

ERROR: 2017/07/01 12:44:54 RPC Timeout
ERROR: 2017/07/01 12:44:54 mapi: a transport layer error occurred. An error occurred setting up RPC. Invalid HTTP response: [HTTP/1.1 401 Unauthorized]

The credentials I supply are correct and, as mentioned above, I can create rules successfully. Can you help me debug this difference in behaviour between rules and forms?

No autodiscover.xml

Hi,

Thank you for this awesome tool.

I wonder if there is a way to set the parameter that normally would be parsed from the discover.xml?

My problem is that the Exchange server is not well configured and the discover.xml does not exist. I keep getting the following error.

./ruler-linux64 --email email@address --username name --password Password --basic --verbose check
[+] Retrieving MAPI/HTTP info
[*] Autodiscover step 0 - URL: https://domain/autodiscover/autodiscover.xml
ERROR: 2017/05/04 15:09:35 Failed, StatusCode [301]
[*] Autodiscover step 1 - URL: https://autodiscover.domain/autodiscover/autodiscover.xml
[*] Autodiscover step 2 - URL: http://autodiscover.domain/autodiscover/autodiscover.xml
ERROR: 2017/05/04 15:09:36 Failed, StatusCode [404]
ERROR: 2017/05/04 15:09:36 The autodiscover service request did not complete.
Permission Denied or URL not found: StatusCode [404]

I know I could set the URI with --url, but the problem is that there is no discover.xml.

Thank you

New Homepage Exploit

Hi,

I tried the Homepage exploit today, but it didn't work here. It was possible to get an HTML-only homepage, but all the ActiveX WScript.Shell parts ended in an error page.
The error page stated: Site cannot be displayed, make sure that the web address ieframe.dll/dnserrordiagoff.html# is correct.

No Notepad gets executed. The patch is not applied.

I tried to include the Notepad PoC page manually without Ruler:

<title>Outlook</title> <script id=clientEventHandlersVBS language=vbscript> </script>

Any ideas how to get this working?

Greetings

Error when adding rule

Hi Staaldraad

I get the following error when attempting to display rules via RPC.

[+] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Retrieving Rules
ERROR: 2017/09/13 07:39:12 mapi: non-zero return value. ERROR_CODE: 4b9 - {CODE_NOT_FOUND}

Upon attempting to add a rule I get the following:

[+] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox
[+] Adding Rule
[+] Rule Added. Fetching list of rules...
[*] And disconnecting from server

However, I can confirm via mailbox access that the rule has not been created.

Any thoughts?

ADFS integrated Office 365 authentication

First of all, great tool - thanks for your hard work.

I've got a client with ADFS integration, so requests to wget autodiscover.client.com end up first getting redirected to https://outlook.office365.com/owa/?realm=client.com&vd=autodiscover and then subsequently to https://login.microsoftonline.com/login.srf?<REDACTED> and then finally there is one more redirect to the client's own server for authentication before getting sent back to a valid Outlook 365 session.

I noticed that there is a --cookie option and I'm thinking that is one way to attack the issue, but I'm not sure which cookie I should set as there are about 15. So I guess my first question is, would it be possible to implement loading of a cookie file so I could just save all the cookies and provide a valid session?

I was investigating the config file option as well, but the details required seem to be missing from Office 365. I guess I could also set up Burp to see what's going on; that's on my todo list at the moment.

Am I doing something wrong or is this a limitation of ruler at the moment? Thanks!

Static Hostname "RULER"

I was just checking the logs to look for defenses, and I realized that the hostname is always "RULER," even when I change the user agent, which is also "ruler."

From an attacker perspective, this obviously limits value as the defender can just look for hostname RULER events, so I grepped for "ruler" but could not find any relevant code, so I think it may be in a binary file or something. Of course skids will still use the default so defenses can still pick up on them.

I'm wondering if this "RULER" hostname can be changed.
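As an added defender-side illustration (not part of this issue or of Ruler's own code), the following Go program scans a few constructed JSON-lines log records for the two indicators the issue describes: a user agent containing "ruler" and an NTLM workstation name of "RULER". The record format and field names (user_agent, workstation and so on) are assumptions made for this example; map them onto whatever your IIS, Exchange or Windows logon logging actually exports.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a hypothetical, simplified log record. The field names are an
// assumption for this example; in practice the workstation name comes from
// the NTLM authentication (e.g. a Windows logon event) and the user agent
// from the web server's request log.
type Event struct {
	Time        string `json:"time"`
	ClientIP    string `json:"client_ip"`
	User        string `json:"user"`
	Path        string `json:"path"`
	UserAgent   string `json:"user_agent"`
	Workstation string `json:"workstation"`
}

// Finding records an event together with the reasons it matched.
type Finding struct {
	Event   Event
	Reasons []string
}

// matchRuler returns the reasons an event looks like Ruler traffic: the
// default user agent contains "ruler" and, per the issue above, the NTLM
// workstation name is the fixed string "RULER" even when the agent is changed.
func matchRuler(e Event) []string {
	var reasons []string
	if strings.Contains(strings.ToLower(e.UserAgent), "ruler") {
		reasons = append(reasons, "user-agent contains 'ruler'")
	}
	if strings.EqualFold(strings.TrimSpace(e.Workstation), "RULER") {
		reasons = append(reasons, "NTLM workstation name is RULER")
	}
	return reasons
}

// scan reads JSON-lines events and returns those matching either indicator.
func scan(lines string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(lines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		if r := matchRuler(e); len(r) > 0 {
			out = append(out, Finding{Event: e, Reasons: r})
		}
	}
	return out, sc.Err()
}

// sampleLog is constructed for this example; none of these values are real.
const sampleLog = `
{"time":"2017-09-01T10:00:01Z","client_ip":"203.0.113.5","user":"CORP\\alice","path":"/mapi/emsmdb/","user_agent":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)","workstation":"ALICE-LAPTOP"}
{"time":"2017-09-01T10:00:07Z","client_ip":"198.51.100.9","user":"CORP\\bob","path":"/autodiscover/autodiscover.xml","user_agent":"ruler","workstation":"RULER"}
{"time":"2017-09-01T10:00:09Z","client_ip":"198.51.100.9","user":"CORP\\bob","path":"/rpc/rpcproxy.dll","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","workstation":"RULER"}
{"time":"2017-09-01T10:00:15Z","client_ip":"203.0.113.7","user":"CORP\\carol","path":"/owa/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","workstation":"CAROL-PC"}
`

func main() {
	findings, err := scan(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s %s -> %s\n", f.Event.Time, f.Event.ClientIP,
			f.Event.User, f.Event.Path, strings.Join(f.Reasons, "; "))
	}
}
```

The second flagged record shows why the workstation name is the more useful of the two indicators: its user agent has been changed to look like a browser, and only the fixed RULER workstation name still matches.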

Transport Layer Error MAPI

I was able to discover credentials via bruteforce, but I am not able to use them beyond the brute force. All I seem to get is the "transport error occurred" message.

The system is using o365 and ADFS.

localhost:~/go/src/github.com/sensepost/ruler# go run ruler.go --nocache --o365 --debug --verbose --username first.last@<domain>.com --email first.last@<domain>.com -p <redacted> c
[*] Autodiscover step 0 - URL: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
[*] MAPI URL found:  https://outlook.office365.com/mapi/emsmdb/?MailboxId=<redacted>@<domain>.com
[*] MAPI AddressBook URL found:  https://outlook.office365.com/mapi/nspi/?MailboxId=<redacted>@<domain>.com
ERROR: 2017/07/25 16:16:01 mapi: a transport layer error occurred. Got a protocol error response: 
exit status 255

RPC URL set should be https

I am unable to set a channel to port 443, which is open. 'RPC URL set' instead points to port 80, which is filtered. I am reasoning this is the case because of the error: ... RPC Setup Err: dial tcp 10.7.12.10:80: getsockopt: connection timed out. This makes sense as port 80 is indeed filtered. Is there a way to set a channel to 443 (i.e. RPC URL set: https://blahblah)?

./ruler-linux64 --insecure --nocache --domain DOMAIN  --username 'USER' --email "EMAIL" --verbose check
Password:
[+] Retrieving MAPI/HTTP info
[*] Autodiscover step 0 - URL: https://autodiscover.DOMAIN/autodiscover/autodiscover.xml
[*] RPC URL set: http://MAIL.DOMAIN/rpc/rpcproxy.dll?fea6b5b5-35c3-421e-8144-69f0548694bb@DOMAIN:6001
[*] Setting up channels
ERROR: 16:34:20 ruler.go:29: mapi: a transport layer error occurred. An error occurred setting up RPC. mapi: a transport layer error occurred. Couldn't setup RPC channel - RPC Setup Err: dial tcp 10.7.12.10:80: getsockopt: connection timed out

Can't build dev

./ruler.go:397: too many arguments in call to mapi.QueryRows
./ruler.go:410: undefined: utils.Clear in utils.Clear.Printf
./ruler.go:413: undefined: mapi.STAT
./ruler.go:417: too many arguments in call to mapi.QueryRows
./ruler.go:424: undefined: utils.Clear in utils.Clear.Printf
./ruler.go:446: too many arguments in call to mapi.QueryRows
./ruler.go:457: undefined: mapi.STAT
./ruler.go:462: too many arguments in call to mapi.QueryRows

some trouble when began

When I run "go run ruler.go -h" as root, it outputs these words:
ruler.go:15:2: cannot find package "github.com/howeyc/gopass" in any of:
/usr/local/go/src/github.com/howeyc/gopass (from $GOROOT)
/root/go/src/github.com/howeyc/gopass (from $GOPATH)
ruler.go:16:2: cannot find package "github.com/sensepost/ruler/autodiscover" in any of:
/usr/local/go/src/github.com/sensepost/ruler/autodiscover (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/autodiscover (from $GOPATH)
ruler.go:17:2: cannot find package "github.com/sensepost/ruler/forms" in any of:
/usr/local/go/src/github.com/sensepost/ruler/forms (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/forms (from $GOPATH)
ruler.go:18:2: cannot find package "github.com/sensepost/ruler/mapi" in any of:
/usr/local/go/src/github.com/sensepost/ruler/mapi (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/mapi (from $GOPATH)
ruler.go:19:2: cannot find package "github.com/sensepost/ruler/utils" in any of:
/usr/local/go/src/github.com/sensepost/ruler/utils (from $GOROOT)
/root/go/src/github.com/sensepost/ruler/utils (from $GOPATH)
ruler.go:20:2: cannot find package "github.com/urfave/cli" in any of:
/usr/local/go/src/github.com/urfave/cli (from $GOROOT)
/root/go/src/github.com/urfave/cli (from $GOPATH)
root@kali:~/Tools/PentestTools/AutoTools/ruler# go version
go version go1.10 linux/arm
As you can see, that is my Go version. So how can I fix this problem? Thanks for your time.

panic: runtime error: invalid memory address or nil pointer dereference

Hello

Firstly, thanks for this tool!

Second, I'm trying to test it against my work mailbox (I have permission). I have been successful in doing it manually but using ruler I am running into a problem detailed below. From home I am able to upload a malicious rule to my work Outlook profile, send the trigger, and receive a session from my work laptop.

I read through the currently closed issues and set up a dummy Outlook.com account for testing which appears to work no problem:

./ruler -user "XXXX" -pass XXXX -email "[email protected]" -display -url https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
[*] Retrieving MAPI/HTTP info
[*] Doing Autodiscover for domain
[+] MAPI URL found: https://outlook.office365.com/mapi/emsmdb/[email protected]
[+] User DN: /o=First Organization/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=00034001FB6A3D3C
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[+] Mailbox GUID: fb29132691adc3449f1ff6738b215ba4
[*] Openning the Inbox
[+] Retrieving Rules
[+] Found 0 rules
[*] And disconnecting from server

Work:

./ruler -user XXXX -pass XXXX -email [email protected] -domain domain.com -display
[*] Retrieving MAPI/HTTP info
[*] Doing Autodiscover for domain
[x] No MAPI URL found. Trying RPC/HTTP
[*] Retrieving RPC/HTTP info
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[+] MAPI URL found:
Post : Get : unsupported protocol scheme ""
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x38 pc=0x4a9402]

goroutine 1 [running]:
panic(0x815a80, 0xc82000e130)
/usr/lib/golang/src/runtime/panic.go:481 +0x3e6
github.com/sensepost/ruler/mapi.Authenticate(0x7ffc202a765e, 0x0, 0x0)
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/mapi/mapi.go:199 +0x2f2
main.main()
/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:166 +0x1141

Further to this, if I run with -check or -check -insecure, I get this:

[+] MAPI URL found:
[+] Authentication succeeded and MAPI/HTTP is available

Can you offer any insight? I can accept that maybe the tool will not work against my work, which is great, but the error messages I'm seeing seem strange. Maybe "Post : Get : unsupported protocol scheme """ is the indicator that it won't work but the golang errors made me question.

Thanks!

Option to set RPC URL

Ran into an issue where the RPC URL set from Autodiscover was a separate system that had been decommissioned. By editing the /etc/hosts file I was able to get around it, just thought I'd suggest including a command line option to manually set the RPC URL. I'd submit a PR but I'm no Gopher.

Looks like where this is set is here:

for _, v := range resp.Response.Account.Protocol {

Just a suggestion, might be a one off. Appreciate the hard work!

hash option

Maybe this is more a sort of 'user issue'. I am trying to use the --hash option on my o365 account without any luck. The hash is from a Responder.py capture:
[SMB] NTLMv2-SSP Client : 1.2.3.94
[SMB] NTLMv2-SSP Username : MYDOM\User1
[SMB] NTLMv2-SSP Hash : User1::MYDOM:1122334455667788:7447C51D9EF52FE10B1573xxxxxxxxx:0101000000000000B135E4754509D3011A45A6F59427EFD10000000002000A0053004D0042003100320001000A0053004D0042003100450004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D004200310045000800300030000000000000000100000000200000DD43E55E39E6DFF3AB439630A55FE258EF4C812C3F5AC136E1AC43A651A725390A001000000000000000000000000000000000000900260063006900660073002F00350022002E003200300030002E003100380035002E003100390031000000000000000000
I can't figure out the right part or format of that hash to put in the ruler --hash option. I always get an authentication failed. Thanks in advance!

Improve RPC/HTTP

  • Detect time-out on read
  • Implement fragmentation of requests
  • Detect HTTP errors inside RPC/HTTP
  • Implement other authentication schemes

Command is too large error !

There is an issue with the payload's size. I create a payload but ruler does not accept it, displaying an error message "Command is too large. Maximum command size is 4096 characters".
Thank you in advance.

The way to get PR_BODY or PR_MESSAGE_ATTACHMENTS

Hi

I'm interested in the great tool you created called "Ruler", but I met some problems. Some properties can not be fetched correctly, like PR_BODY (0x1000) or PR_MESSAGE_ATTACHMENTS (0x0E13). Is there a way to help me solve these questions?

Thank you very much!

[Bruteforcing] fatal error: sync: unlock of unlocked mutex

When bruteforcing with ruler you will often receive this stack trace. If you rerun the same command it will eventually work. There appears to be some form of a race condition. Here is the one-liner I am using:

ruler --o365 --url http://autodiscover.your_company_here.com/autodiscover/autodiscover.xml brute --users emails.txt --passwords passwords.txt --verbose

After some digging, the problematic code appears to be located in autodiscover/brute.go. The problem seems to be that the code tries to unlock a semaphore while it's already unlocked. I can't seem to find the exact condition that causes this. With that said, if you place a time.Sleep right before sem is called it seems to patch the issue:

for ui, u := range usernames {
	if u == "" || p == "" {
		continue
	}
	time.Sleep(time.Millisecond * 500) // patches mutex error
	sem <- true
	go func(u string, p string, i int) {
		defer func() { <-sem }()
		out := connect(autodiscoverURL, u, p, basic, insecure)
		out.Index = i

This is just a hack, it doesn't fix the underlying logic error or I would have submitted this as a PR. Do you have any idea what would cause this?

System and software info:

Linux dev-box 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

go version go1.9 linux/amd64

ruler version 2.1.6

panic: runtime error: slice bounds out of range

Hello there!

I'm using the latest dev build and am receiving this error when trying to display rules. I get a similar runtime error in other use cases as well. I've tried different combinations of switches and usernames to see if that was the issue, but no luck. Hoping maybe you can shed a bit of insight into this!

[*] Autodiscover step 0 - URL: [redacted]
[*] RPC URL set: [redacted]
[*] Setting up channels
panic: runtime error: slice bounds out of range

goroutine 4 [running]:
panic(0x33eb20, 0xc4200100e0)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/staaldraad/go-ntlm/ntlm.ParseChallengeMessage(0x54b580, 0x0, 0x0, 0xc420075818, 0x8, 0x0)
	/home/staaldraad/Go/gopath/src/github.com/staaldraad/go-ntlm/ntlm/message_challenge.go:59 +0x7e1
github.com/sensepost/ruler/rpc-http.setupHTTP(0x39aa62, 0xb, 0xc4202fc7e0, 0x6e, 0x40101, 0xc4200296d8, 0xc4200296a0, 0x4438c, 0xc4200296d8)
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/rpc-http/rpctransport.go:121 +0x10a1
github.com/sensepost/ruler/rpc-http.RPCOpen(0xc4202fc7e0, 0x6e, 0xc420421e00, 0xc420421e60, 0xc42011a550, 0xe1b1)
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/rpc-http/rpctransport.go:170 +0x7c
created by github.com/sensepost/ruler/mapi.mapiConnectRPC
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/mapi/mapi.go:162 +0x18d

Config parameter overwritten inside function

When I specify the basic flag to enforce basic authentication, this gets stored in the session object. However when ruler uses autodiscovery, this config seems to be passed (referenced? I'm new to Go) on to the SessionConfig property.
This property is then written to around here:

SessionConfig.Basic = useBasic

When this config is then used in followup functions, the property no longer has its original value. In my case this caused the basic flag to switch to false halfway, causing subsequent requests to no longer be done with basic auth.

There may be other occurrences of this in the code, but this is the only one I came across so far.
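To make the aliasing concrete, here is an added Go example (not ruler's code) with a hypothetical Session struct standing in for the session object and a package-level sessionConfig pointer mirroring the pattern described in the issue. autodiscoverAliased writes through the shared pointer and clobbers the caller's Basic flag; autodiscoverIsolated copies the struct first, so the caller's flag survives. All names here are assumptions for the example.

```go
package main

import "fmt"

// Session is a hypothetical, stripped-down stand-in for ruler's session
// object; only the Basic flag (force HTTP basic auth) matters here.
type Session struct {
	Basic bool
	URL   string
}

// sessionConfig mirrors the pattern in the issue: a package-level pointer
// that autodiscover code points at the caller's session and then writes to.
var sessionConfig *Session

// autodiscoverAliased models the bug: it stores a pointer to the caller's
// session and then overwrites Basic from its own useBasic argument, so the
// caller's flag silently changes too.
func autodiscoverAliased(cfg *Session, useBasic bool) *Session {
	sessionConfig = cfg
	sessionConfig.Basic = useBasic // writes through to cfg
	return sessionConfig
}

// autodiscoverIsolated is the corrected form: it works on a copy, so the
// caller's session keeps the value the user set on the command line.
func autodiscoverIsolated(cfg *Session, useBasic bool) *Session {
	local := *cfg // struct copy; fields are independent from here on
	local.Basic = useBasic
	sessionConfig = &local
	return sessionConfig
}

// demonstrate runs both variants against a session created with --basic set
// and reports whether the caller's flag survived each call.
// Returns (survivedAliased, survivedIsolated).
func demonstrate() (bool, bool) {
	s1 := &Session{Basic: true, URL: "https://example.invalid/autodiscover"}
	autodiscoverAliased(s1, false)
	survivedAliased := s1.Basic

	s2 := &Session{Basic: true, URL: "https://example.invalid/autodiscover"}
	autodiscoverIsolated(s2, false)
	survivedIsolated := s2.Basic
	return survivedAliased, survivedIsolated
}

func main() {
	a, i := demonstrate()
	fmt.Printf("aliased:  caller's Basic flag after autodiscover = %v\n", a)
	fmt.Printf("isolated: caller's Basic flag after autodiscover = %v\n", i)
}
```

In Go, assigning a *Session to another variable copies the pointer, not the struct, so every write through either name changes the same object; a struct copy (local := *cfg) is the simplest way to keep an autodiscover routine from altering flags the user set on the command line.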

Segment Violation - OSX

Using OSX/Brew to install Go
Then ran ruler:

./ruler -v -domain company.com
[*] Retrieving MAPI/HTTP info
[*] Doing Autodiscover for domain
[*] Autodiscover step 0 - URL: https://company.com/autodiscover/autodiscover.xml
[*] Autodiscover step 1 - URL: https://autodiscover.company.com/autodiscover/autodiscover.xml
[*] Autodiscover step 2 - URL: http://autodiscover.company.com/autodiscover/autodiscover.xml
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x8dd9a]

goroutine 1 [running]:
panic(0x2f5f00, 0xc4200100b0)
    /usr/local/Cellar/go/1.7.1/libexec/src/runtime/panic.go:500 +0x1a1
github.com/sensepost/ruler/autodiscover.autodiscover(0x7fff5fbffc40, 0xa, 0xc4204c0001, 0x0, 0x0, 0x0)
    /home/mubix/go/src/github.com/sensepost/ruler/autodiscover/autodiscover.go:149 +0x31a
github.com/sensepost/ruler/autodiscover.autodiscover(0x7fff5fbffc40, 0xa, 0xc420134001, 0x0, 0x0, 0x0)
    /home/mubix/go/src/github.com/sensepost/ruler/autodiscover/autodiscover.go:180 +0x40c
github.com/sensepost/ruler/autodiscover.autodiscover(0x7fff5fbffc40, 0xa, 0x1, 0x0, 0x0, 0x0)
    /home/mubix/go/src/github.com/sensepost/ruler/autodiscover/autodiscover.go:144 +0xabb
github.com/sensepost/ruler/autodiscover.MAPIDiscover(0x7fff5fbffc40, 0xa, 0x1, 0x1e, 0x0)
    /home/mubix/go/src/github.com/sensepost/ruler/autodiscover/autodiscover.go:64 +0xbc
main.getMapiHTTP(0x0, 0x0, 0x0)
    /sensepost/ruler/ruler.go:48 +0xe2
main.main()
    /sensepost/ruler/ruler.go:145 +0x947

Manually going to those addresses results in:

[*] Autodiscover step 0 - URL: https://company.com/autodiscover/autodiscover.xml
> 404
[*] Autodiscover step 1 - URL: https://autodiscover.company.com/autodiscover/autodiscover.xml
> Auth required
[*] Autodiscover step 2 - URL: http://autodiscover.company.com/autodiscover/autodiscover.xml
> Connection refused

Empty HTTP Response

I am testing this in a corporate environment. Also, it detects http rather than https, and http is turned off, so I have to add the url manually.

root@kali:/opt/ruler# ./ruler --email [email protected] --username "test user" --url 'https://autodiscover.test.com/autodiscover/autodiscover.xml' --verbose check
Password:
[*] Autodiscover step 0 - URL: https://autodiscover.test.com/autodiscover/autodiscover.xml
[*] MAPI URL found: https://outlook.test.com/mapi/emsmdb/[email protected]
[*] MAPI AddressBook URL found: https://outlook.test.com/mapi/nspi/[email protected]
[*] v
ERROR: 2017/08/01 03:32:21 mapi: a transport layer error occurred. mapi: a transport layer error occurred. Empty HTTP Response

Some about error code 255

Hi,
Ruler is so cool that I want to run it against my local Exchange service, and I use Outlook 2016.
But now I have some connection problems; I searched a lot but did not find any valid tips and don't know how to proceed.
Something is wrong with:

Sporadic mapi "ruler.go:29: mapi: a transport layer error occurred "

Hi Staaldraad

I have an interesting issue accessing a client MAPI instance. Initially the following is displayed when attempting to add a form:

root@localhost:/opt# ./ruler-linux64 --o365 --debug --verbose --basic --noencrypt --email [email protected] -p xxxxxx form add --suffix super --input /home/www/input.txt --send
[+] Found cached Autodiscover record. Using this (use --nocache to force new lookup)
[*] MAPI URL found: https://xxxxx.exchangemail.co.za/mapi/emsmdb/[email protected]
[*] MAPI AddressBook URL found: https://xxxx.exchangemail.co.za/mapi/nspi/[email protected]

ERROR: 08:39:48 ruler.go:29: mapi: a transport layer error occurred. Got a protocol error response:
root@localhost:/opt#

However, if I continue to re-attempt I get a little further, as per below, before getting the same error.

[+] Found cached Autodiscover record. Using this (use --nocache to force new lookup)
[*] MAPI URL found: https://xxx.exchangemail.co.za/mapi/emsmdb/[email protected]
[*] MAPI AddressBook URL found: https://xxxxxx.exchangemail.co.za/mapi/nspi/[email protected]
[*] User DN: /o=First Organization/ou=Exchange Administrative Group (FYDIxxxxxxxxLT)/cn=Recipients/cn=2f2398707ff542cfa2e8e0xxxxxxx
[*] Got Context, Doing ROPLogin
[*] And we are authenticated
[*] Openning the Inbox

[*] Verifying that form does not exist.

ERROR: 08:52:44 ruler.go:29: mapi: a transport layer error occurred. Got a protocol error response:
[*] And disconnecting from server

The same process occurs for homepage interaction. Eventually it works. With regard to the ABK, I get to about 15% before the error occurs. Can't get the forms to go any further.

thanks
rob

Request: Option to show/dump MAPI autodiscover

Hi,

First of all, thanks for the nice tool! I've been playing with it recently and ran into some (minor) issues, so I'll open some issues/requests :)

The current autodiscover command only requests the "regular" autodiscover XML, which returns the RPC urls. It would be nice to have an option to also request/dump the MAPI one.
It can be accomplished currently by changing ruler/ruler.go line 99 (as of commit 658fb1b):

_, domain, err := autodiscover.Autodiscover(url)

but it would be nicer if this was possible without having to edit the source.

The autodiscover service request did not complete.

Hello

I always get this error :

go run ruler.go --email [email protected] form display
Password: 
[+] Retrieving MAPI/HTTP info
ERROR: 2017/07/25 12:17:08 The autodiscover service request did not complete.
Error in autodiscover response, XML syntax error on line 14: invalid character entity &subset (no semicolon)
exit status 255

Any idea?

Re-opening the minutes/seconds issue for the "delay" parameter.

Why was #61 closed?

In ruler.go it incorrectly states in the help output that the "delay" parameter is measured in seconds.

In autodiscover.go you can see that the time duration is measured in minutes. It also states that it delays for "minutes":

utils.Info.Printf("\033[31mMultiple attempts. To prevent lockout - delaying for %d minutes.\033[0m\n", delay)

time.Sleep(time.Minute * (time.Duration)(delay))

Please consider reevaluating and merging this PR.

Building on Kali via go get or via source generates exception

Just following setup guide on up-to-date Kali build. Getting the following:

command-line-arguments

./ruler.go:89: config.Proxy undefined (type utils.Session has no field or method Proxy)
./ruler.go:155: undefined: autodiscover.Init
./ruler.go:160: not enough arguments in call to autodiscover.BruteForce
./ruler.go:162: not enough arguments in call to autodiscover.UserPassBruteForce
./ruler.go:303: config.Proxy undefined (type utils.Session has no field or method Proxy)
./ruler.go:520: undefined: mapi.FetchRules
./ruler.go:786: undefined: mapi.WebViewPersistenceObjectStream
./ruler.go:793: undefined: mapi.PidTagFolderWebViewInfo

It's very likely that I have set up my Go env incorrectly, but I can query the Go version and still run the old version of ruler just fine. I was just looking to build the latest code from GitHub. Appreciate any help you might lend. If "It works on my machine", then feel free to close 👍

Delay / attempts are ignored

Not sure if I'm doing something wrong, but the delay / attempts flags aren't working for me:

./ruler --domain XXXXXXXX.com --insecure brute --users /root/tools/XX/users2.txt --passwords /root/tools/XX/pass.txt --attempts 1 --delay 35 -v

[+] Starting bruteforce
[+] Trying to Autodiscover domain
[x] Failed: user1:Password1!
[x] Failed: user2:Password1!
[x] Failed: user3:Password1!
[x] Failed: user4:Password1!
[x] Failed: user5:Password1!
[x] Failed: user6:Password1!
[x] Failed: user7:Password1!
[x] Failed: user8:Password1!
[x] Failed: user9:Password1!

All those attempts happened in less than 3 sec instead of taking ~315 sec (9 users * 35 sec delay).
Expected behaviour would be: try user1, sleep for 35 sec, try user2, etc.

Thanks in Advance

Ruler with NTLM relay ?

Hi,

Congrats and thanks for sharing this fantastic tool!

Do you see any means of tweaking ruler to get its NTLM authentication phase done through an NTLM relay attack tool?

Say for instance, using Impacket/ntlmrelayx and pointing the victim to the ntlmrelayx listener (a simple e-mail with a hidden image pointing to the ntlmrelayx HTTP listener does the trick), and you can get any outgoing HTTP(S) request to the target (Exchange server) with NTLM authentication handled/relayed automatically.

This would remove the credentials hunting phase.

Cheers.

Request: Option to use InternalUrl instead of ExternalUrl

It seems ruler is currently hardcoded to use the External url for MAPI/RPC

//ExtractMapiURL extract the External mapi url from the autodiscover response
func ExtractMapiURL(resp *utils.AutodiscoverResp) string {
	for _, v := range resp.Response.Account.Protocol {
		if v.TypeAttr == "mapiHttp" {
			return v.MailStore.InternalUrl
		}
	}
	return ""
}

However, when running ruler on an internal network, the external URL might not be configured or not reachable. It would be great if there were an option to automatically use the InternalUrl in these cases, or a command line switch to indicate which URL ruler should use.
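An added example (not ruler's own code) that serves this request and the earlier "autodiscover service request did not complete" report together: it decodes a constructed Autodiscover response leniently, so a bare "&subset" inside a URL no longer aborts the lookup with Go's "invalid character entity ... (no semicolon)" error, and then picks the mapiHttp URL with an internal/external preference plus fallback instead of one hardcoded field. The struct shape, the sample XML and the hostnames are assumptions for the example, not ruler's utils.AutodiscoverResp.

```go
package main

import (
	"encoding/xml"
	"strings"
)

// Minimal model of an Autodiscover response (assumed shape, not ruler's
// utils.AutodiscoverResp); only the fields this example reads.
type autodiscoverResp struct {
	Response struct{ Account struct{ Protocol []protocol } }
}
type protocol struct {
	TypeAttr  string `xml:"Type,attr"`
	MailStore struct{ InternalUrl, ExternalUrl string }
}

// Constructed sample: a bare "&subset" in the internal URL (a strict decoder
// fails with "invalid character entity &subset (no semicolon)"), empty external URL.
const sampleAutodiscover = `<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Account>
<Protocol Type="mapiHttp"><MailStore><ExternalUrl></ExternalUrl>
<InternalUrl>https://mail.internal.example/mapi/emsmdb/?MailboxId=GUID@example.com&subset=1</InternalUrl>
</MailStore></Protocol></Account></Response></Autodiscover>`

// parseAutodiscover decodes the response; with strict=false encoding/xml keeps
// a malformed entity as literal text instead of aborting the whole lookup.
func parseAutodiscover(body string, strict bool) (*autodiscoverResp, error) {
	dec := xml.NewDecoder(strings.NewReader(body))
	dec.Strict = strict
	var resp autodiscoverResp
	if err := dec.Decode(&resp); err != nil {
		return nil, err
	}
	return &resp, nil
}

// extractMapiURL returns the mapiHttp MailStore URL: the preferred side when
// it is set, otherwise the other one, rather than one hardcoded field.
func extractMapiURL(resp *autodiscoverResp, preferInternal bool) string {
	for _, p := range resp.Response.Account.Protocol {
		if p.TypeAttr != "mapiHttp" {
			continue
		}
		in, ex := p.MailStore.InternalUrl, p.MailStore.ExternalUrl
		if (preferInternal && in != "") || ex == "" {
			return in
		}
		return ex
	}
	return ""
}
```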

Some about config.yml

Hi!

I have read the issue "No autodiscover.xml" and edited my config:

username: "Administrator"
email: "[email protected]"
password: "password"
domain: "codingkoala"
userdn: "/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Administrator96b"
mailbox: "[email protected]"
rpcurl: "https://192.168.179.150/rpc/rpcproxy.dll"
rpc: true
rpcencrypt: true
mapiurl: ""

I couldn't find the GUID in OWA, so I got it from the Exchange Management Shell.

And I get the following error:

C:\Users\Administrator\Desktop>ruler --config config.yml check
ERROR: 13:20:53 ruler.go:29: mapi: a transport layer error occurred. Post ?MailboxId=[email protected]: Get ?MailboxId=7367e4[email protected]: unsupported protocol scheme ""

Is there something wrong with the GUID?

Thank you.

Proxy is not used all times

Hi,

When adding a proxy with the --proxy flag it isn't always used. Here is my call:

ruler-linux64 --verbose --proxy https://127.0.0.1:8080 -e [email protected] -d some.domain -k u

The request to https://some.domain/autodiscover/autodiscover.xml does not pass my proxy, but the second one to https://autodiscover.some.domain/autodiscover/autodiscover.xml does. (According to both Burp and Wireshark)

The expected behavior would be that the set proxy is used for all requests.

[edit]
Interesting: If I prepend the cli call with https_proxy I get a segfault:

[+] Checking if domain is hosted on Office 365
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x4016e6]

goroutine 1 [running]:
panic(0x777400, 0xc4200120d0)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
main.discover(0xc42008a780, 0x4, 0xc4200644e0)
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:77 +0x596
main.main.func7(0xc42008a780, 0x0, 0xc42008a780)
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:985 +0x2f
github.com/urfave/cli.HandleAction(0x765a60, 0x807748, 0xc42008a780, 0xc420064400, 0x0)
	/home/staaldraad/Go/gopath/src/github.com/urfave/cli/app.go:483 +0xb9
github.com/urfave/cli.Command.Run(0x7d5f64, 0xc, 0x0, 0x0, 0xc4200135b0, 0x1, 0x1, 0x7e7cee, 0x42, 0x0, ...)
	/home/staaldraad/Go/gopath/src/github.com/urfave/cli/command.go:193 +0xb96
github.com/urfave/cli.(*App).Run(0xc420084b60, 0xc42000c0c0, 0xc, 0xc, 0x0, 0x0)
	/home/staaldraad/Go/gopath/src/github.com/urfave/cli/app.go:250 +0x812
main.main()
	/home/staaldraad/Go/gopath/src/github.com/sensepost/ruler/ruler.go:1240 +0x2cd0

error while using "--insecure" flag

I get the following error while using ruler with --insecure flag:
"Incorrect Usage: flag provided but not defined: --insecure"

My brute-force command line options were:
./ruler --domain domain.com brute --users users.txt --passwords password.txt --delay 0 --verbose --insecure

Am I missing something?

Getting failed attempt with "brute" but not with "display"

For a reason that I don't understand, I'm getting a "failed attempt" when I am using a set of credentials that works with the following command:

ruler --o365 --domain mydomain.com brute --users email.txt --passwords passwd.txt -v

However if I do :

ruler --o365 --domain mydomain.com --email [email protected] --password mypassword display

It returns me all my rules. I tried different combinations in email.txt (full email, etc.) but it gives the same result. I also tried the --basic and --userpass combinations.

Any idea why?
