
github.com/sensepost/ruler @2.5.0

540 symbols · 1,874 edges · 20 files · 495 documented · 92% · updated 2y ago · 2.4.1-unicode · 2021-02-19 · ★ 2,307 · 13 open issues
README

Introduction

Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.

The full low-down on how Ruler was implemented and some background regarding MAPI can be found in our blog posts:

  • Ruler release
  • Pass the Hash with Ruler
  • Outlook forms and shells
  • Outlook Home Page – Another Ruler Vector

For a demo of it in action: Ruler on YouTube

What does it do?

Ruler has multiple functions and more are planned. These include:

  • Enumerate valid users
  • Create new malicious mail rules
  • Dump the Global Address List (GAL)
  • VBScript execution through forms
  • VBScript execution through the Outlook Home Page

Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.

Getting Started

Compiled binaries for Linux, OSX and Windows are available. Find these in Releases. Information about setting up Ruler from source is found in the getting-started guide.

Usage

Ruler has multiple functions; each has its own documentation, which can be found in the wiki:

  • BruteForce -- discover valid user accounts
  • Rules -- perform the traditional, rule based attack
  • Forms -- execute VBScript through forms
  • Homepage -- use the Outlook 'home page' for shell and persistence
  • GAL -- grab the Global Address List

Attacking Exchange

The library included with Ruler allows for the creation of custom messages using MAPI. This, along with the Exchange documentation, is a great starting point for new research. For an example of using this library in another project, see SensePost Liniaal.

License

License: CC BY-NC-SA 4.0

Ruler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.

Extension points exported contracts — how you extend this code

AuxInfo (Interface)
AuxInfo interface to make Aux buffers generic [84 implementers]
rpc-http/packets.go
RopResponse (Interface)
RopResponse interface for common methods on RopResponses [60 implementers]
mapi/datastructs.go
Restriction (Interface)
Restriction interface to generalise restrictions [84 implementers]
mapi/restrictionDatastructs.go
RopRequest (Interface)
RopRequest interface for common methods on RopRequests [84 implementers]
mapi/datastructs.go
RopBuffer (Interface)
RopBuffer interface for common methods on RopBuffer Data [60 implementers]
mapi/datastructs.go
Request (Interface)
Request interface type [84 implementers]
mapi/datastructs.go
GetProperties (Interface)
GetProperties interface allowing both RopgetPropertyIdsFromName and RopGetProperties to be used [3 implementers]
mapi/datastructs.go

Core symbols most depended-on inside this repo

ReadByte
called by 119
utils/utils.go
BodyToBytes
called by 105
utils/utils.go
ReadUint32
called by 104
utils/utils.go
String
called by 61
mapi/constants.go
ReadBytes
called by 60
utils/utils.go
UniString
called by 43
utils/utils.go
Init
called by 42
mapi/datastructs.go
sendMapiRequest
called by 42
mapi/mapi.go

Shape

Struct 186
Function 182
Method 163
Interface 7
TypeAlias 2

Languages

Go 100%

Modules by API surface

mapi/datastructs.go · 234 symbols
mapi/mapi.go · 70 symbols
rpc-http/packets.go · 57 symbols
mapi/datastructs-abk.go · 35 symbols
utils/utils.go · 29 symbols
ruler.go · 22 symbols
utils/datatypes.go · 15 symbols
rpc-http/rpctransport.go · 15 symbols
mapi/restrictionDatastructs.go · 12 symbols
autodiscover/autodiscover.go · 12 symbols
mapi/mapi-abk.go · 9 symbols
forms/rulerforms.go · 9 symbols

Dependencies from manifests, versioned

github.com/ThomsonReutersEikon/go-ntlm v0.0.0-2018113017112 · 1×
github.com/howeyc/gopass v0.0.0-2019091015205 · 1×
github.com/staaldraad/go-ntlm v0.0.0-2017031714001 · 1×
github.com/urfave/cli v1.22.1 · 1×
golang.org/x/net v0.0.0-2019111218230 · 1×
gopkg.in/yaml.v2 v2.2.5 · 1×
