Getting Started

Etienne Stalmans edited this page Feb 19, 2021 · 7 revisions

Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the --rpc flag.

Exchange and Outlook Support

Ruler has been tested against the following systems:

  • Exchange 2003
  • Exchange 2013
  • Exchange 2013 SP1
  • Exchange 2016
  • Office365

The following Outlook clients have been tested:

  • Outlook 2010
  • Outlook 2013
  • Outlook 2016 (Only Forms work by default)

Installation/Setup

The easiest way to use Ruler is through the pre-built binaries. These are kept up to date, as far as possible, and can be found on the Releases page.

Getting the Code

Ruler is written in Go, so you'll need to have Go set up to run or build the project from source. The easiest way to get up and running from source is through go get.

Get it through Go, making sure you have Go modules support:

GO111MODULE=on go get github.com/sensepost/ruler

You can now run the app through go run in the GOPATH/src/github.com/sensepost/ruler directory:

go run ruler.go -h

Or build it from source:

When building you'll need to have your GOPATH correctly configured.

The first step, as always, is to clone the repo. Here it is probably best to clone into $GOPATH/src/github.com/sensepost/ruler, as this saves you from having to change a whole bunch of paths. If you are cloning into a different directory, remember you'll need to change all references to github.com/sensepost/ruler in the imports.

git clone https://github.com/sensepost/ruler.git

Ensure you have the dependencies (go get is the easiest option, otherwise clone the repos into your GOPATH):

go get github.com/urfave/cli
go get github.com/howeyc/gopass
go get gopkg.in/yaml.v2
go get github.com/staaldraad/go-ntlm/ntlm

Then build it:

go build

If building on a different branch from master, please see this entry about ensuring you have the correct branch/version.

Interacting with Exchange

As mentioned before, there are multiple functions to Ruler. In most cases you'll want to first find a set of valid credentials. Do this however you wish: phishing, Wifi+Mana or brute-force.

Basic Usage

Ruler has 8 basic commands:

  • display -- list all the current rules
  • add -- add a rule
  • delete -- delete a rule
  • brute -- brute force credentials
  • send -- send an email to trigger the shell
  • abk -- interact with the GAL (MAPI/HTTP only)
  • form -- script execution through custom forms
  • help -- show the help screen

There are a few global flags that should be used with most commands, while each command has sub-flags. For details on these, use the help command.

NAME:
   ruler - A tool to abuse Exchange Services

USAGE:
   ruler-linux64 [global options] command [command options] [arguments...]

VERSION:
   2.1.6

DESCRIPTION:
            _
 _ __ _   _| | ___ _ __
| '__| | | | |/ _ \ '__|
| |  | |_| | |  __/ |
|_|   \__,_|_|\___|_|

A tool by @_staaldraad from @sensepost to abuse Exchange Services.

AUTHOR:
   Etienne Stalmans <etienne@sensepost.com>, @_staaldraad

Global versus Local Options

There are a number of global options that are required for most uses of Ruler. These are set before the COMMAND you wish to execute. Think of these as the configuration values that Ruler needs to actually function: credentials and so on.

The local options are specific to the command you are executing. These come after the COMMAND and control the different features exposed by a command.

To view the global options: ./ruler --help

To view the local options: ./ruler command --help

The config file

Ruler allows you to supply data via the config file. This allows you to supply values for instances where Exchange may not be exposing the Autodiscover service.

Fields such as email and username can be left blank, as these can be supplied through the global flags.

Using the config file is simple, just pass the config file location as a global option:

./ruler --config config.yml check

Mandatory options are:

  • userdn
  • mailbox
  • rpcurl -- if rpc is set to true
  • mapiurl -- if rpc is set to false

Most values can be found in OWA, through the Options->About tab. The URL is usually: https://owadomain/?ae=Options&t=About

From there you need the following info:

  • Exchange mailbox address -> this is your userdn
  • Exchange Client Access server name -> this is your mailbox

If you are getting permission denied, it might be worth switching from NTLM auth to Basic auth. This is done by changing ntlm to false.

A sample config file:

username: ""
email: ""
password: ""
hash: ""
domain: ""
userdn: "/o=First Organization/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=0003BFFDFEF9FB24"
mailbox: "0003bffd-fef9-fb24-0000-000000000000@outlook.com"
rpcurl: "https://outlook.office365.com/rpc/rpcproxy.dll"
rpc: false
rpcencrypt: true
ntlm: true
mapiurl: "https://outlook.office365.com/mapi/emsmdb/"

More information on the Config option is available in this issue
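
Seen from the Exchange side, the transport fallback described at the top of this page (MAPI/HTTP first, RPC/HTTP if that fails) appears in web server logs as a failed request to the mapiurl path followed shortly by a request to the rpcurl path from the same client. The following detector is an added example, not part of Ruler or the original wiki; the simplified log format, the 30-second window, the sample lines and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Paths taken from the mapiurl / rpcurl values in the sample config above.
MAPI_PATH = "/mapi/emsmdb"
RPC_PATH = "/rpc/rpcproxy.dll"
WINDOW = timedelta(seconds=30)  # assumed correlation window, tune per environment

# Constructed sample lines: "date time client-ip method uri-stem status".
# Real IIS W3C logs carry more fields; map them onto these six before use.
SAMPLE_LOG = """\
2021-02-19 10:00:01 198.51.100.7 POST /mapi/emsmdb/ 401
2021-02-19 10:00:02 198.51.100.7 POST /mapi/emsmdb/ 500
2021-02-19 10:00:04 198.51.100.7 RPC_IN_DATA /rpc/rpcproxy.dll 200
2021-02-19 10:00:04 198.51.100.7 RPC_OUT_DATA /rpc/rpcproxy.dll 200
2021-02-19 10:01:00 203.0.113.20 POST /mapi/emsmdb/ 401
2021-02-19 10:01:01 203.0.113.20 POST /mapi/emsmdb/ 200
2021-02-19 10:01:05 203.0.113.20 RPC_IN_DATA /rpc/rpcproxy.dll 200
2021-02-19 10:10:00 192.0.2.50 POST /mapi/emsmdb/ 503
2021-02-19 10:20:00 192.0.2.50 RPC_IN_DATA /rpc/rpcproxy.dll 200
"""

def parse(line):
    """Return (timestamp, client_ip, uri, status), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        status = int(parts[5])
    except ValueError:
        return None
    return ts, parts[2], parts[4].lower(), status

def find_fallbacks(log_text, window=WINDOW):
    """Flag clients whose last MAPI/HTTP response failed just before an RPC/HTTP request.
    Assumes the lines are in chronological order."""
    last_mapi = {}  # client ip -> (timestamp, status) of the latest MAPI/HTTP response
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, uri, status = rec
        if uri.startswith(MAPI_PATH):
            last_mapi[ip] = (ts, status)
        elif uri.startswith(RPC_PATH) and ip in last_mapi:
            m_ts, m_status = last_mapi.pop(ip)  # pop so one fallback is reported once
            if m_status >= 400 and ts - m_ts <= window:
                hits.append((ip, m_ts, ts, m_status))
    return hits
```

Legitimate clients can produce the same sequence, so a hit is a lead to correlate with authentication failures and mailbox rule or form changes for that account.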