{"id":13438525,"url":"https://github.com/nyxgeek/lyncsmash","last_synced_at":"2025-03-20T06:30:38.638Z","repository":{"id":47020373,"uuid":"59265031","full_name":"nyxgeek/lyncsmash","owner":"nyxgeek","description":"locate and attack Lync/Skype for Business","archived":false,"fork":false,"pushed_at":"2024-10-01T11:22:01.000Z","size":18445,"stargazers_count":333,"open_issues_count":2,"forks_count":65,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-10-28T00:23:10.684Z","etag":null,"topics":["brute-force","derbycon","hacking","lync","pentesting","skype-for-business","user-enumeration"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nyxgeek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-20T04:32:41.000Z","updated_at":"2024-10-25T05:44:18.000Z","dependencies_parsed_at":"2022-09-04T17:10:09.673Z","dependency_job_id":"338e7622-96e1-4329-80e8-e288cfa47607","html_url":"https://github.com/nyxgeek/lyncsmash","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyxgeek%2Flyncsmash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyxgeek%2Flyncsmash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyxgeek%2Flyncsmash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyxgeek%2Flyncsmash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nyxgeek","download_url":"https://codeload.github.com/nyxgeek/lyncsmash/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244564897,"owners_count":20473155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","derbycon","hacking","lync","pentesting","skype-for-business","user-enumeration"],"created_at":"2024-07-31T03:01:06.227Z","updated_at":"2025-03-20T06:30:33.627Z","avatar_url":"https://github.com/nyxgeek.png","language":"Python","funding_links":[],"categories":["Asset Discovery","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","[↑](#contents)Business Communication Infrastructure Discovery","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具"],"sub_categories":["Business Communication Infrastructure Discovery","\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的"],"readme":"\n```\n██╗  ██╗   ██╗███╗   ██╗ ██████╗███████╗███╗   ███╗ █████╗ ███████╗██╗  ██╗\n██║  ╚██╗ ██╔╝████╗  ██║██╔════╝██╔════╝████╗ ████║██╔══██╗██╔════╝██║  ██║\n██║   ╚████╔╝ ██╔██╗ ██║██║     ███████╗██╔████╔██║███████║███████╗███████║\n██║    ╚██╔╝  ██║╚██╗██║██║     ╚════██║██║╚██╔╝██║██╔══██║╚════██║██╔══██║\n███████╗██║   ██║ ╚████║╚██████╗███████║██║ ╚═╝ ██║██║  ██║███████║██║  ██║\n╚══════╝╚═╝   ╚═╝  ╚═══╝ ╚═════╝╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝\n```                                                                   \n\n\na collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations\n\n*Note: these tools will not work with Skype/Lync installations hosted at Microsoft.*\n\u003chr\u003e\n\nDerbyCon 6.0 YouTube link: https://www.youtube.com/watch?v=v0NTaCFk6VI\n\nDerbyCon 6.0 Slide Deck: https://github.com/nyxgeek/nyxgeek-slides/blob/master/TheWeakestLync.pdf\n\n\n## scripts\n * lyncsmash.py - enumerate users via auth timing bug while brute forcing, lock accounts, locate lync installs\n * find_domain.sh  - example of how to use Nmap with http-ntlm-info script to discover internal NetBIOS \u0026 domain names\n * brute_force_ntlm.sh - example of a brute force attack against Skype/Lync using Medusa\n * ntlm-info.py - script to get NetBIOS Domain name from NTLM auth\n\n## wordlists\n * skype-directories.txt - a listing of directories that may have NTLM-auth enabled\n * alexa-top-20000-sites.txt - a listing of the top 20,000 Alexa sites - to be used with discover mode\n\nIf you're looking for username lists, I highly recommend 'Statistically Likely Usernames': https://github.com/insidetrust/statistically-likely-usernames.git\n\n\u003chr\u003e\n\n## using lyncsmash.py\n\nlyncsmash has three operating modes:\n * enum - use to enumerate users via the auth timing attack\n * discover - will take a list of domains and determine which use Skype for Business/Lync\n * lock - make repeated bad authentication attempts in order to lock out an account\n\n\n\n### lyncsmash.py enum - enumerate users\n\n** WARNING: THIS PERFORMS A DOMAIN LOGIN ATTEMPT AND CAN LOCK OUT ACCOUNTS **\n\n```\nParameters:\n    -H\thostname\n    -U\tusername list\n    -p  password\n    -P  password list\n    -d\tNetBIOS domain\n    -o  output file\n    -t  manually set timeout\n    -r  Randomize the user input list\n    -s  Sleep between each request (seconds)(enum only)\n```\nIn this mode lyncsmash will enumerate usernames via a timing attack, using the Webticket service located on the Lync Front-End server. If a bad username and/or domain is specified, the response will be long. If it is a valid user, the response will be short. Due to limitations of the timing-attack, this can only be run single-threaded.\n\n\nusage:\n```\npython lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt\n\nor\n\npython lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO\n\n```\n\n### lyncsmash.py discover - discovering domains that are running Skype/Lync\n\n```\nParameters:\n    -H\thost list - one DNS base domain per line\n```\nIn this mode lyncsmash will attempt to enumerate various Skype/Lync subdomains via DNS, and returns a score based on number of indicators. Wildcard domains are discarded.\n\nusage:\n```\npython lyncsmash.py discover -H domain_list.txt\n\n```\n\n### lyncsmash lock - lockout an account with repeated login failures\n** WARNING: THIS WILL LOCK OUT ACCOUNTS. **\n\n```\nParameters:\n    -H\thostname\n    -u\tusername to lock out\n    -d\tNetBIOS domain\n```\n\nIn this mode lyncsmash will make 5 login attempts with an incorrect password, attempting to lock out a user account.\n\n\nusage:\n```\npython lyncsmash.py lock -H 2013-lync-fe.contoso.com -u administrator -d CONTOSO\n\n```\n\n\u003chr\u003e\n\n## ntlm-info.py\n\nThis script examines the HTTP headers from a null NTLM auth attempt.  It will test against the /abs/ directory by default but any directory can be specified as a second argument (see below). This is a remake of the http-ntlm-info script from nmap (https://nmap.org/nsedoc/scripts/http-ntlm-info.html).\n\nAdditional potential NTLM auth directories can be found in this repository under wordlists (https://github.com/nyxgeek/lyncsmash/blob/master/wordlists/skype-directories.txt).\n\nIf you're having trouble locating NTLM auth directories, I wrote a script to scan for them:  (https://github.com/nyxgeek/ntlmscan).\n\nRequires requests_ntlm -- install with:\n\n```pip install requests_ntlm```\n\nUsage:\n```\npython ntlm-info.py dialin.domain.com\n\npython ntlm-info.py dialin.domain.com RequestHandlerExt\n```\n\n## thanks!\nThanks to @coldfusion39, @spoonman1091, @nettitude, @shellfail, picarddam, @fals3s3t, and @Oddvarmoe for contributing fixes and improvements!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnyxgeek%2Flyncsmash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnyxgeek%2Flyncsmash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnyxgeek%2Flyncsmash/lists"}