https://github.com/nyxgeek/lyncsmash

locate and attack Lync/Skype for Business
https://github.com/nyxgeek/lyncsmash

brute-force derbycon hacking lync pentesting skype-for-business user-enumeration

Last synced: 3 months ago
JSON representation

locate and attack Lync/Skype for Business

• Host: GitHub
• URL: https://github.com/nyxgeek/lyncsmash
• Owner: nyxgeek
• Created: 2016-05-20T04:32:41.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2024-06-27T09:47:20.000Z (7 months ago)
• Last Synced: 2024-08-01T03:27:34.484Z (5 months ago)
• Topics: brute-force, derbycon, hacking, lync, pentesting, skype-for-business, user-enumeration
• Language: Python
• Homepage:
• Size: 17.6 MB
• Stars: 330
• Watchers: 11
• Forks: 67
• Open Issues: 2
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-tools - Lyncsmash - Tools to enumerate and attack self-hosted Lync/Skype for Business (Asset Discovery / Business Communication Infrastructure Discovery)
• Awesome-Asset-Discovery - Lyncsmash - hosted Lync/Skype for Business ([↑](#contents)Business Communication Infrastructure Discovery)

README

        

```

██╗  ██╗   ██╗███╗   ██╗ ██████╗███████╗███╗   ███╗ █████╗ ███████╗██╗  ██╗

██║  ╚██╗ ██╔╝████╗  ██║██╔════╝██╔════╝████╗ ████║██╔══██╗██╔════╝██║  ██║

██║   ╚████╔╝ ██╔██╗ ██║██║     ███████╗██╔████╔██║███████║███████╗███████║

██║    ╚██╔╝  ██║╚██╗██║██║     ╚════██║██║╚██╔╝██║██╔══██║╚════██║██╔══██║

███████╗██║   ██║ ╚████║╚██████╗███████║██║ ╚═╝ ██║██║  ██║███████║██║  ██║

╚══════╝╚═╝   ╚═╝  ╚═══╝ ╚═════╝╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝

```                                                                   

a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations

*Note: these tools will not work with Skype/Lync installations hosted at Microsoft.*



DerbyCon 6.0 YouTube link: https://www.youtube.com/watch?v=v0NTaCFk6VI

DerbyCon 6.0 Slide Deck: https://github.com/nyxgeek/nyxgeek-slides/blob/master/TheWeakestLync.pdf

## scripts

 * lyncsmash.py - enumerate users via auth timing bug while brute forcing, lock accounts, locate lync installs

 * find_domain.sh  - example of how to use Nmap with http-ntlm-info script to discover internal NetBIOS & domain names

 * brute_force_ntlm.sh - example of a brute force attack against Skype/Lync using Medusa

 * ntlm-info.py - script to get NetBIOS Domain name from NTLM auth

## wordlists

 * skype-directories.txt - a listing of directories that may have NTLM-auth enabled

 * alexa-top-20000-sites.txt - a listing of the top 20,000 Alexa sites - to be used with discover mode

If you're looking for username lists, I highly recommend 'Statistically Likely Usernames': https://github.com/insidetrust/statistically-likely-usernames.git



## using lyncsmash.py

lyncsmash has three operating modes:

 * enum - use to enumerate users via the auth timing attack

 * discover - will take a list of domains and determine which use Skype for Business/Lync

 * lock - make repeated bad authentication attempts in order to lock out an account

### lyncsmash.py enum - enumerate users

** WARNING: THIS PERFORMS A DOMAIN LOGIN ATTEMPT AND CAN LOCK OUT ACCOUNTS **

```

Parameters:

    -H	hostname

    -U	username list

    -p  password

    -P  password list

    -d	NetBIOS domain

    -o  output file

    -t  manually set timeout

    -r  Randomize the user input list

    -s  Sleep between each request (seconds)(enum only)

```

In this mode lyncsmash will enumerate usernames via a timing attack, using the Webticket service located on the Lync Front-End server. If a bad username and/or domain is specified, the response will be long. If it is a valid user, the response will be short. Due to limitations of the timing-attack, this can only be run single-threaded.

usage:

```

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt

or

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO

```

### lyncsmash.py discover - discovering domains that are running Skype/Lync

```

Parameters:

    -H	host list - one DNS base domain per line

```

In this mode lyncsmash will attempt to enumerate various Skype/Lync subdomains via DNS, and returns a score based on number of indicators. Wildcard domains are discarded.

usage:

```

python lyncsmash.py discover -H domain_list.txt

```

### lyncsmash lock - lockout an account with repeated login failures

** WARNING: THIS WILL LOCK OUT ACCOUNTS. **

```

Parameters:

    -H	hostname

    -u	username to lock out

    -d	NetBIOS domain

```

In this mode lyncsmash will make 5 login attempts with an incorrect password, attempting to lock out a user account.

usage:

```

python lyncsmash.py lock -H 2013-lync-fe.contoso.com -u administrator -d CONTOSO

```



## ntlm-info.py

This script examines the HTTP headers from a null NTLM auth attempt.  It will test against the /abs/ directory by default but any directory can be specified as a second argument (see below). This is a remake of the http-ntlm-info script from nmap (https://nmap.org/nsedoc/scripts/http-ntlm-info.html).

Additional potential NTLM auth directories can be found in this repository under wordlists (https://github.com/nyxgeek/lyncsmash/blob/master/wordlists/skype-directories.txt).

If you're having trouble locating NTLM auth directories, I wrote a script to scan for them:  (https://github.com/nyxgeek/ntlmscan).

Requires requests_ntlm -- install with:

```pip install requests_ntlm```

Usage:

```

python ntlm-info.py dialin.domain.com

python ntlm-info.py dialin.domain.com RequestHandlerExt

```

## thanks!

Thanks to @coldfusion39, @spoonman1091, @nettitude, @shellfail, picarddam, @fals3s3t, and @Oddvarmoe for contributing fixes and improvements!