Finding all things on-prem Microsoft for password spraying and enumeration.
The tool will used a list of common subdomains associated with your target apex domain to attempt to discover valid instances of on-prem Microsoft solutions. Screenshots of the tool in action are below:
Install the project using pipx
pipx install git+https://github.com/puzzlepeaches/msprobe.git The tool has four different modules that assist with the discovery of on-prem Microsoft products:
- Exchange
- RD Web
- ADFS
- Skype for Business
The help menu and supported modules are shown below:
Usage: msprobe [OPTIONS] COMMAND [ARGS]... Find Microsoft Exchange, RD Web, ADFS, and Skype instances Options: --help Show this message and exit. Commands: adfs Find Microsoft ADFS servers exch Find Microsoft Exchange servers full Find all Microsoft supported by msprobe rdp Find Microsoft RD Web servers skype Find Microsoft Skype servers Find ADFS servers associated with apex domain:
msprobe adfs acme.com Find RD Web servers associated with apex domain with verbose output:
msprobe rdp acme.com -v Find all Microsoft products hostsed on-prem for a domain:
msprobe full acme.com - Full wiki for each module
- Fixes for lxml based parsing in RD Web module
- @p0dalirius for RDWArecon
- @b17zr for the
ntlm_challenger.pyscript - @ReverendThing for his project Carnivore and it's included subdomains
- @busterbcook and their tool msmailprobe heavily influenced the creation of this project