Top Related Projects
Impacket is a collection of Python classes for working with network protocols.
A swiss army knife for pentesting networks
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Quick Overview
Ruler is a tool for abusing Exchange services. It allows remote enumeration of Exchange servers and provides a framework for interacting with Exchange through MAPI/HTTP or RPC/HTTP. Ruler can be used for various tasks, including gaining a shell on the Exchange server.
Pros
- Provides a comprehensive set of features for interacting with Exchange servers
- Supports both MAPI/HTTP and RPC/HTTP protocols
- Offers various attack vectors and exploitation techniques
- Actively maintained and regularly updated
Cons
- Can be used for malicious purposes if not handled responsibly
- Requires in-depth knowledge of Exchange services for effective use
- May trigger security alerts or be detected by antivirus software
- Limited documentation for some advanced features
Code Examples
As Ruler is a command-line tool and not a code library, there are no code examples to provide. Instead, here are some example command-line usage scenarios:
# Enumerate Exchange server information
ruler --email user@domain.com --password Pass1234! --verbose brute --domain domain.com
# Create a malicious form
ruler --email user@domain.com --password Pass1234! form add --name evilform --fromaddr attacker@evil.com --subject "Important Update" --body "Please click the link" --send
# Execute a command on the Exchange server
ruler --email user@domain.com --password Pass1234! --verbose shell --trigger logon --command "powershell.exe -enc BASE64_ENCODED_COMMAND"
Getting Started
To get started with Ruler:
- Install Go on your system if not already installed.
- Clone the Ruler repository:
git clone https://github.com/sensepost/ruler.git
- Navigate to the Ruler directory and build the project:
cd ruler go build
- Run Ruler with the desired options:
./ruler --help
Note: Always ensure you have proper authorization before using Ruler on any Exchange server. Unauthorized use may be illegal and unethical.
Competitor Comparisons
Impacket is a collection of Python classes for working with network protocols.
Pros of Impacket
- Broader scope: Supports multiple protocols and attack vectors beyond Exchange
- More active development: Frequent updates and contributions
- Extensive documentation and community support
Cons of Impacket
- Steeper learning curve due to its comprehensive nature
- Requires more setup and configuration for specific tasks
Code Comparison
Ruler (Go):
func (r *RuleAction) SetReply(reply string) {
r.Reply = reply
r.ActionType = "Reply"
}
Impacket (Python):
def send_ntlm_auth(self, serverChallenge, authenticateMessage):
if authenticateMessage.user_name != '':
self.username = authenticateMessage.user_name
return self.session.sendAuth(authenticateMessage)
Key Differences
- Ruler focuses specifically on Exchange server manipulation
- Impacket provides a broader set of tools for network protocols
- Ruler is written in Go, while Impacket is in Python
- Impacket offers more flexibility but requires more expertise
- Ruler is more user-friendly for Exchange-specific tasks
Use Cases
- Ruler: Ideal for targeted Exchange server testing and exploitation
- Impacket: Suitable for comprehensive network penetration testing and research
Community and Support
- Ruler: Smaller, more focused community
- Impacket: Larger user base, more third-party resources available
A swiss army knife for pentesting networks
Pros of CrackMapExec
- Broader scope: Supports multiple protocols (SMB, WMI, MSSQL, etc.) for network penetration testing
- Active development: Frequent updates and community contributions
- Modular architecture: Easily extendable with custom modules
Cons of CrackMapExec
- Steeper learning curve due to its extensive feature set
- May trigger more security alerts due to its aggressive scanning capabilities
- Requires more setup and dependencies compared to Ruler
Code Comparison
Ruler (Exchange-specific command):
ruler --email user@domain.com --password Pass123! display
CrackMapExec (SMB enumeration):
crackmapexec smb 192.168.1.0/24 -u user -p password --shares
Both tools offer command-line interfaces, but CrackMapExec provides a more versatile approach for network penetration testing across multiple protocols. Ruler focuses specifically on Microsoft Exchange and Outlook, offering a more specialized toolset for those environments.
While Ruler excels in Exchange-related tasks, CrackMapExec offers a broader range of functionalities for various network penetration testing scenarios. The choice between the two depends on the specific requirements of the penetration test and the target environment.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Pros of Responder
- Broader attack surface: Targets multiple protocols and services
- Active development: More frequent updates and community contributions
- Extensive documentation and usage examples
Cons of Responder
- More complex setup and configuration
- Potentially higher false positive rate due to broader scope
- May trigger more security alerts in protected environments
Code Comparison
Responder (Python):
def start():
try:
server = ThreadingUDPServer(('', 137), UDPHandler)
t = threading.Thread(name='UDP', target=server.serve_forever)
t.setDaemon(True)
t.start()
except Exception:
print(color("[!] Error starting UDP server on port 137", 1))
Ruler (Go):
func connect(c *cli.Context) error {
config := utils.GetConfig(c)
url := c.String("url")
if url == "" {
return fmt.Errorf("Required param --url is missing")
}
return autodiscover.CreateAutodiscover(url, config)
}
Responder focuses on network protocol exploitation, while Ruler targets Exchange/Outlook vulnerabilities. Responder's code snippet shows its multi-threaded approach to handling network requests, whereas Ruler's code demonstrates its command-line interface and configuration handling for targeting specific Exchange servers.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Introduction
Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is abuse the client-side Outlook features and gain a shell remotely.
The full low-down on how Ruler was implemented and some background regarding MAPI can be found in our blog posts:
- Ruler release
- Pass the Hash with Ruler
- Outlook forms and shells
- Outlook Home Page â Another Ruler Vector
For a demo of it in action: Ruler on YouTube
What does it do?
Ruler has multiple functions and more are planned. These include
- Enumerate valid users
- Create new malicious mail rules
- Dump the Global Address List (GAL)
- VBScript execution through forms
- VBScript execution through the Outlook Home Page
Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.
Getting Started
Compiled binaries for Linux, OSX and Windows are available. Find these in Releases information about setting up Ruler from source is found in the getting-started guide.
Usage
Ruler has multiple functions, these have their own documentation that can be found in the wiki:
- BruteForce -- discover valid user accounts
- Rules -- perform the traditional, rule based attack
- Forms -- execute VBScript through forms
- Homepage -- use the Outlook 'home page' for shell and persistence
- GAL -- grab the Global Address List
Attacking Exchange
The library included with Ruler allows for the creation of custom message using MAPI. This along with the Exchange documentation is a great starting point for new research. For an example of using this library in another project, see SensePost Liniaal.
License
Ruler is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/) Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.
Top Related Projects
Impacket is a collection of Python classes for working with network protocols.
A swiss army knife for pentesting networks
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot