Ruler is a tool that allows you to interact with Exchange servers through the MAPI/HTTP protocol. The main aim is abuse the client-side Outlook mail rules.
_ “ Silentbreak did a great job with this attack and it has served us well. The only downside has been that it takes time to get setup. Cloning a mailbox into a new instance of Outlook can be time consuming. And then there is all the clicking it takes to get a mailrule created. Wouldn’t the command line version of this attack be great? And that is how Ruler was born.” _
Ruler has multiple functions and more are planned. These include
Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.
Ruler is written in Go so you’ll need to have Go setup to run/build the project from source. The easiest way to get up and running from source is through
go get .
Get it through Go:
go get github.com/sensepost/ruler
You can now run the app through
go run in the GOPATH/src/github.com/sensepost/ruler directory:
go run ruler.go -h
Ruler works with both RPC/HTTP and MAPI/HTTP. Ruler favours MAPI/HTTP as this is the default in Exchange 2016 and Office365 deployments. If MAPI/HTTP fails, an attempt will be made to use RPC/HTTP. You can also force RPC/HTTP by supplying the
As mentioned before there are multiple functions to Ruler. In most cases you’ll want to first find a set of valid credentials. Do this however you wish, Phishing, Wifi+Mana or brute-force.
Ruler has 8 basic commands, these are:
There are a few global flags that should be used with most commands, while each command has sub-flags. For details on these, use the help command.
NAME: ruler - A tool to abuse Exchange Services USAGE: ruler-linux64 [global options] command [command options] [arguments...] VERSION: 2.0.17 DESCRIPTION: _ _ __ _ _| | ___ _ __ | '__| | | | |/ _ \ '__| | | | |_| | | __/ | |_| \__,_|_|\___|_| A tool by @_staaldraad from @sensepost to abuse Exchange Services. AUTHOR: Etienne Stalmans <email@example.com>, @_staaldraad