Getting the GAL (via Skype/Lync)

This could also be called “The 1121st reason that I  <3 Sublime Text.”) All of this may already be well known, but I didn’t see too many references to it (if any), so I thought it would be helpful to share…

So the scenario was that this client had most of their externally facing portals configured to use a One Time Password, which I have not seen too often. Frankly, it sucks for us, but good for them. However, there was a Lync server setup and exposed to the internet.

A few rounds of password spraying later (using byt3bl33d3r’s spraying toolkit) and I had some valid creds. However, I couldn’t do a whole lot with them at that point, but let’s see what we can get out of Skype. I wasn’t interested in doing any SE with this account yet, but I wanted to try and grab the global address list somehow. I saw LyncSniper had some references to being able to do this, but it looks like the functionality didn’t make it in (yet). Because of the OTP set up, Dafthack’s mailsniper wasn’t working, and neither was ruler. (against O365). I would like to go back and investigate further why that is, but let’s move on for now…

I signed into the user’s Skype account and luckily for me, this user appeared to be OOO with his status manually set. I haven’t found any script that will do this automatically, but I was able to eventually obtain the GAL through the following (and had to do some cleanup within the file, but that’s shown below).


NOTE: Apparently in order to not hammer the front end servers, Skype does not automatically download the GAL to local disk right away. It seems to have taken about 15 minutes for the GAL to download to local disk and it ends up being stored in a file named galcontacts.db in:


It looks like in some older versions of the Lync client, you can change a registry key and force a download after restarting the application, but I did not find any key that they reference for Skype (for business 2016).

With that said, once the file is on disk, you can open it and extract the emails. It’s not in a pretty format, but there’s where sublime text came in handy. (and notepad, to be fair – I’m sure there’s an easier way to do this, but it was quick and dirty, and worked for me)

  1. Open notepad (plain old notepad.exe). File –> Open, and change the encoding to UTF-8 and change “Text Documents” to “All Files” then open galcontacts.db
  2. Copy all of the text (Ctrl-A) from that file, then paste it into sublime text (yes, it looks like ass)
  3. In ST, once you have the file pasted in:
    1. Find (Ctrl or Apple F), and click the option for a regex search (it’s the little .* on the bottom left of the screen – or use Alt + R)
    2. Paste in this regex (Taken from: and click “find all”

This should give you all of the emails in the GAL (along with the SIP addresses – so you will have duplicates). Ctrl/Apple-C then paste into a new file. After that it’s a simple matter of Edit –> Permute Lines –> Unique. (or sort -u of course).

So, this still didn’t get me much further, as the external perimiter is pretty locked down, but with more rounds of password spraying and some SE mixed in, things could get interesting…