Exchange services

Theory

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

Practice

Enumeration

Discover Exchange Servers

We can use the following commands to discover Exchange servers from a large scope of subdomains:

$ cat subdomains.txt
sub1.example.com
sub2.example.ru
sub3.example.bz

$ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr
1.3.3.7 [mx1.example.com]
66.66.66.66 [mx2.example.ru]
123.123.123.123 [mx3.example.bz]

Enumerate Exchange Version

We can use the following commands to retrieve the Exchange build number and correlate it with the release dates:

curl -sSL https://<TARGET>/owa/auth/logon.aspx -k | grep favicon.ico
# OR
curl https://<TARGET>/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application -k | xmllint --format - | grep version

User Enumeration (GAL)

If access to a domain-joined computer or a corporate email account is obtained, the Global Address List (GAL) can be exported, allowing a list of usernames to be retrieved.

Ruler

Ruler (Go) can be used to retrieve the GAL using known credentials.

ruler -k -d target.domain -u user -p 'Passw0rd!' -e [email protected] --verbose abk dump -o gal.txt

global-address-list-owa

global-address-list-owa (Python) can also be used to export the GAL using known credentials.

python3 emailextract.py -i exch01.target.domain -u [email protected] -p 'P@ssword!'

Vulnerabilities

PrivExchange, ProxyLogon, ProxyShell, ProxyNotShell

Password Spray

Password spray is an attack that involves using a single password against multiple accounts. This avoids the account lockouts that occur when multiple passwords are used on a single account. More details on this page.

Ruler (Go) can be used to perform password spray attacks:

ruler -k --domain target.domain brute --users global_address_list.txt --passwords passwords.txt --verbose -a 4
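
Seen from the detection side, the pattern described above is one source failing against many distinct accounts with only a few attempts per account. The following Python is an added example, not part of the original page or of Ruler; the event format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): timestamp, source IP, account, outcome.
# Assumption: failed logons (e.g. Windows Security event 4625) were normalized to this.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00,203.0.113.7,alice,FAIL
2024-05-01T09:01:00,203.0.113.7,bob,FAIL
2024-05-01T09:02:00,203.0.113.7,carol,FAIL
2024-05-01T09:03:00,203.0.113.7,dave,FAIL
2024-05-01T09:04:00,203.0.113.7,erin,FAIL
2024-05-01T09:05:00,203.0.113.7,frank,OK
2024-05-01T09:00:10,198.51.100.20,alice,FAIL
2024-05-01T09:00:20,198.51.100.20,alice,FAIL
2024-05-01T09:00:30,198.51.100.20,alice,FAIL
2024-05-01T08:00:00,192.0.2.50,gina,FAIL
2024-05-01T09:00:00,192.0.2.50,hugo,FAIL
2024-05-01T10:00:00,192.0.2.50,ivan,FAIL
2024-05-01T11:00:00,192.0.2.50,judy,FAIL
2024-05-01T12:00:00,192.0.2.50,kim,FAIL
"""

def parse(text):
    """Turn CSV lines into time-sorted (time, ip, account, outcome) tuples."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(t), ip, u.lower(), o) for t, ip, u, o in rows)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Map each source IP matching the spray pattern to the accounts it targeted."""
    fails, flagged = defaultdict(list), defaultdict(set)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails[ip].append((ts, user))
    for ip, seq in fails.items():
        start = 0
        for end in range(len(seq)):
            # Shrink the window from the left until it spans at most `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in seq[start:end + 1]:
                counts[user] += 1
            # Spray: many distinct accounts, each tried only a few times.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip].update(counts)
    return {ip: sorted(users) for ip, users in flagged.items()}

def compromised(events, flagged):
    """Accounts that logged on successfully from a flagged source: triage these first."""
    return sorted({u for _, ip, u, o in events if o == "OK" and ip in flagged})
```

Rerunning `detect_spray` with a longer window (for example six hours) also flags the low-rate source 192.0.2.50, which the 30-minute default misses.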
