Autore Topic: ExchangeRelayX - An NTLM Relay Tool To The EWS Endpoint For On-Premise Exchange Servers (Provides An OWA For Hackers)  (Letto 142 volte)

0 Utenti e 1 Visitatore stanno visualizzando questo topic.

Offline Flavio58

Advertisement
ExchangeRelayX - An NTLM Relay Tool To The EWS Endpoint For On-Premise Exchange Servers (Provides An OWA For Hackers)


Version 1.0.0. This tool is a PoC to demonstrate the ability of an attacker to perform an SMB or HTTP based NTLM relay attack to the EWS endpoint on an on-premise Microsoft Exchange server to compromise the mailbox of the victim. This tool provides the attacker with an OWA looking interface, with access to the user's mailbox and contacts.

Background
Released at Defcon26. View the background on the tool, the core issues being exploited, and a recorded demo here: https://blog.quickbreach.io/one-click-to-owa/

Installation
pip install -r requirements.txt

Usage
./exchangeRelayx.py -t https://mail.quickbreach.com

Features
  • Raw XML Access to the EWS server, so you can send requests to functions and features that were not pre-programmed in exchangeRelayx
  • Add redirecting rules to the victim's email for backdooring
  • Download all attachments of the user, inbox and sent
  • Search the global address book tied to Active Directory
  • Send emails, with attachments, as the victim - the emails will not be stored in the user's sent folder

Program Structure
The application breaks apart into the owaServer, the relay servers, and the HTTPAttack client (exchangePlugin) that is created for each new relayed connection.

owaServer
The owaServer is a flask based webserver that listens on http://127.0.0.1:8000 by default. This web server serves up static HTML files of index.html, OWA.html, and ComposeEmail.html - and everything else is loaded from JSON requests (from EWS.js) to the owaServer endpoints. When a request is made to the owaServer, the owaServer will generate the appropriate EWS call and input it to the shared-memory dictionary that is used by both the owaServer and the exchangePlugin. Once the exchangePlugin recieves the request, it will send it off to Exchange and then load the response into the same shared-memory dictionary. Finally, when the owaServer gets the response from the dict, it parses the data and returns the results. You will notice that the file-download functionality is not that of a standard website, and that's due to the asynchronous nature of the app.

relay servers
The relay servers are standard impacket HTTP and SMB based NTLM relay servers, and they will create a new exchangePlugin instance for each newly relayed connection

exchangePlugin
The exchangePlugin is, in a nutshell, the actual HTTPClient making and recieving the requests from the EWS server. All exchangePlugin's are passed the same shared-memory dictionary upon initialization, and they use this dictionary for interprocess communication. This allows the requests from the owaServer to be passed back to the appropriate user's relayed connection - which gives more flexibility for for multi-victim managing.

Roadmap
This tool was built and tested against Exchange 2013 on a Server 2012 R2 system, so I would bet that adjustments will need to be made for other environments. Some goals for the next few iterations of the tool are:
  1. Detect and handle the various types of Exchange
  2. Incorporate the ExpandDL and FindPeople functions in EWS
  3. Add the ability to download the emails of the user themselves, rather than just the attachments
  4. Include a form to remove any added redirecting rules, currently it is manual through the Raw XML interface with the UpdateInboxRules function
Pull requests are greatly appreciated



Source: ExchangeRelayX - An NTLM Relay Tool To The EWS Endpoint For On-Premise Exchange Servers (Provides An OWA For Hackers)


Consulente in Informatica dal 1984

Software automazione, progettazione elettronica, computer vision, intelligenza artificiale, IoT, sicurezza informatica, tecnologie di sicurezza militare, SIGINT. 

Facebook:https://www.facebook.com/flaviobernardotti58
Twitter : https://www.twitter.com/Flavio58

Cell:  +39 366 3416556

f.bernardotti@deeplearningitalia.eu

#deeplearning #computervision #embeddedboard #iot #ai

 

Related Topics

  Oggetto / Aperto da Risposte Ultimo post
0 Risposte
158 Visite
Ultimo post Luglio 03, 2018, 08:02:18 pm
da Flavio58
0 Risposte
122 Visite
Ultimo post Luglio 04, 2018, 10:07:51 pm
da Flavio58
0 Risposte
108 Visite
Ultimo post Agosto 01, 2018, 12:04:28 am
da Flavio58
0 Risposte
128 Visite
Ultimo post Agosto 19, 2018, 10:06:44 am
da Flavio58
0 Risposte
148 Visite
Ultimo post Agosto 19, 2018, 04:01:54 pm
da Ruggero Respigo

Sitemap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326