Attacking Exchange with MailSniper

Beau Bullock //

I’ve added in a few modules to MailSniper that will assist in remote attacks against organizations that are hosting an externally facing Exchange server (OWA or EWS). Specifically, the modules are Get-GlobalAddressList, Invoke-PasswordSprayOWA, and Invoke-PasswordSprayEWS.


Very often on external penetration tests we perform a reconnaissance phase that might yield us some email addresses or usernames of an organization. If we can successfully find valid credentials for any one of them, and the organization has an Outlook Web Access or Exchange Web Services portal it is possible to download the entire Global Address List from the Exchange server. So, from one valid credential we can now have access to all email addresses for every employee of an organization.

In trying to improve on the method Carrie Roberts wrote about in her blog post regarding gathering the Global Address List from OWA manually I’ve automated this task into MailSniper.  Brian Fehrman found something very interesting in OWA. There is a function called FindPeople that will allow you to pull back the entire GAL with a single request. Unfortunately, this function is only implemented in Exchange version 2013. In testing, Get-GlobalAddressList that utilizes the FindPeople function was able to pull 4282 email addresses from a remote OWA portal in 10 seconds.

The OWA “FindPeople” method requires you are using PowerShell version 3 or higher.

For cases where the Exchange version is less than 2013 Get-GlobalAddressList fails back to enumerating the GAL from Exchange Web Services. This method can take a bit longer due to the fact that EWS will only let you search 100 results at a time. To get around this restriction I basically search AA through ZZ then sort/uniq the results.

To use it import the module into a PowerShell version 3 session then run something like this:

Get-GlobalAddressList -ExchHostname -UserName

domain\username -Password Fall2016 -OutFile global-address-list.txt

If Exchange version is 2013 it should look something like this:

After obtaining the full email list you can then feed that back into password spraying attacks where you will likely gain more valid credentials.

Speaking of password spraying…

Invoke-PasswordSprayOWA & Invoke-PasswordSprayEWS

I wrote in two modules for password spraying Outlook Web Access and Exchange Web Services to MailSniper. Password spraying is an attack where instead of trying to brute force many password attempts for a single user account we try one password across many user accounts. This helps avoid account lockout and will still result in us obtaining valid credentials as users still pick passwords like “Fall2016”. Both of the functions are multi-threaded. Just pass the -Threads option and specify a number of threads (15 seems to be a pretty good starting point).

Both functions have a similar structure but one thing to note is that Invoke-PasswordSprayOWA requires PowerShell version 3 or higher.

To use Invoke-PasswordSprayOWA import the module into a PowerShell version 3 session then run something like this:

Invoke-PasswordSprayOWA -ExchHostname -UserList

.\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt

To use Invoke-PasswordSprayEWS import the module into a PowerShell session then run something like this:

Invoke-PasswordSprayEWS -ExchHostname -UserList

.\userlist.txt -Password Fall2016 -Threads 15 -OutFile ews-sprayed-creds.txt

You should start to see credentials populate in the terminal as MailSniper finds valid creds:

In testing I’ve noticed the EWS password spraying method is significantly faster. Both Invoke-PasswordSprayOWA and using Burp Intruder with 15 threads took about 1 hour and 45 minutes to complete spraying 10,000 users. Spraying that same list of users against EWS took only 9 minutes and 28 seconds.

For more information about MailSniper check out this blog post.

*Psst* If you liked this blog, we think you’d enjoy Beau’s class:

Breaching the Cloud 

Available live/virtual and on-demand!