Microsoft Exchange – NTLM Relay

Gaining access to the mailbox of a user during a penetration test or a red team engagement can lead to arbitrary code execution, discovery of sensitive data such as credentials or performing internal Phishing to expand access across the network. Typically access to the mailbox is achieved via Phishing or Password Spraying.

Microsoft Exchange servers give a number of opportunities to attackers to abuse existing services like ActiveSync, EWS etc. Some of these services (MAPI, RPC and EWS) support NTLM authentication by default which can allow an attacker to perform a NTLM relay and get direct access to the inbox of a user. This avoids the need to crack the password hash which can be a time consuming process.

William Martin developed a python tool called ExchangeRelayX which can conduct NTLM Relay attack to Microsoft Exchange servers by attacking Exchange Web Services. Executing the following command will check if the Exchange Server support NTLM authentication.

 ./ -c -t 

ExchangeRelayX – Check for NTLM Support

Running again the tool only with the -t parameter (IP address of the Exchange Server) will setup an SMB listener and an HTTP server that will serve a local mail server.

 ./ -t 

ExchangeRelayX – Relay Servers

The mail server will run on localhost port 8000 and it can be access from the browser. Domain users which they got their NTLM password hash captured will appear on this page.

ExchangeRelayX – Main Page

There are multiple ways that NTLM authentication can be triggered. Some of them they have described in the article Places of Interest in Stealing NetNTLM hashes. However, the easiest method is to send an email that will contain a UNC path that will point to the address of the listeners.

Email – UNC Path

Users which they will receive a link with a UNC path that will target the IP address of the listeners will leak their NTLM hash once they click it. The NTLM hash will be captured and the tool will relay the hash to the Exchange for authentication. If the authentication is successful users will be added to the connection manager.

ExchangeRelayX – Relay Attack

The email server acts as an email viewer and the communication is performed via API calls to the Exchange Web Services (EWS).

ExchangeRelayX – Popped Users

The users will be able to get access to the inbox, draft, sent and deleted items. Any sensitive emails stored in these folders can be retrieved. The ExchangeRelayX also has a function to compose a new email for conducting an internal Phishing campaign in order to compromise mailboxes of additional users.

ExchangeRelayX – Accessing Mailbox

The address list can be also retrieved from the Address Book function.

ExchangeRelayX – Address List

Similar to ExchangeRelayx, Arno0x0x developed a tool called NtlmRelayToEWS which can be used to perform the same attack but without the Email interface. Both of these tools require Impacket suite for relay. This tool can be used to perform the following:

  • Send an HTML formed email
  • Harvest all items from Inbox, Sent Items, Calendar, Tasks
  • Inject a malicious forward rule to another email address
  • Home Page attack
  • Set a delegate address

The following command can be used to send an HTML formed email. Full details about the tool usage can be found in the GitHub page.

 ./ -t -r sendMail -d "Ian@pentest.local" -s Subject -m sampleMsg.html