setspn -T example.domain.com -F -Q */* | findstr exchange
use a tool
1. Autodiscover interface
/autodiscover/autodiscover.xml
The Exchange Autodiscover service gives users a simple way to complete the authentication process by entering only their e-mail address and password.
Autodiscover proceeds in three stages:
1. Generate a list of Autodiscover servers.
2. Send a request to each server in the list until one returns a successful response.
3. As a last resort, try other alternatives, such as a DNS query.
Visit /Autodiscover/Autodiscover, and the following figure shows that the autodiscover interface exists.
2. Password spraying involves the OWA, EWS and ActiveSync interfaces.
**Tool address:**
```powershell
Import-Module .\MailSniper.ps1
Invoke-PasswordSprayEWS -ExchHostname SRV-mail.domain.com -UserList .\1.txt -Password ***************** -ExchangeVersion Exchange2013_SP1
```
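From the defender's side, a spray against OWA, EWS or ActiveSync appears in the front-end IIS logs as one client failing logons for many distinct accounts while staying under the per-account lockout threshold. The following is an added example, not part of the original page or of MailSniper: the log lines are constructed, the function names are hypothetical, and it assumes the attempted account is recorded in `cs-username` on 401 responses.

```python
from collections import defaultdict

# Constructed IIS W3C excerpt (not from the page). Assumption: the front end
# records the attempted account in cs-username on failed logons (status 401).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-10 09:00:01 POST /EWS/Exchange.asmx CORP\\alice 203.0.113.7 401
2024-01-10 09:00:03 POST /EWS/Exchange.asmx CORP\\bob 203.0.113.7 401
2024-01-10 09:00:05 POST /EWS/Exchange.asmx CORP\\carol 203.0.113.7 401
2024-01-10 09:00:07 POST /EWS/Exchange.asmx CORP\\dave 203.0.113.7 200
2024-01-10 09:00:09 POST /Microsoft-Server-ActiveSync CORP\\erin 203.0.113.7 401
2024-01-10 09:05:00 POST /EWS/Exchange.asmx CORP\\frank 198.51.100.20 401
2024-01-10 09:05:04 POST /EWS/Exchange.asmx CORP\\frank 198.51.100.20 401
2024-01-10 09:05:09 POST /EWS/Exchange.asmx CORP\\frank 198.51.100.20 200
2024-01-10 09:06:00 GET /owa/favicon.ico - 198.51.100.20 200
"""
AUTH_PATHS = ("/ews/", "/owa/", "/microsoft-server-activesync", "/autodiscover/")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_spray_sources(text, min_users=4):
    """Flag (client IP, hour) buckets that fail logons for many distinct accounts."""
    failed = defaultdict(lambda: defaultdict(int))  # bucket -> account -> 401 count
    succeeded = defaultdict(set)                    # bucket -> accounts with a 200
    for r in parse_w3c(text):
        user = r["cs-username"].lower()
        if user == "-" or not r["cs-uri-stem"].lower().startswith(AUTH_PATHS):
            continue  # anonymous request or not an Exchange auth endpoint
        bucket = (r["c-ip"], r["date"], r["time"][:2])
        if r["sc-status"] == "401":
            failed[bucket][user] += 1
        elif r["sc-status"] == "200":
            succeeded[bucket].add(user)
    return [{"source": b[0], "hour": f"{b[1]} {b[2]}:00",
             "failed_accounts": sorted(u), "max_failures_per_account": max(u.values()),
             "accounts_to_reset": sorted(succeeded[b])}
            for b, u in failed.items() if len(u) >= min_users]
```

The repeated failures for a single account from 198.51.100.20 are not flagged, because the rule keys on distinct accounts per source rather than failures per account; set `min_users` with the domain's lockout policy and normal shared-NAT traffic in mind.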
3. OWA form submission
Passwords can be brute-forced with the msf module /scanner/http/owa_ews_login.
Check the password policy.
4. EWS interface
EWS (Exchange Web Services) is a set of API interfaces provided by the Exchange server for communication between client and server. EWS requests captured in Burp look similar to Autodiscover requests, and the authentication process is the same.
5. Microsoft-Server-ActiveSync interface
No available instances were found.
Once a domain member account has been obtained, the attack surface can be expanded through information gathering.
Use MailSniper's Get-GlobalAddressList command to request the global address list from the Exchange server.