This tool provides the attacker with an OWA-like interface that gives access to the victim's mailbox and contacts. Its features include:
- Raw XML access to the EWS endpoint, so requests can be sent for features and functions that were not pre-programmed into ExchangeRelayX
- Insert forwarding rules into the victim's mailbox for backdooring
- Download all attachments from the user's inbox and sent items
- Search the global address book tied to Active Directory
- Send emails, with attachments, as the victim; these emails will not be saved in the user's sent folder
The program breaks down into the owaServer, the relay servers, and the HTTPAttack client (exchange plugin) that is created for each new relayed connection.
The owaServer is a Flask-based web server that listens on http://127.0.0.1:8000 by default. This web server serves the static HTML documents index.html, OWA.html, and ComposeEmail.html; everything else is handled through JSON requests (from EWS.js) to the owaServer endpoints. When a request is made to the owaServer, the owaServer builds the appropriate EWS call and places it in the shared-memory dictionary that is used by both the owaServer and the exchange plugin. When the exchange plugin picks up the request, it sends it to Exchange and then loads the response into the same shared-memory dictionary. Finally, once the owaServer receives the response from the plugin, it parses the data and returns the results. You will notice that the file-download functionality does not behave like that of a standard website, and that is because of the asynchronous nature of the app.
The relay servers are regular impacket HTTP- and SMB-based NTLM relay servers, and they create a new exchange plugin instance for every newly relayed connection.
The exchange plugin is likewise abstracted: it is the actual HTTPClient that builds the requests to the EWS server and receives the responses. Each exchange plugin is passed the same shared-memory dictionary on initialization, and the plugins use this dictionary for interprocess communication. This allows requests from the owaServer to be routed to the appropriate user's relayed connection, which gives more flexibility for managing multiple victims.