New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange. https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ …
Replying to @_dirkjan
Hi! Really nice work Dirk :) I have two questions: 1) I tried an HTTP->LDAP relay after the ZDI blog went public without success. My Exchange was installed on the DC and I was doing the relay to itself (reflection). There is NO way to make HTTP->LDAP reflection work, right?
I'm testing this out on a system where Exchange is loaded onto the same machine as the DC. The symptom I'm seeing is that the USER/DOMAIN listed in the ntlmrelayx output shows up only as "/" (no user or domain) and FAILED. Is this just because it's on the same system? pic.twitter.com/FgUAwMHxeT
Yes, I don't think this will work when they are on the same machine.
That was indeed the problem. With Exchange on a different box than the domain controller, the PoC works just fine! pic.twitter.com/n1zMxCWuzZ