/LICENSE:

MIT License

Copyright (c) 2016 Beau Bullock

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

/README.md:

# MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.

MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.

For more information about the primary MailSniper functionality check out this [blog post](http://www.blackhillsinfosec.com/?p=5296).

For more information about additional MailSniper modules check out:

- [GAL & Password Spraying](http://www.blackhillsinfosec.com/?p=5330)

- [Invoke-OpenInboxFinder](http://www.blackhillsinfosec.com/?p=5871)

Download the [MailSniper Field Manual](http://www.dafthack.com/files/MailSniper-Field-Manual.pdf) to quickly reference various MailSniper functions.

## Quick Start Guide
There are two main functions in MailSniper: **Invoke-GlobalMailSearch** and **Invoke-SelfSearch**.

**Invoke-GlobalMailSearch** is a module that will connect to a Microsoft Exchange server and grant the "ApplicationImpersonation" role to a specified user. Having the "ApplicationImpersonation" role allows that user to search through every other domain user's mailbox. After this role has been granted, the Invoke-GlobalMailSearch function creates a list of all mailboxes in the Exchange database. It then connects to Exchange Web Services (EWS) using the impersonation role to gather a number of emails from each mailbox and ultimately searches through them for specific terms. By default, the script searches for "\*password\*","\*creds\*","\*credentials\*".

To search all mailboxes in a domain:

```PowerShell
Invoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname Exch01 -OutputCsv global-email-search.csv
```

This command will connect to the Exchange server located at 'Exch01' and prompt for administrative credentials (i.e.
member of the "Exchange Organization Administrators" or "Organization Management" group). Once administrative credentials have been entered, a PowerShell remoting session is set up with the Exchange server, where the ApplicationImpersonation role is then granted to the "current-username" user. A list of all email addresses in the domain is then gathered, followed by a connection to EWS as "current-username" where, by default, the 100 latest emails from each mailbox will be searched for the terms "\*pass\*","\*creds\*","\*credentials\*" and output to a CSV file called global-email-search.csv.

**Invoke-SelfSearch** is a module that will connect to a Microsoft Exchange server using EWS to gather a number of emails from the current user's mailbox. It then searches through them for specific terms. This could potentially assist in privilege escalation after obtaining a user's credentials, or assist in locating sensitive data as a non-admin user.

To search the current user's mailbox:

```PowerShell
Invoke-SelfSearch -Mailbox current-user@domain.com
```

This command will connect over EWS to the Exchange server autodiscovered from the email address entered, where, by default, the 100 latest emails from the "Mailbox" will be searched for the terms "\*pass\*","\*creds\*","\*credentials\*".

**Invoke-GlobalO365MailSearch** is the same as Invoke-GlobalMailSearch, with support for single sign-on (SSO) based authentication to O365.

### Invoke-GlobalMailSearch Options
```
ImpersonationAccount - This user will be granted the ApplicationImpersonation role on the Exchange server.
ExchHostname - The hostname of the Exchange server to connect to (if $AutoDiscoverEmail is specified the server will be autodiscovered).
AutoDiscoverEmail - A valid email address that will be used to autodiscover where the Exchange server is located.
MailsPerUser - The total number of emails returned from each mailbox.
Terms - Specific search terms used to search through each email subject and body. By default, the script searches for "*password*","*creds*","*credentials*".
OutputCsv - Outputs the results of the search to a CSV file.
ExchangeVersion - Specify the version of Exchange server to connect to. By default the script tries Exchange2010.
AdminUserName - The username of an Exchange administrator (i.e. member of the "Exchange Organization Administrators" or "Organization Management" group) including the domain (i.e. domain\adminusername).
AdminPassword - The password of the Exchange administrator (i.e. member of the "Exchange Organization Administrators" or "Organization Management" group) account specified with AdminUserName.
EmailList - A text file listing email addresses to search (one per line).
Folder - A specific folder within each mailbox to search. By default, the script only searches the "Inbox" folder. By specifying 'all', all folders and subfolders will be searched.
Regex - Use a regular expression when performing searches. This will override the -Terms flag.
CheckAttachments - Attempts to search through the contents of email attachments in addition to the default body and subject. These attachments can be downloaded by specifying the -DownloadDir option. Searches for the following extensions: .bat, .htm, .msg, .pdf, .txt, .ps1, .doc and .xls.
DownloadDir - Download files to a specific location.
```
### Invoke-SelfSearch Options
```
ExchHostname - The hostname of the Exchange server to connect to (if $Mailbox is specified the server will be autodiscovered).
Mailbox - Email address of the current user the PowerShell process is running as.
MailsPerUser - Number of emails to return.
Terms - Specific search terms used to search through each email subject and body.
By default, the script searches for "*password*","*creds*","*credentials*".
OutputCsv - Outputs the results of the search to a CSV file.
ExchangeVersion - Specify the version of Exchange server to connect to (default Exchange2010).
Remote - A new credential box will pop up for accessing a remote EWS service from the internet.
Folder - A specific folder within each mailbox to search. By default, the script only searches the "Inbox" folder. By specifying 'all', all folders and subfolders will be searched.
Regex - Use a regular expression when performing searches. This will override the -Terms flag.
CheckAttachments - Attempts to search through the contents of email attachments in addition to the default body and subject. These attachments can be downloaded by specifying the -DownloadDir option. Searches for the following extensions: .bat, .htm, .msg, .pdf, .txt, .ps1, .doc and .xls.
DownloadDir - Download files to a specific location.
OtherUserMailbox - Use this flag when attempting to read emails from a different user's mailbox.
UsePrt - Uses the current user's PRT to authenticate.
AccessToken - Use the provided OAuth access token to authenticate.
```
### Invoke-GlobalO365MailSearch Options
```
UsePrtImperonsationAccount - Uses the current user's PRT to authenticate the ImpersonationAccount.
AccessTokenImpersonationAccount - Use the provided OAuth access token to authenticate the ImpersonationAccount.
UsePrtAdminAccount - Uses the current user's PRT to authenticate the AdminAccount.
AccessTokenAdminAccount - Use the provided OAuth access token to authenticate the AdminAccount.
```
## Additional MailSniper Modules
**Get-GlobalAddressList** will attempt to connect to an Outlook Web Access (OWA) portal and utilize the "FindPeople" method (only available in Exchange2013 and up) of gathering email addresses from the GAL.
If this does not succeed, the script will attempt to connect to EWS and gather the GAL from there.
```PowerShell
Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Spring2021 -OutFile gal.txt
```
**Get-MailboxFolders** will connect to a Microsoft Exchange server using EWS and gather a list of folders from the current user's mailbox.
```PowerShell
Get-MailboxFolders -Mailbox current-user@domain.com
```
**Invoke-PasswordSprayOWA** will attempt to connect to an OWA portal and perform a password spraying attack using a userlist and a single password.
```PowerShell
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
```
**Invoke-PasswordSprayEWS** will attempt to connect to an EWS portal and perform a password spraying attack using a userlist and a single password.
```PowerShell
Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt
```
**Invoke-PasswordSprayGmail** will attempt to connect to a Gmail authentication portal and perform a password spraying attack using a userlist and a single password.
```PowerShell
Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt
```
**Invoke-DomainHarvestOWA** will attempt to connect to an OWA portal and determine a valid domain name for logging into the portal, either from the WWW-Authenticate header returned in a web response from the server or based on small timing differences in login attempts.
```PowerShell
Invoke-DomainHarvestOWA -ExchHostname mail.domain.com
```
**Invoke-UsernameHarvestOWA** will attempt to connect to an OWA portal and harvest valid usernames based on small timing differences in login attempts.
```PowerShell
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt
```
**Invoke-UsernameHarvestGmail** is a module that will attempt to enumerate Google Apps user accounts and potentially identify user accounts that have opted out of the implemented 2FA solutions.
```PowerShell
Invoke-UsernameHarvestGmail -Account
Invoke-UsernameHarvestGmail -UserFile .\emails.txt
Invoke-UsernameHarvestGmail -UserFile .\emails.txt -ProxyHosts 10.0.0.5:8080,10.0.0.6:8080,10.0.0.10:443
Invoke-UsernameHarvestGmail -UserFile .\emails.txt -Detailed
Get-Content emails.txt | % { Invoke-UsernameHarvestGmail $_ }
```
**Invoke-OpenInboxFinder** will attempt to determine if the current user has access to the Inbox of each email address in a list of addresses.
```PowerShell
Invoke-OpenInboxFinder -EmailList email-list.txt
```
**Get-ADUsernameFromEWS** will attempt to determine the Active Directory username for a single email address or a list of addresses. Use the Get-GlobalAddressList module to harvest a full list of email addresses to use with Get-ADUsernameFromEWS.
```PowerShell
Get-ADUsernameFromEWS -EmailList email-list.txt
```
**Send-EWSEmail** will attempt to connect to EWS and send an email.
```PowerShell
Send-EWSEmail -ExchHostname substrate.office.com -Recipient $targetEmail -Subject "Foo" -EmailBody "Bar" -AccessToken $Accesstoken
```
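The Quick Start Guide above notes that Invoke-GlobalMailSearch works by granting the ApplicationImpersonation role to an account, which is also the durable artifact an Exchange administrator can audit for afterwards. The following is an added example (not part of MailSniper) for the on-premises Exchange Management Shell: it lists every account that effectively holds ApplicationImpersonation, compares that against an approved list, and pulls the admin audit log entries that granted the role. The cmdlets are standard Exchange cmdlets; the approved account name is a placeholder to replace with your own.

```powershell
# Added example, not MailSniper code: audit ApplicationImpersonation holders
# and recent grants on an on-premises Exchange server.

# 1. Who effectively holds ApplicationImpersonation right now? -GetEffectiveUsers
#    expands role groups so nested members are listed, not just the group name.
$assignments = Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName,
                  CustomRecipientWriteScope, WhenCreated

$assignments | Format-Table -AutoSize

# 2. Compare against the accounts that are supposed to have it.
#    'svc-backup-impersonation' is an assumed placeholder; use your own list.
$approved = @('svc-backup-impersonation')
$unexpected = $assignments | Where-Object { $approved -notcontains $_.EffectiveUserName }
if ($unexpected) {
    Write-Warning "Unexpected ApplicationImpersonation holders found:"
    $unexpected | Format-Table EffectiveUserName, RoleAssigneeName, WhenCreated -AutoSize
}

# 3. Who granted the role, and when? The admin audit log records the cmdlet,
#    the caller and the parameters, so the grant itself is visible here.
Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment -StartDate (Get-Date).AddDays(-30) |
    Where-Object {
        $_.CmdletParameters | Where-Object { $_.Name -eq 'Role' -and $_.Value -like '*ApplicationImpersonation*' }
    } |
    Select-Object RunDate, Caller, ObjectModified,
        @{ Name = 'Parameters'; Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Format-List
```

Search-AdminAuditLog is the on-premises cmdlet; in Exchange Online the same grant is recorded in the unified audit log instead. A role assignment whose WhenCreated value is recent and whose caller is not a known change ticket is the thing to investigate.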
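The password spraying modules above (Invoke-PasswordSprayOWA, Invoke-PasswordSprayEWS, Invoke-PasswordSprayGmail) all share one shape in the logs: a single source address failing against many distinct accounts in a short window, rather than many failures against one account. The following is an added example (not part of MailSniper) that flags that pattern. The log records are constructed sample data in a simplified CSV form; map your real source (OWA/EWS IIS logs, Security event 4625, or cloud sign-in logs) onto the same four columns before calling the function.

```powershell
# Added example, not MailSniper code: detect spray-shaped authentication failures.

# Constructed sample log. 203.0.113.10 tries four users once each and then
# succeeds against a fifth; 198.51.100.7 hammers one user (brute force, not spray).
$sampleLog = @'
timestamp,user,sourceIp,result
2021-04-01T09:00:01,alice@domain.com,203.0.113.10,Failure
2021-04-01T09:00:02,bob@domain.com,203.0.113.10,Failure
2021-04-01T09:00:03,carol@domain.com,203.0.113.10,Failure
2021-04-01T09:00:04,dave@domain.com,203.0.113.10,Failure
2021-04-01T09:00:05,erin@domain.com,203.0.113.10,Success
2021-04-01T09:05:00,alice@domain.com,198.51.100.7,Failure
2021-04-01T09:05:30,alice@domain.com,198.51.100.7,Failure
2021-04-01T09:06:00,alice@domain.com,198.51.100.7,Success
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with timestamp,user,sourceIp,result
        [int] $WindowMinutes = 10,                   # sliding window length
        [int] $MinDistinctUsers = 4                  # distinct users failing from one IP to alert
    )
    $alerts = @()
    foreach ($group in ($Events | Where-Object result -eq 'Failure' | Group-Object sourceIp)) {
        $sorted = $group.Group | Sort-Object { [datetime]$_.timestamp }
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = [datetime]$sorted[$i].timestamp
            $window = $sorted | Where-Object {
                $t = [datetime]$_.timestamp
                $t -ge $start -and $t -lt $start.AddMinutes($WindowMinutes)
            }
            $users = $window.user | Sort-Object -Unique
            if ($users.Count -ge $MinDistinctUsers) {
                # Any success from the same source is the account to act on first.
                $hits = $Events | Where-Object { $_.sourceIp -eq $group.Name -and $_.result -eq 'Success' }
                $alerts += [pscustomobject]@{
                    SourceIp      = $group.Name
                    WindowStart   = $start
                    DistinctUsers = $users.Count
                    Users         = $users -join ','
                    Successes     = ($hits.user | Sort-Object -Unique) -join ','
                }
                break   # one alert per source address is enough
            }
        }
    }
    return $alerts
}

$events = $sampleLog | ConvertFrom-Csv
Find-PasswordSpray -Events $events | Format-List
```

With the sample data only 203.0.113.10 is reported (four distinct users in one window, with erin@domain.com as the later success). 198.51.100.7 is not flagged because repeated failures against one account is a different pattern; a per-account failure threshold handles that case, and MailSniper's -Threads option means a real spray may arrive from one address faster than the timestamps above, so keep the window short and the distinct-user threshold low.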