This tool provides the attacker with an OWA-like interface to the relayed user's mailbox and contacts.
- Raw XML access to the EWS host, so you can send requests for features and functions that were not pre-programmed into ExchangeRelayX
- Add redirect rules to the victim's mailbox as a backdoor
- Download all attachments from this user's inbox and sent folder
- Search the global address book tied to Active Directory
- Send emails, with attachments, as the victim; these emails will not be saved in the user's Sent folder
Program Structure
The application breaks down into the owaServer, the relay servers, and the HTTPAttack client (exchange plugin) that is created for each new relayed connection.
The owaServer is a Flask-based web server that listens on http://127.0.0.1:8000 by default. It serves the static HTML files index.html, OWA.html and ComposeEmail.html; everything else is packed into JSON requests (from EWS.js) to the owaServer endpoints. When a request reaches the owaServer, it generates the appropriate EWS call and places it in the shared-memory dictionary used by both the owaServer and the exchange plugin. Once the exchange plugin picks up the request, it sends it to Exchange and then loads the response into the same shared-memory dictionary. Finally, once the owaServer receives the response from the plugin, it parses the data and returns the results. You will notice that file downloads do not behave like those of a typical website; that is due to the asynchronous nature of the program.
The relay servers are standard impacket HTTP- and SMB-based NTLM relay servers, and they create a new exchange plugin instance for each newly relayed connection.
The exchange plugin is, in a nutshell, the actual HTTPClient that makes the requests to and receives the responses from the EWS server. All exchangePlugin instances are passed the same shared-memory dictionary on initialization and use it for interprocess communication. This allows requests from the owaServer to be routed back to the appropriate user's relayed connection, which gives more flexibility for handling multiple victims.
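The shared-dictionary hand-off described in the two sections above, as an added Python illustration that is not ExchangeRelayX's own code: a lock-guarded board keyed by relayed connection, one worker per connection standing in for the exchange plugin, and a front end that files a request and polls for its reply. The connection ids, the "GetFolder" request string and the echo `upstream` callable are constructed stand-ins, and the real tool's cross-process dictionary is approximated here with threads.

```python
import threading, time, uuid

# (connection_id, request_id) -> (state, payload). Entries are replaced whole,
# never mutated in place, so a multiprocessing.Manager().dict() could stand in.
class RequestBoard:
    def __init__(self):
        self._lock, self._slots = threading.Lock(), {}
    def submit(self, connection_id, request):  # front end: park a request
        request_id = uuid.uuid4().hex
        with self._lock:
            self._slots[(connection_id, request_id)] = ("pending", request)
        return request_id
    def claim(self, connection_id):  # worker: take a pending job for its own connection only
        with self._lock:
            for (cid, rid), (state, payload) in self._slots.items():
                if cid == connection_id and state == "pending":
                    self._slots[(cid, rid)] = ("claimed", payload)
                    return rid, payload
        return None
    def answer(self, connection_id, request_id, response):  # worker: publish the reply
        with self._lock:
            self._slots[(connection_id, request_id)] = ("done", response)
    def wait_for(self, connection_id, request_id, timeout=2.0):  # front end: poll for the reply
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if self._slots.get((connection_id, request_id), (None,))[0] == "done":
                    return self._slots.pop((connection_id, request_id))[1]
            time.sleep(0.005)
        raise TimeoutError(f"no reply for {request_id} on {connection_id}")

def worker(board, connection_id, upstream, stop):
    # one worker per relayed connection; 'upstream' stands in for the EWS round trip
    while not stop.is_set():
        job = board.claim(connection_id)
        if job:
            board.answer(connection_id, job[0], upstream(job[1]))
        time.sleep(0.005)

def demo():
    # two connections, two workers: each reply comes back on the connection it was filed under
    board, stop = RequestBoard(), threading.Event()
    for cid in ("conn-A", "conn-B"):
        threading.Thread(target=worker, daemon=True,
                         args=(board, cid, lambda r, c=cid: f"{c}:{r}", stop)).start()
    ids = {cid: board.submit(cid, "GetFolder") for cid in ("conn-A", "conn-B")}
    results = {cid: board.wait_for(cid, rid) for cid, rid in ids.items()}
    stop.set()
    return results
```

The board is keyed by connection first so that a worker never picks up another connection's request, which is what keeps multi-victim routing straight.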