Exchange 2016
Exchange 2019:- ProxyShell Exploit
In my previous blog post we looked at the Proxy Logon Exploit where several CVE's could be used to exploit an Exchange Server. In this article we will look at another exploit called "ProxyShell". The CVE for this vulnerability is "CVE-2021-34473". Let's head over to...
Exchange 2019:- ProxyLogon Exploit
Many of us know the HAFNIUM attacks that took place a little while ago and many Exchange servers were compromised. The sad part is that many Exchange Servers are still unpatched and vulnerable to attack, maybe not to the CVE's listed below but to others as well. One...
Exchange 2019:- Brute forcing OWA to gain access to user accounts
We all know that end users hate complex passwords and having to change passwords often leads them to use the same password but add a number or character at the end of it. Password complexity is just one of the problems. The next problem is information disclosure such...
Information disclosure with NTLM Authentication in Exchange Server
Performing some tests against my lab Exchange servers, I noticed that Shodan.io revealed information. Take note that attackers also use Shodan.io when enumerating targets. After digging further with NMAP and some scripts, it became more apparent that internal...
Exchange 2016:- Move request failures are not always due to space/back pressure but sometimes misconfigurations
As an IT Admin, mailbox migrations are a constant thing. Moving users to new databases because you have a new database or you trying clean up and old one with few users, or simply moving to Microsoft 365, there are times when things error out. Errors are not always...
Exchange 2019:- Rollback CVE-2023-21709 PowerShell script workaround
In the August 2023 Security update (SU) for Exchange Server 2016 and Exchange Server 2019, there was a work around that had to be put in place to remove the Token Cache Module in IIS to mitigate a vulnerability. Microsoft provided the script and you could apply it to...
Exchange 2016:- Event ID 4002 after performing migrations to Office 365 and invalid certificate
Sometimes the event logs on Exchange servers throw up errors or warnings that do not appear again. The event ID, 4002 for MSExchange Availability is a broad error/warning/informational alert. Looking a the error below, a Proxy request failed with an HTTP status code...
Exchange 2016:- LSA Event ID 6037 – could not authenticate to target autodiscover URL
As everything relies heavily on DNS and the ability to resolve names to IP's etc., if your DNS upstream is not working or something firewall/internally is not working, things do not always function as they should and you are presented with false positives. A friend of...
Exchange 2016:- Event ID 12000 – Deserialization Log for PowerShell Process
In one of my lab machines I was sifting through the log files and came across Event ID 12000 as shown below. As this lab machine does not have internet access at all, the error was a bit strange and no other alerts were raised. Nothing out of the ordinary was done...
Exchange 2013/2016/2019:- How NMAP reveals Exchange Server information.
Over the past few years, Microsoft Exchange Server has come under heavy attack and with each new Cumulative Update (CU) and Security Update (SU), CVE's are addressed and closed. The problem comes in when organisations do not patch servers (as mentioned in a few of my...