原文地址:https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and while no patches are available at the point of writing, there are mitigations that can be applied to prevent this privilege escalation. This blog details the attack, some of the more technical details and mitigations, as well as releasing a proof-of-concept tool for this attack which I’ve dubbed “PrivExchange”.
前言引用來源:https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
文章圖片來源:https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
-------------------
如果你認同我們每日分享的文章,請幫我們按個讚並且點擊追蹤「搶先看」,讓我們提供最新消息給您!您的分享及點讚,是我們持續推廣資訊安全最大的動力來源。
https://www.facebook.com/LonelyPoPo/
![[漏洞預警]NagiosXI 全版本遠端程式碼執行-波波的寂寞世界](https://lonelysec.com/wp-content/uploads/2019/04/nagios-220x150.png)
![[ 隨機福利 ] 紅隊實戰演練環境 下載-波波的寂寞世界](https://lonelysec.com/wp-content/uploads/2019/04/red-team-3-220x150.png)
![紅隊實戰演練環境 下載 [ 單域環境 ]-波波的寂寞世界](https://lonelysec.com/wp-content/uploads/2019/04/red-team-2-220x150.png)
