dafthack/MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.

Top Related Projects

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient

A tool to abuse Exchange services

A toolkit to attack Office365

Quick Overview

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific information. It can be used to search for sensitive information across a company's email environment, as well as perform a variety of other email-related security assessments.

Pros

  • Comprehensive set of email-related security assessment capabilities, including searching for sensitive information, enumerating users, and more.
  • Supports a wide range of Microsoft Exchange versions, from Exchange 2010 to Exchange 2019.
  • Actively maintained and updated by the project maintainers.
  • Provides detailed documentation and examples to help users get started.

Cons

  • Requires a certain level of technical expertise to use effectively, as it is a command-line tool.
  • Primarily focused on Microsoft Exchange environments, so it may not be as useful for organizations using other email platforms.
  • Some features, such as the ability to send phishing emails, could potentially be misused for malicious purposes.
  • Requires access to the target email environment, which may not always be available in a penetration testing scenario.

Getting Started

To get started with MailSniper, follow these steps:

  1. Clone the repository from GitHub:
     git clone https://github.com/dafthack/MailSniper.git
  2. Navigate to the MailSniper directory:
     cd MailSniper
  3. Import the MailSniper module in PowerShell:
     Import-Module .\MailSniper.ps1
  4. Use one of the available functions to start your email security assessment. For example, to search for sensitive information in emails:
     Invoke-SelfSearch -Mailbox current-user@domain.com -Terms "*confidential*"

This command will search the current user's mailbox for any emails containing the word "confidential".

You can also use other functions, such as Get-GlobalAddressList to enumerate email users, or Invoke-DomainHarvestOWA to attempt to guess email addresses.

Refer to the project's documentation for a complete list of available functions and usage examples.

Competitor Comparisons

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient

Pros of SprayingToolkit

  • Supports multiple protocols and services (OWA, O365, Lync/Skype, EWS)
  • Includes additional tools like a proxy scraper and IP rotator
  • Offers more customization options for spraying attacks

Cons of SprayingToolkit

  • Less focused on Exchange-specific enumeration and exploitation
  • May require more setup and configuration for specific use cases
  • Potentially steeper learning curve due to broader feature set

Code Comparison

MailSniper (PowerShell):

Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\users.txt -Password Spring2023!

SprayingToolkit (Python):

python3 atomizer.py owa mail.domain.com ./users.txt Spring2023! --threads 3 --delay 0

Both tools offer password spraying functionality, but SprayingToolkit provides more options for customization and supports multiple protocols. MailSniper is more focused on Exchange-specific tasks and offers additional features like GAL enumeration and mailbox searching.

SprayingToolkit is written in Python, making it more platform-independent, while MailSniper is PowerShell-based, which may be more convenient for Windows environments. The choice between the two depends on the specific requirements of the task at hand and the user's familiarity with the respective languages and environments.

A tool to abuse Exchange services

Pros of ruler

  • More comprehensive Exchange/Outlook manipulation capabilities
  • Supports a wider range of attack vectors and techniques
  • Actively maintained with regular updates

Cons of ruler

  • Steeper learning curve due to more complex functionality
  • May require more setup and configuration for certain operations
  • Potentially more likely to trigger security alerts due to its extensive features

Code Comparison

MailSniper (PowerShell):

Invoke-GlobalMailSearch -ImpersonationAccount "admin@domain.com" -ExchHostname "mail.domain.com" -AdminUserName "admin" -AdminPassword "password" -EmailList "emails.txt" -OutputCsv "results.csv"

ruler (Go):

ruler --email user@domain.com --password Pass123 --verbose --debug --nocache --url https://outlook.office365.com/EWS/Exchange.asmx display --folder Inbox

Summary

MailSniper focuses primarily on searching and retrieving emails from Exchange servers, while ruler offers a broader set of features for manipulating Exchange and Outlook. MailSniper is generally easier to use for basic email searching tasks, but ruler provides more advanced capabilities for experienced users. Both tools have their strengths and are valuable in different scenarios, depending on the specific requirements of the task at hand.

A toolkit to attack Office365

Pros of o365-attack-toolkit

  • Specifically designed for Office 365 environments, offering more targeted functionality
  • Includes features for password spraying and user enumeration
  • Supports multi-factor authentication (MFA) bypass techniques

Cons of o365-attack-toolkit

  • Less versatile than MailSniper, focusing solely on Office 365
  • May require more frequent updates to keep up with Office 365 security changes
  • Potentially more complex to use for beginners due to its specialized nature

Code Comparison

MailSniper (PowerShell):

$Password = ConvertTo-SecureString -AsPlainText "Password123!" -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList "user@domain.com",$Password
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2023! -Threads 15 -OutFile owa-sprayed-creds.txt

o365-attack-toolkit (Python):

from core import auth, enum
usernames = enum.get_valid_usernames(filename="users.txt")
auth.password_spray(usernames, password="Spring2023!")

Both tools offer password spraying capabilities, but o365-attack-toolkit's code is more concise and Python-based, while MailSniper uses PowerShell and provides more detailed options in its function call.

README

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.

MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at an organization.

For more information about the primary MailSniper functionality check out blog post.

For more information about additional MailSniper modules check out:

Download the MailSniper Field Manual to quickly reference various MailSniper functions.

Quick Start Guide

There are two main functions in MailSniper. These two functions are Invoke-GlobalMailSearch and Invoke-SelfSearch.

Invoke-GlobalMailSearch is a module that will connect to a Microsoft Exchange server and grant the "ApplicationImpersonation" role to a specified user. Having the "ApplicationImpersonation" role allows that user to search through all other domain users' mailboxes. After this role has been granted, the Invoke-GlobalMailSearch function creates a list of all mailboxes in the Exchange database. It then connects to Exchange Web Services (EWS) using the impersonation role to gather a number of emails from each mailbox and ultimately searches through them for specific terms. By default, the script searches for "*password*","*creds*","*credentials*".

To search all mailboxes in a domain:

Invoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname Exch01 -OutputCsv global-email-search.csv

This command will connect to the Exchange server located at 'Exch01' and prompt for administrative credentials (i.e. member of "Exchange Organization Administrators" or "Organization Management" group). Once administrative credentials have been entered, a PowerShell remoting session is set up with the Exchange server, where the ApplicationImpersonation role is then granted to the "current-username" user. A list of all email addresses in the domain is then gathered, followed by a connection to EWS as "current-username" where, by default, 100 of the latest emails from each mailbox will be searched through for the terms "*pass*","*creds*","*credentials*" and output to a CSV file called global-email-search.csv.
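
For defenders, the role grant described above is the most visible step of this workflow. The following is an added example, not part of MailSniper or its README, that flags ApplicationImpersonation grants in records shaped like Search-AdminAuditLog output. The function name Find-ImpersonationGrant, the allow-list and all sample records are constructed, and it assumes the grant is recorded in the admin audit log as a New-ManagementRoleAssignment call.

```powershell
# Added example: flag ApplicationImpersonation grants in admin audit records.
# Records mimic Search-AdminAuditLog output (CmdletName, Caller, RunDate,
# CmdletParameters as Name/Value pairs). Every value below is constructed.
function Find-ImpersonationGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,
        # Hypothetical allow-list of accounts expected to hold the role.
        [string[]]$ApprovedAccounts = @()
    )
    process {
        if ($Record.CmdletName -ne 'New-ManagementRoleAssignment') { return }

        # Flatten the Name/Value parameter list into a lookup table.
        $p = @{}
        foreach ($kv in $Record.CmdletParameters) { $p[$kv.Name] = [string]$kv.Value }
        if ($p['Role'] -ne 'ApplicationImpersonation') { return }

        # The grantee is passed as -User or -SecurityGroup.
        $grantee = if ($p.ContainsKey('User')) { $p['User'] } else { $p['SecurityGroup'] }
        [pscustomobject]@{
            RunDate     = $Record.RunDate
            Caller      = $Record.Caller
            Grantee     = $grantee
            # True when a custom recipient write scope limits the grant.
            CustomScope = $p.ContainsKey('CustomRecipientWriteScope')
            Approved    = $ApprovedAccounts -contains $grantee
        }
    }
}

# Constructed sample records: one unexpected grant, one approved, one unrelated.
function New-SampleRecord($Cmdlet, $Caller, $Time, [hashtable]$Params) {
    [pscustomobject]@{
        CmdletName = $Cmdlet; Caller = $Caller; RunDate = [datetime]$Time
        CmdletParameters = @($Params.GetEnumerator() | ForEach-Object {
            [pscustomobject]@{ Name = $_.Key; Value = $_.Value } })
    }
}
$sample = @(
    New-SampleRecord 'New-ManagementRoleAssignment' 'CORP\ex-admin' '2024-03-04T02:17:00' @{
        Role = 'ApplicationImpersonation'; User = 'jdoe' }
    New-SampleRecord 'New-ManagementRoleAssignment' 'CORP\ex-admin' '2024-02-01T10:00:00' @{
        Role = 'ApplicationImpersonation'; User = 'svc-backup'; CustomRecipientWriteScope = 'BackupScope' }
    New-SampleRecord 'Set-Mailbox' 'CORP\helpdesk' '2024-03-04T09:30:00' @{ Identity = 'jdoe' }
)

# Report only grants to accounts that are not on the allow-list.
$sample | Find-ImpersonationGrant -ApprovedAccounts 'svc-backup' |
    Where-Object { -not $_.Approved }
```

On a live server the same records come from `Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment`, and `Get-ManagementRoleAssignment -Role ApplicationImpersonation` lists who currently holds the role.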

Invoke-SelfSearch is a module that will connect to a Microsoft Exchange server using EWS to gather a number of emails from the current user's mailbox. It then searches through them for specific terms. This could potentially assist in privilege escalation after obtaining a user's credentials or assist in locating sensitive data as a non-admin user.

To search the current user's mailbox:

Invoke-SelfSearch -Mailbox current-user@domain.com

This command will connect to the Exchange server autodiscovered from the email address entered using EWS where by default, 100 of the latest emails from the "Mailbox" will be searched through for the terms "*pass*","*creds*","*credentials*".

Invoke-GlobalO365MailSearch is the same as Invoke-GlobalMailSearch, with support for single sign-on (SSO) based authentication to O365.

Invoke-GlobalMailSearch Options

ImpersonationAccount  - This user will be granted the ApplicationImpersonation role on the Exchange server.
ExchHostname          - The hostname of the Exchange server to connect to (If $AutoDiscoverEmail is specified the server will be autodiscovered).
AutoDiscoverEmail     - A valid email address that will be used to autodiscover where the Exchange server is located.
MailsPerUser          - The total number of emails returned from each mailbox.
Terms                 - Specific search terms used to search through each email subject and body. By default, the script searches for "*password*","*creds*","*credentials*".
OutputCsv             - Outputs the results of the search to a CSV file.
ExchangeVersion       - Specify the version of Exchange server to connect to. By default the script tries Exchange2010.
AdminUserName         - The username of an Exchange administrator (i.e. member of the "Exchange Organization Administrators" or "Organization Management" group) including the domain (i.e. domain\adminusername).
AdminPassword         - The password to the Exchange administrator (i.e. member of the "Exchange Organization Administrators" or "Organization Management" group) account specified with AdminUserName.
EmailList             - A text file listing email addresses to search (one per line).
Folder                - A specific folder within each mailbox to search. By default, the script only searches the "Inbox" folder. By specifying 'all', all folders and subfolders will be searched.
Regex                 - Use a regular expression when performing searches. This will override the -Terms flag.
CheckAttachments      - Attempts to search through the contents of email attachments in addition to the default body and subject. These attachments can be downloaded by specifying the -DownloadDir option. Searches for the following extensions: .bat, .htm, .msg, .pdf, .txt, .ps1, .doc and .xls.
DownloadDir           - Download files to a specific location.

Invoke-SelfSearch Options

ExchHostname          - The hostname of the Exchange server to connect to (If $Mailbox is specified the server will be autodiscovered).
Mailbox               - Email address of the current user the PowerShell process is running as.
MailsPerUser          - Number of emails to return.
Terms                 - Specific search terms used to search through each email subject and body. By default, the script searches for "*password*","*creds*","*credentials*".
OutputCsv             - Outputs the results of the search to a CSV file.
ExchangeVersion       - Specify the version of Exchange server to connect to (default Exchange2010).
Remote                - A new credential box will pop up for accessing a remote EWS service from the internet.
Folder                - A specific folder within each mailbox to search. By default, the script only searches the "Inbox" folder. By specifying 'all', all folders and subfolders will be searched.
Regex                 - Use a regular expression when performing searches. This will override the -Terms flag.
CheckAttachments      - Attempts to search through the contents of email attachments in addition to the default body and subject. These attachments can be downloaded by specifying the -DownloadDir option. Searches for the following extensions: .bat, .htm, .msg, .pdf, .txt, .ps1, .doc and .xls.
DownloadDir           - Download files to a specific location.
OtherUserMailbox      - Use this flag when attempting to read emails from a different user's mailbox
UsePrt                - Uses the current user's PRT to authenticate.
AccessToken           - Use provided oauth access token to authenticate.

Invoke-GlobalO365MailSearch Options

UsePrtImperonsationAccount       - Uses the current user's PRT to authenticate ImperonsationAccount.
AccessTokenImpersonationAccount  - Use provided oauth access token to authenticate ImperonsationAccount.
UsePrtAdminAccount               - Uses the current user's PRT to authenticate AdminAccount.
AccessTokenAdminAccount          - Use provided oauth access token to authenticate ImperonsationAccount.

Additional MailSniper Modules

Get-GlobalAddressList will attempt to connect to an Outlook Web Access (OWA) portal and utilize the "FindPeople" method (only available in Exchange2013 and up) of gathering email addresses from the GAL. If this does not succeed the script will attempt to connect to EWS and attempt to gather the GAL.

Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Spring2021 -OutFile gal.txt

Get-MailboxFolders will connect to a Microsoft Exchange server using EWS and gather a list of folders from the current user's mailbox.

Get-MailboxFolders -Mailbox current-user@domain.com

Invoke-PasswordSprayOWA will attempt to connect to an OWA portal and perform a password spraying attack using a userlist and a single password.

Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt

Invoke-PasswordSprayEWS will attempt to connect to an EWS portal and perform a password spraying attack using a userlist and a single password.

Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt
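
Because these spraying modules try a single password against a whole user list, the defender-side signal is one source failing logons for many distinct accounts in a short time. The following is an added example, not part of MailSniper, that looks for that pattern with a sliding window. The function name Find-SpraySource, the thresholds and the event records are constructed, and it assumes logon failures have already been parsed into objects with Time, SourceIp, User and Success fields.

```powershell
# Added example: spot the "one password, many users" pattern in logon failures.
# Input events are constructed; in practice they would be parsed from the
# OWA/EWS front-end logs or from Windows logon-failure events.
function Find-SpraySource {
    param(
        [Parameter(Mandatory)][object[]]$LogonEvents,
        [int]$MinDistinctUsers = 10,          # assumed threshold, tune per site
        [timespan]$Window = '00:10:00'        # assumed window, tune per site
    )
    $failures = $LogonEvents | Where-Object { -not $_.Success }
    foreach ($src in ($failures | Group-Object SourceIp)) {
        $evts  = @($src.Group | Sort-Object Time)
        $start = 0; $best = 0
        $seen  = @{}                          # user -> failures inside the window
        for ($end = 0; $end -lt $evts.Count; $end++) {
            $user = $evts[$end].User
            $seen[$user] = 1 + [int]$seen[$user]
            # Shrink the window from the left until it spans at most $Window.
            while (($evts[$end].Time - $evts[$start].Time) -gt $Window) {
                $old = $evts[$start].User
                $seen[$old] = $seen[$old] - 1
                if ($seen[$old] -le 0) { $seen.Remove($old) }
                $start++
            }
            if ($seen.Count -gt $best) { $best = $seen.Count }
        }
        # Many distinct users from one source is a spray; many failures for a
        # single user (a forgotten password, a stale device) is not reported.
        if ($best -ge $MinDistinctUsers) {
            [pscustomobject]@{
                SourceIp      = $src.Name
                DistinctUsers = $best
                TotalFailures = $evts.Count
            }
        }
    }
}

# Constructed events: 12 accounts failing from one address within four minutes,
# and one account failing 15 times from another address.
$t0 = [datetime]'2024-03-04T09:00:00'
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); SourceIp = '203.0.113.7'
                       User = "user$_"; Success = $false } }
$sample += 1..15 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(5 * $_); SourceIp = '198.51.100.4'
                       User = 'alice'; Success = $false } }

Find-SpraySource -LogonEvents $sample
```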

Invoke-PasswordSprayGmail will first attempt to connect to a Gmail Authentication portal and perform a password spraying attack using a userlist and a single password.

Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt

Invoke-DomainHarvestOWA will attempt to connect to an OWA portal and determine a valid domain name for logging into the portal from the WWW-Authenticate header returned in a web response from the server or based off of small timing differences in login attempts.

Invoke-DomainHarvestOWA -ExchHostname mail.domain.com

Invoke-UsernameHarvestOWA will attempt to connect to an OWA portal and harvest valid usernames based off of small timing differences in login attempts.

Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt

Invoke-UsernameHarvestGmail is a module that will attempt to enumerate Google Apps user accounts and potentially identify user accounts that opt-out of implemented 2FA solutions.

Invoke-UsernameHarvestGmail -Account
Invoke-UsernameHarvestGmail -UserFile .\emails.txt
Invoke-UsernameHarvestGmail -UserFile .\emails.txt -ProxyHosts 10.0.0.5:8080,10.0.0.6:8080,10.0.0.10:443
Invoke-UsernameHarvestGmail -UserFile .\emails.txt -Detailed
Get-Content emails.txt | % { Invoke-UsernameHarvestGmail $_ }

Invoke-OpenInboxFinder will attempt to determine if the current user has access to the Inbox of each email address in a list of addresses.

Invoke-OpenInboxFinder -EmailList email-list.txt

Get-ADUsernameFromEWS will attempt to determine the Active Directory username for a single email address or a list of addresses. Use the Get-GlobalAddressList module to harvest a full list of email addresses to use with Get-ADUsernameFromEWS.

Get-ADUsernameFromEWS -EmailList email-list.txt

Send-EWSEmail will attempt to connect to EWS and send an email.

Send-EWSEmail -ExchHostname substrate.office.com -Recipient $targetEmail -Subject "Foo" -EmailBody "Bar" -AccessToken $Accesstoken