Didier Stevens

Friday 12 March 2021

Quickpost: “ProxyLogon PoC” Capture File

Filed under: Forensics,Networking,Quickpost,Vulnerabilities — Didier Stevens @ 18:43

I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM. It required some tweaks to the code, and also a change in Exchange permissions, as explained in this tweet by @irsdl.

I created a capture file:

More details will follow.

Update: I added a second capture file (proxylogon-poc-capture-with-keys-and-webshell.pcapng), this one includes a request to the webshell that was installed.

proxylogon-poc-capture-with-keys_V2.zip (https)
MD5: A005AC9CCE0F833C99B5113E79005C7D
SHA256: AA092E099141F8A09F62C3529D8B27624CD11FF348738F78CA9A1E657F999755

Quickpost info


  1. hello, there is no ssl keys on the zip file.

    Comment by Anonymous — Friday 12 March 2021 @ 20:10

  2. That is correct, the TLS keys are embedded in the PCAPNG file. Open it with a recent version of Wireshark, and it will decrypt the TLS traffic.

    More info: blog.didierstevens.com/2021/01/11/decrypting-tls-streams-with-wireshark-part-3/

    Comment by Didier Stevens — Friday 12 March 2021 @ 20:13

  3. Oh right! The file can be viewed on recent wireshark version. Thanks

    Comment by Anonymous — Friday 12 March 2021 @ 20:27

  4. […] Quickpost: “ProxyLogon PoC” Capture File […]

    Pingback by Week 11 – 2021 – This Week In 4n6 — Sunday 14 March 2021 @ 0:44

  5. Which log file does the POST request to the webshell appear in?

    Comment by JM — Monday 15 March 2021 @ 13:21

  6. On a default install:
    C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa

    Comment by Didier Stevens — Monday 15 March 2021 @ 13:33

  7. Awesome, thanks for sharing!! Would love to see more!

    Comment by P — Saturday 20 March 2021 @ 9:09

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.