I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM. It required some tweaks to the code, and also a change in Exchange permissions, as explained in this tweet by @irsdl.
I created a capture file:
More details will follow.
Update: I added a second capture file (proxylogon-poc-capture-with-keys-and-webshell.pcapng), this one includes a request to the webshell that was installed.
proxylogon-poc-capture-with-keys_V2.zip (https)
MD5: A005AC9CCE0F833C99B5113E79005C7D
SHA256: AA092E099141F8A09F62C3529D8B27624CD11FF348738F78CA9A1E657F999755
Hello, there are no SSL keys in the zip file.
Comment by Anonymous — Friday 12 March 2021 @ 20:10
That is correct, the TLS keys are embedded in the PCAPNG file. Open it with a recent version of Wireshark, and it will decrypt the TLS traffic.
More info: blog.didierstevens.com/2021/01/11/decrypting-tls-streams-with-wireshark-part-3/
Comment by Didier Stevens — Friday 12 March 2021 @ 20:13
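To see for yourself that the secrets travel inside the capture rather than in a separate key log, here is an added example (not code from the post or from Wireshark) that walks the pcapng block structure and pulls out every Decryption Secrets Block. It follows the pcapng specification: a Section Header Block (type 0x0A0D0D0A, whose byte-order magic 0x1A2B3C4D sets the endianness of the section) is followed by blocks framed as type, total length, body, total length; a Decryption Secrets Block has type 0x0000000A and carries a secrets type, a secrets length and the secrets data, where type 0x544C534B ("TLSK") is the SSLKEYLOGFILE text Wireshark reads. The sample capture produced by build_sample_pcapng() is constructed here, and the key-log line used with it is a placeholder, not a key from the post's file.

```python
"""Detect and extract TLS secrets embedded in a pcapng Decryption Secrets Block.

Added example (not the post's code). Constants follow the pcapng specification;
build_sample_pcapng() fabricates a minimal capture for offline testing.
"""
import struct
import sys

SHB_TYPE = 0x0A0D0D0A            # Section Header Block
DSB_TYPE = 0x0000000A            # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SECRETS_TLS_KEYLOG = 0x544C534B  # "TLSK": SSLKEYLOGFILE format


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a 32-bit boundary."""
    return (4 - n % 4) % 4


def _block(block_type: int, body: bytes, endian: str = "<") -> bytes:
    """Generic pcapng block framing: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_shb(endian: str = "<") -> bytes:
    """Section Header Block: byte-order magic, version 1.0, section length -1 (unknown)."""
    return _block(SHB_TYPE, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)


def build_dsb(keylog: bytes, endian: str = "<") -> bytes:
    """Decryption Secrets Block holding one SSLKEYLOGFILE payload, padded to 32 bits."""
    body = struct.pack(endian + "II", SECRETS_TLS_KEYLOG, len(keylog)) + keylog + b"\x00" * _pad4(len(keylog))
    return _block(DSB_TYPE, body, endian)


def build_sample_pcapng(keylog: bytes = None, endian: str = "<") -> bytes:
    """Constructed test capture: one SHB, optionally followed by one TLS DSB."""
    data = build_shb(endian)
    if keylog is not None:
        data += build_dsb(keylog, endian)
    return data


def extract_tls_secrets(data: bytes) -> list:
    """Return the TLS key-log payload of every DSB in the file, one bytes object per block."""
    secrets = []
    endian = "<"
    off = 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: (re)learn the section's byte order
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {off}")
        block_type, total_len = struct.unpack_from(endian + "II", data, off)
        # Blocks are 32-bit aligned and at least 12 bytes; never walk past the end of the file
        if total_len < 12 or total_len % 4 or off + total_len > len(data):
            raise ValueError(f"bad block length {total_len} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total_len - 4)[0] != total_len:
            raise ValueError(f"length trailer mismatch at offset {off}")
        if block_type == DSB_TYPE:
            secrets_type, secrets_len = struct.unpack_from(endian + "II", data, off + 8)
            start = off + 16
            if start + secrets_len > off + total_len - 4:
                raise ValueError(f"secrets length {secrets_len} exceeds block at offset {off}")
            if secrets_type == SECRETS_TLS_KEYLOG:
                secrets.append(data[start:start + secrets_len])
        off += total_len
    return secrets


def has_tls_secrets(data: bytes) -> bool:
    """True when at least one TLS key-log DSB is present."""
    return bool(extract_tls_secrets(data))


if __name__ == "__main__":
    # Usage: python check_dsb.py capture.pcapng
    with open(sys.argv[1], "rb") as f:
        found = extract_tls_secrets(f.read())
    print(f"{len(found)} TLS key-log block(s) embedded" if found else "no embedded TLS secrets")
```

Run it against the capture from the zip and it should report an embedded TLS key-log block; a pcapng saved by a Wireshark too old to know the DSB type would lose that block on re-save, which is why the version matters.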
Oh right! The file can be viewed with a recent Wireshark version. Thanks.
Comment by Anonymous — Friday 12 March 2021 @ 20:27
[…] Quickpost: “ProxyLogon PoC” Capture File […]
Pingback by Week 11 – 2021 – This Week In 4n6 — Sunday 14 March 2021 @ 0:44
Which log file does the POST request to the webshell appear in?
Comment by JM — Monday 15 March 2021 @ 13:21
On a default install:
C:\inetpub\logs\LogFiles\W3SVC1
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa
Comment by Didier Stevens — Monday 15 March 2021 @ 13:33
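As an added example (not code from the post), here is a parser for the first of those locations, the IIS W3C extended log in W3SVC1: a set of "#" directive lines, one of which ("#Fields:") names the space-separated columns, "-" standing for an empty value, timestamps in UTC by default. It lists POST requests and can restrict them to a target suffix; using ".aspx" for that suffix is an assumption of the example, not something the post states about the webshell. SAMPLE_LOG is constructed here, and its IPs, timestamps and the placeholder .aspx path are not values from the post's capture. The HttpProxy\Owa logs in the second location use a different, comma-separated layout and are not handled by this parser.

```python
"""List POST requests in an IIS W3C extended log (e.g. C:\\inetpub\\logs\\LogFiles\\W3SVC1).

Added example (not the post's code). SAMPLE_LOG is constructed: placeholder
IPs, times and paths, in the default IIS field order.
"""
import sys

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-12 19:55:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-12 19:55:01 192.0.2.10 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 93
2021-03-12 19:55:08 192.0.2.10 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 https://mail.example/owa/auth/logon.aspx 302 0 0 241
2021-03-12 19:56:30 192.0.2.10 POST /aspnet_client/placeholder.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 1870
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields = None
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS may repeat the header (e.g. after a restart); the latest one applies
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        entries.append({name: (None if v == "-" else v) for name, v in zip(fields, values)})
    return entries


def find_posts(entries: list, suffix: str = None) -> list:
    """POST requests, optionally only those whose cs-uri-stem ends with suffix (case-insensitive)."""
    hits = []
    for entry in entries:
        if entry.get("cs-method") != "POST":
            continue
        stem = entry.get("cs-uri-stem") or ""
        if suffix is not None and not stem.lower().endswith(suffix.lower()):
            continue
        hits.append(entry)
    return hits


def summarize(entry: dict) -> str:
    """One-line view: UTC timestamp, client IP, method, path, status."""
    return f"{entry['date']} {entry['time']} {entry['c-ip']} {entry['cs-method']} {entry['cs-uri-stem']} {entry['sc-status']}"


if __name__ == "__main__":
    # Usage: python iis_posts.py u_ex210312.log [more logs...]   (no args: parse SAMPLE_LOG)
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_LOG]
    for text in texts:
        for hit in find_posts(parse_w3c(text), ".aspx"):
            print(summarize(hit))
```

The sc-status and time-taken columns are worth keeping in view: a 200 to a freshly created .aspx file that no legitimate client ever requested is the line to pivot from into the HttpProxy logs.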
Awesome, thanks for sharing!! Would love to see more!
Comment by P — Saturday 20 March 2021 @ 9:09