Meet MailSniper, a new pen tester tool that may be of interest to you if you need to find sensitive data such as passwords, credit card numbers and healthcare data, or need to access databases, or even to discover insider and network architecture information.
MailSniper is a penetration testing tool, written in PowerShell, to allow for mass searching through email across every mailbox of an organization’s Microsoft Exchange environment.
Beau Bullock, from the penetration testing firm Black Hills Information Security, cited a 2016 Mandiant M-Trends Report (pdf) which claimed organizations are compromised an average of 146 days before detecting a breach. A window that long gives attackers plenty of time to locate, compromise and exfiltrate sensitive data; pen testers, however, may have a window of only five days or less to do the same thing in order to prove risk to an organization.
While Microsoft Exchange does have tools for searching email, Bullock set out to create a tool that could search every mailbox in a domain for specific terms. “I wanted this to be a tool that could operate completely remote from any host on the network to the Exchange server, meaning an interactive session (RDP, VNC, etc.) was not required,” he wrote. His research, however, led to a second function: searching the current user’s own email.
Invoke-GlobalMailSearch and Invoke-SelfSearch are the two main functions in MailSniper.
Search a single mailbox
Regarding Invoke-SelfSearch, Bullock said, “The ability to search your own email in a pentesting situation may seem at first like something that wouldn’t be all that useful. But when you start to consider how often we as pentesters gain access to other users’ credentials during engagements, and combine that then with the ability to search their email from a PowerShell script, it becomes much more powerful. It becomes a brand new privilege escalation vector.”
Search every mailbox on an Exchange server
Invoke-GlobalMailSearch searches through all mailboxes on an Exchange server. Bullock steps readers through how to obtain “full access” rights, since holding a Domain Admin account doesn’t necessarily grant those rights. Options within the global mail search function include impersonation, the Exchange administrator’s username and password, and the terms to search for in the email subject and body. “By default, the script looks for ‘*password*’, ‘*creds*’, ‘*credentials*’,” he explained.
Bullock had plenty of other search suggestions which could be used to discover sensitive information, insider intel and network architecture information. He explained:
Having the power to search through email is huge when hunting for sensitive data. For example, a simple search for the term “*password*” in the body and subject of every email might return instructions on how to access certain systems along with what credentials to use. At an energy company a search for “*scada*” or “*industrial control system*” might return a conversation detailing the location of sensitive ICS devices. At a financial institution a search for “*credit card*” might reveal where employees have been sending credit card numbers in cleartext over email. At a healthcare organization searching for “*SSN*” or “*Social Security number*” could return potential healthcare data.
He gave a real world example of searching for “*database*” in emails and finding one in which the system administrator told his team where to locate the migrated internal KeePass database. The key file was in the same directory, so Bullock ended up with “pretty much every credential you would ever want at an organization.”
The video below shows a MailSniper demonstration.
MailSniper may prove useful to pen testers needing to quickly find sensitive data on a network as well as escalate privileges. People other than pen testers may be inclined to try it out too, since it can search a single user’s mailbox (a non-admin checking her own email, for instance), and an Exchange admin might use it to search the mailboxes of every user in a domain. Bullock suggested that a blue team might use it to discover whether employees are ignoring company policy and sending sensitive information in emails.
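The blue-team use Bullock describes, and the search terms listed earlier (the default ‘*password*’, ‘*creds*’, ‘*credentials*’ keywords plus credit card numbers and SSNs), can be illustrated as a small content scan over mailbox data. The example below is added here and is not MailSniper’s code; it runs over a handful of constructed sample messages rather than a live Exchange mailbox, and it adds two things the article’s keyword approach does not: a Luhn checksum so that random 16-digit numbers (order IDs, tracking numbers) are not reported as card numbers, and masking of any matched value so the findings report itself does not become a second copy of the sensitive data. The message format, the `scan_mailbox` function and the pattern choices are assumptions for this illustration.

```python
import re

# Constructed sample messages standing in for mailbox content (not real data).
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "VPN access for new hires",
     "body": "Use the shared account vpnsvc, password is Spring2016! until you rotate it."},
    {"id": "msg-002", "subject": "Re: invoice",
     "body": "Customer paid with card 4111 1111 1111 1111, exp 09/19. Please file the receipt."},
    {"id": "msg-003", "subject": "Order confirmation",
     "body": "Your order number is 1234567812345678. Thanks for shopping with us."},
    {"id": "msg-004", "subject": "Patient intake",
     "body": "SSN on file: 123-45-6789. Please verify before the appointment."},
    {"id": "msg-005", "subject": "Lunch",
     "body": "Anyone up for tacos at noon?"},
]

# Keyword terms quoted in the article as the tool's defaults; matched as substrings,
# case-insensitively, which is what a '*password*' style wildcard search amounts to.
DEFAULT_TERMS = ("password", "creds", "credentials")

# 13-19 digits with optional space or dash separators (candidate card numbers),
# and the conventional NNN-NN-NNNN SSN shape. Both are assumptions for this example.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report does not reproduce the secret."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def scan_message(msg: dict) -> list:
    """Return a list of (finding_type, detail) tuples for one message."""
    findings = []
    text = f"{msg['subject']}\n{msg['body']}"
    lowered = text.lower()
    for term in DEFAULT_TERMS:
        if term in lowered:
            findings.append(("keyword", term))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):   # drop digit runs that are not plausible card numbers
            findings.append(("card_number", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


def scan_mailbox(messages: list) -> dict:
    """Map message id -> findings, including only messages that produced a finding."""
    report = {}
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            report[msg["id"]] = findings
    return report


if __name__ == "__main__":
    for msg_id, findings in scan_mailbox(SAMPLE_MESSAGES).items():
        for kind, detail in findings:
            print(f"{msg_id}: {kind} -> {detail}")
```

Run against the constructed messages, the scan flags the password instruction, the Luhn-valid card number and the SSN, and stays silent on the order number that merely looks like a card number. Against a real mailbox export the same logic would run over whatever message store the blue team already has access to under its own policy; the point of the masked findings is that a policy check should tell you *where* sensitive data is being emailed without copying the data into yet another place.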
The tool is “very much in beta,” but you’re not afraid of beta…alpha maybe, but surely beta is worth a go? You can grab MailSniper on GitHub.