What are the main methods to extract the Exchange GlobalAddressList during penetration testing, and which one requires only an NTLM hash instead of plaintext credentials?
The main methods include Outlook Web Access (OWA), Exchange Web Service (EWS) using FindPeople or ResolveName operations, Outlook client protocols such as MAPI over HTTP or RPC over HTTP, the Offline Address Book (OAB), and LDAP queries against the domain controller. The EWS method also supports using an NTLM hash (via Pass the Hash with Exchange Web Service) in tools like the ewsM Python script, whereas most other methods require plaintext passwords.