ExchangeRelayX – OWA for hackers

This instrument provides the attacker having an OWA looking interface, using the user’s contacts and mailbox.


  • Raw XML accessibility to the EWS host, so you can send requests to features and functions that Weren’t pre-programmed in exchangeRelayx
  • Insert redirecting rules into the sufferer’s email for backdooring
  • Download all attachments of this consumer, inbox and delivered
  • Hunt the international address book connected to Active Directory
  • Send emails, with attachments, since the sufferer — the mails Won’t be saved in the user’s sent folder

Program Structure

The program breaks apart to the OWA server, the relay servers, and also the HTTPAttack customer (exchange plugin) which is created for every new relayed connection.


The OWA server is a flask established web server that listens on by default. This web server works static HTML documents of index.html, OWA.html, and ComposeEmail.html — and everything else is packed with JSON asks (from EWS.js) into the OWA server endpoints. When a petition is made to the owaServer, the OWA server will create the suitable EWS telephone and enter it into the shared-memory dictionary that’s utilized by the OWA server along with the exchange plugin. When the exchange plugin receives the petition, it is going to ship it off to Exchange then load the answer in precisely the exact same shared-memory dictionary. Finally, once the owaServer receives the answer from the diet, it parses the information and returns the results. You’ll observe that the file-download performance isn’t that of a typical site, and that is because of the asynchronous nature of the program.

relay servers

The relay servers are regular impact HTTP and SMB established NTLM relay servers, and They’ll create a new exchange plugin case for every newly uninstalled link

exchange plugin

The exchange plugin is also summary, the true HTTPClient manufacturing and receiving the requests in the EWS server. Each of exchange plugins is passed on exactly the exact same shared-memory dictionary on initialization, and they use this dictionary for interprocess communication. This permits the requests in the owaServer to be passed to the proper user’s relayed link — that provides additional flexibility for multi-victim managing.

You May Also Like

About the Author: Steve West