Using latest release (d/l today 7/11/2019) running under Powershell 5.1 on Win10, both elevated and non-elevated; on import-module I'm seeing multiple errors such as "'<' operator reserved for future use" and "ampersand (&) character not allowed", unexpected tokens, and missing file specs after redirection. I'm sure it's something basic with powershell, perhaps it needs 32-bit vs 64-bit? Need an older version? Something to modify in source file? Suggestions would be appreciated!

Thanks!
Steve

There is a typo in the function Invoke-GlobalO365MailSearch parameter:
Imperonsation should be impersonation

Change:
UsePrtImperonsationAccount -> UsePrtImpersonationAccount

Is this working with Exchange Online?

here is the command i typed :
" Invoke-DomainHarvestOWA -ExchHostname "mail.****.com" -DomainList .\domainlist.txt -OutFile potential-domains.txt -Brute"
i have tried without " -Brute " also the same error message

here is the error i got :
" Invoke-WebRequest : The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.
At C:\Users\fm2\Desktop\MailSniper-master\MailSniper.ps1:2166 char:21

• ... $owalogin = Invoke-WebRequest -Uri $OWAURL -Method POST -Body $POSTpa ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
  • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand"

Add -Output flag to support a file output location. Store all results in CSV.

Having the ability to export findings to pst could be useful.

After specifying -Threads 15, when the script runs it sometimes shows different results: 45 threads.

when i do this command : ( Invoke-PasswordSprayOWA -ExchHostname mail.**.com -Domain *** -UserList .\user
s.txt -Password ** )

return :

[] Now spraying the OWA portal at https://mail.****.com/owa/
[] Current date and time: 10/24/2017 23:36:44
You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

what should i do to resolve this issue.

Hey Beau,

Finally got a chance to use MailSniper on an engagement this week, and tried out the Invoke-DomainHarvest module with a list of about 8 domain names I thought would be possibly valid for the customer's environment. The module returned no valid domains, but later the customer confirmed that the valid domain was indeed one in my "guess" list. Are you aware of any tuning/protections/patches/etc. that could be in place from preventing MailSniper from identifying the valid domain through timing?

Also, I went one step further and tried the Invoke-UsernameHarvestOWA with a valid user (as well as a bunch of invalid users in the same file) and it was not identified as valid.

Thanks!
Brian / @7MinSec

I couldn't find proxy support. I don't always have a Windows machine that I can put in the right position for running powershell, it would be nice if I could proxy my web requests through a machine in the right location.

Domain can be get from HTTP header which is encoded by base64,Invoke-GlobalMailSearch can not be used by exchange2007_sp2

I could not find support for a rate limiter in MailSniper. I have had issues with taking down client infrastructure with too many requests at once. It would be nice if there was a way to slow down some of the commands such as Invoke-DomainHarvestOWA.

I am getting following error when running Invoke-PasswordSprayEWS
Invoke-PasswordSprayEWS -ExchHostname outlook.office365.com -UserList .\userlist.txt -Password P@ssw0rd -Threads 15 -OutFile ews-sprayed1.txt

Exception calling ".ctor" with "2" argument(s): "Cannot process argument because the value of argument "userName" is
not valid. Change the value of the "userName" argument and run the operation again."
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
+ PSComputerName : localhost

You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost

PS C:\demo> $psversiontable

Name Value

PSVersion 5.1.17763.134
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.134
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

in userlist.txt I have two usernames:
[email protected]
[email protected]

Hello,

I have already impersonation account on Exchange. So, Can I set impersonate account credentials on the parameters? I can't find any parameter for this operation.

The script is very noisy to the terminal in current form. Some suppression on the verbosity of the command outputs needs to be added in.

Is this limited to only wildcard search or can it do regex searches?

Invoke-GlobalMailSearch iterates through each mailbox and attempts to append the results of the search to a CSV file with "Export-Csv -Append $OutputCsv". This fails on systems running PowerShell version 2 due to a lack of the "-Append" flag. An alternate solution to append the results to a CSV needs to be added in.

In order to communicate with Exchange Web Services a specific DLL is required. To assist with portability of the script we've base64 encoded it into the script. When the script is run it decodes the DLL to a new file in $env:temp. Using Add-Type the DLL is imported into the the app domain. The issue is that once the script completes running it is unable to delete the DLL from disk due to an open file handle on it by the PowerShell process. Relevant code below:

$Base64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA... <snip> ...iqWxqvMgAAAAA="
#Decoding DLL
$Content = [System.Convert]::FromBase64String($Base64)
Set-Content -Path $env:temp\ews.dll -Value $Content -Encoding Byte
Add-Type -Path $env:temp\ews.dll

<snip> rest of script <snip>

#Attempt at removing EWS DLL
Remove-Item $env:temp\ews.dll -Force```

The OutputCsv functionality of Invoke-GlobalMailSearch is not appending to the CSV correctly for all emails. Some are being appended correctly where there is a column for each header (Sender, ReceivedBy, Subject, Body) but some rows are not populating the columns correctly.

Invoke-GlobalMailSearch -ImpersonationAccount "[email protected]" -ExchHostname "outlook.office365.com" -AdminUserName "[email protected]" -AdminPassword "password" -Terms * -MailsPerUser 500 -OutputCsv searchedmatches.csv

^^^ Here is the code that I am running ^^^

Specifically, my issue is that Invoke-GlobalMailSearch is searching/exporting every single email twice. When I run (Get-Mailbox).count it returns 37, aka 37 users. However when I run the above code it will give a display of [1/76] mailboxes, [2/76], [3/76]... [76/76].

Basically how, if I only have 37 users, does MailSniper search 76 total mailboxes? And how can I solve this?

Huge thanks for any responses!

Hi,

I just had recently to check thousands of emails from a breach with each a different password.

would it be possible to tweak the Invoke-PasswordSprayOWA to grab a file like :

user@domain:password

Thanks

👍

Currently, both Invoke-SelfSearch and Invoke-GlobalMailSearch only search the 'Inbox' of each user. Many users might store messages in different folders. It is possible to search these other folders, or even recurse through all folders starting at the $rootfolder.

I have installed Microsoft Exchange Web Services Managed API 2.1. The exception always occured when run " Invoke-SelfSearch -Remote -Mailbox [email protected] -Folder all -Terms "password","party" -CheckAttachments". Are there anything I overlooked?

Add the ability to search specific date ranges.

Hey, I am getting the below error when using the Invoke-InjectGEventAPI. I have refreshed my access token and supplied a new one. I was able to get the function to work earlier. I'm sure it's probably Google rate limiting me possibly. Just wondering if anyone else may have ran into this issue.

At C:\Users\n0auth\Documents\WindowsPowerShell\Modules\MailSniper\MailSniper.psm1:3367 char:34
+ ... Injection = Invoke-RestMethod -Uri "https://www.googleapis.com/calend ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand```

Doing a selfsearch on O365 works like this

Invoke-SelfSearch -Remote -ExchHostname outlook.office365.com

And according to this issue #42 using GlobalMailSearch does not work. The work around is to use O365 eDiscovery feature called Content search, sadly that search is only keyword based.

Is it even possible to do a GlobalMailSearch using regex against O365?

Right now Invoke-GlobalMailSearch pops up a login prompt for domain administrator credentials. This is not going to work for command line only access (i.e. a remote shell).

Add -DAUserName and -DAPassword flag to pass D.A username/pass so no prompting is necessary.

It seems the code always loads 1.000 items.

Hi,

I tried following command.

Invoke-SelfSearch -Remote -ExchHostname outlook.office365.com -Regex '.*3[47][0-9]{13}.*|.*(?:5[15][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][09]{2}|27[01][0-9]|2720)[0-9]{12}.*|.*4[0-9]{12}(?:[09]{3}).*' -CheckAttachments -MailsPerUser 1000

But it Returns nothing. Any idea? There are a lot of mails with credit Cards in my Mailbox.

It seems that it does not working. In my PowerShell It tries to connect and then Exit

[] Trying Exchange version Exchange2010
[] Using EWS URL https://outlook.office365.com/EWS/Exchange.asmx

i need to testing the Invoke-PasswordSprayEWS
but using list of password and single username

command will connect to the Exchange Web Services server at https://mail.domain.com/EWS/Exchange.asmx and attempt to password spray a list of password with a single username

i cannot make the changes in this code so, please help me

Having some trouble with the module. looks like there is something missing in the code several places?

It would be nice if there was an option to ignore SSL errors:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

I tried it and didn't seem to work:

Create a separate function that includes the Base64 encoded EWS DLL that can be called by other functions so that it only appears once in the script.

Get-Help -Examples needs a few more examples for various use cases.

Hi,

I came accross your tool a few days ago and it looks great. I'm having some trouble getting it to work though.
I'm currently testing with my AD user account, to ensure that it exists and works.
When I import the module and run the Invoke-SelfSearch command, I get this output:

PS C:\Users*\Desktop\powershell\MailSniper> Invoke-SelfSearch -Mailbox [email protected]
[] Trying Exchange version Exchange2010
[] Autodiscovering email server for [email protected]
PS C:\Users*\Desktop\powershell\MailSniper>

I tried setting the Exchange server explicitly, tried all the versions, etc. I don't get any additionnal output to point me in the right direction.

Do you have any ideas? Thanks!

Add "-resultsize unlimited" to the get-mailbox command, by default Get-mailbox only returns the first 1000 mailboxes in Exchange.

The blogpost here: http://www.blackhillsinfosec.com/?p=5296, says that the default Exchange version is Exchange2013. While in fact, the code seems to use Exchange2010.

I am getting the error as below . When i am using the command as "($Credential =new-object -typename System.Management.Automation.PSCredential -argumentlist @($username,$pwd) "

Error:"new-object : Cannot find an overload for "PSCredential" and the argument count: "2".
At line:10 char:14

• ... Credential =new-object -typename System.Management.Automation.PSCrede ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
  • FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand"

When attempting to retrieve the GAL from a server with both OWA and EWS enabled it fails with

Get-GlobalAddressList : Exception calling "ResolveName" with "1" argument(s): "The request failed. The remote server returned an error: (403) Forbidden."
At line:1 char:1

• Get-GlobalAddressList -ExchHostname webmail.redacted.com -UserName DOMAIN ...

•   + CategoryInfo          : NotSpecified: (:) [Get-GlobalAddressList], MethodInvocationException
    + FullyQualifiedErrorId : ServiceRequestException,Get-GlobalAddressList
  
  

The FindPeople method fails, and it tries the EWS method which fails as above.

If I run Invoke-SelfSearch -Mailbox myusername@domain, I start to get results, and then the powershell window closes.

The correct Microsoft Exchange version must be specified when connecting to Exchange Web Services. Currently the script is hardcoded just for Exchange 2013.

Relevant code:

$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)

When running Get-GlobalAddressList I would receive the error Could not create SSL/TLS secure channel.
I came across this post when searching for a solution.
A response suggested adding [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 before Invoke-WebRequest, which worked for me.
I'm not too familiar with powershell so I added that line before all Invoke-WebRequest calls but there is probably a better way to do this. Maybe a command line option could be added to change the TLS version used for connections.

Hi, i was testing the feature of owa bypass. And when i targeted i got the prompt for username and password, however with correct user name pass also its asked again and again. And also if i try to run the invoke self search command its not working. The domain used in the environment looks like below. Please help me on this.
The actual owa site is like: outlook.office.com/owa/?realm=xxx.com
On browser:
https://outlook.office365.com/EWS/Exchange.asmx/relam=xxx.com ---> This asked for username and password again and again.

I used the below command on mailsniper module:
i tested couple of options with no results.
PS C:> Invoke-SelfSearch -Mailbox [email protected] -ExchHostname outloo
k.office365.com Remote

PS C:> Invoke-SelfSearch -Mailbox [email protected] -ExchHostname https:
//outlook.office365.com/EWS/Exchange.asmx/relam=xxx.com Remote

Error:
Exception calling "Bind" with "2" argument(s): "The request failed. The remote
server returned an error: (404) Not Found."
At C:\MailSniper.ps1:778 char:73

•     $rootFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind <<<<
  

($service,$FolderId)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Let me know.

The problem is google changed api to V2 and not enough of a power shell wizz kid to troubleshoot myself. 400 errors across the board and entire user list is false positive

Hi there,

is it possible to search for open inboxes/calenders with MailSniper? Like some user grants access to "everybody" on their inbox via permissions. Would be nice for larger organizations to get an idea of how many of their users misconfigure their inbox settings.

I guess it would be a two step attack:

• get all users from domain/exchange
• check every user for access to his/her inbox

Best Regards
G

Having the ability to search the content within attachments (docx, pdf, xls, txt, etc.) would be very useful.

Currently, Invoke-GlobalMailSearch uses the EMS cmdlet Get-Mailbox to get a list of all email addresses in a domain. It would be useful to pass in a custom list of email addresses to search instead of an entire domains worth.

When ever I use Invoke-SelfSearch -Mailbox [email protected] -ExchHostname outlook.office365.com -Remote it shows this error
the email and password I have are correct.

Can you please help?

Haven't seen this one before - any ideas?