Re: [PEN-TEST] examining exchange mail

[Conor Crowley <ccrowley () CONORCROWLEY COM>]

Andrew,
Firstly, make sure the organization has a published policy that allows for
this, otherwise (under US law) *you* would be committing a felony. I've no
clue about .za.
Personally, I never get involved in such matters without a
"get-out-jail-free-card"  (hand signed authorization from an officer of the
company. If you have doubts about the person, check public records). People
take a *really* dim view of this kind of thing so make sure you/they have a
*good* (& legal/moral) reason.

If, as I assume, you're consulting, there can be circumstances where it
might be an idea to consider being hired be the organization's legal
counsel. That way, whatever you find can be protected by attorney/client
privilege. Again, .za might be different..

The Exchange Service account is the super-user in Exchange and you need to
either use this account or make a similar one with appropriate rights in
various different spots. You'll then be able to log into every mailbox as
Ryan describes. The Exchange agents of commercial virus scanners and backup
tools all must use service accounts set up like this.

You'll be able to get basic admin access to Exchange server which is needed
to make the appropriate permissions changes with the Exchange Administrator
program using the admin account that was used to install Exchange in the
first place. This is usually "Administrator"....although Domain Admins may
have subsequently been given access and generally messed around with it.

If you simply take ownership of the mailbox (from within Exchange Admin),
the user might notice ("hey, I can't get into my mail!!"), so use advanced
"exchange service account" style permissions.

If you have a lot of mailboxes to search, this can be extremely tedious, so
if you're looking for particular strings, as opposed to casually browsing
(you snoop!! ;) you would be well advised to install a full text indexing
program (which would also need to run under this ExService account) such as
the one from Fulcrum. If you're looking for a larger-scale/longer-term
solution, let me know.

Check Q168753, Q182900 or any decent Exchange admin book for more detailed
info on service accounts.

Lots of this will show up in log files, but assuming you have permission,
that shouldn't be an issue.

..Conor

----- Original Message -----
From: "Ryan Russell" <ryan () SECURITYFOCUS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, December 06, 2000 10:11 AM
Subject: Re: [PEN-TEST] examining exchange mail


> On Wed, 6 Dec 2000, Andrew Thomas wrote:
>
> > I have domain admin on a network, and I want to know how I would go
about
> > viewing mail *stored* on the Exchange Server, if this is possible.
>
> Run Outlook, and Go to File->Open->Other User's Folders.  It's possible
> that you might need the password & account that Exchange runs under, which
> you should be able to get and crack if you've got Admin.
>
> I've only been able to get to people's Inbox this way, but I'm probably
> just doing something stupid that prevents me from getting to their other
> folders.
>
> The actual mail is all stored in one monolithic file on the Exchange
> server, in some sort of DB format.
>
> Ryan