After watching «The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us)» (http://www.irongeek.com/i.php?page=videos/derbycon6/416-the-advanced-persistent-pentester-all-your-networks-are-belong-2-us-beau-bullock-derek-banks-joff-thyer) and especially the release of MailSniper, I was inspired to write about another method that I use to get access to all data within mailboxes and SharePoint sites during pentests. This feature is often overlooked by pentesters, and it is really powerful. Great session BTW. Loved it.
The procedure differs slightly depending on whether the customer is on-prem only or in the Office 365 cloud.
If the customer is in the cloud you will have to get access to a Global Admin first. Once that is done you can log on to portal.office.com and go into the Compliance portal (most of this can also be automated with PowerShell):
Then you go further into the Content Search:
From here you hit the + icon and start to customize your search:
You can choose a specific mailbox or all mailboxes in the tenant. If you choose Search Everywhere you can also search content inside SharePoint.
After you have chosen your scope you can continue in the wizard by clicking Next.
Now you need to define what you want to search for:
Solid search terms here are VPN, password, KeePass, budget, helpdesk...
After you have defined your search, click the Search button.
The search will now start and you can watch the progress on the right side of the screen:
When the search is done you can either preview the results or export them to your local computer.
If the customer is on-premises you can use remote PowerShell against the Exchange server and run New-MailboxSearch: https://technet.microsoft.com/en-us/library/dd353189(v=exchg.160).aspx
You can also do it in the Exchange admin portal:
Hope you liked this post and that it gave you an idea of what to test on your next pentest assignment. For the IT pros: protect the Compliance / eDiscovery features of your environment. They really have the power to view everything.
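For the IT pros, here is an added example (not part of the original post) of the two checks that follow from the point above: who in the tenant holds Content Search / eDiscovery rights, and which searches, previews and exports have actually been run. It assumes the ExchangeOnlineManagement module and an account that may read the unified audit log; the role group names, the `Discovery` record type and the `ObjectId`/`Query` fields in the audit payload are assumptions to verify in your own tenant.

```powershell
# Added example: defender-side review of Content Search / eDiscovery usage.
# Assumes ExchangeOnlineManagement is installed and the signed-in account can
# read role groups and the unified audit log in Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Who can create, run and export Content Searches?
#    Role group names are assumptions; adjust to the groups your tenant uses.
$groups = @("eDiscovery Manager", "Compliance Administrator")
foreach ($g in $groups) {
    Write-Host "Members of role group '$g':"
    Get-RoleGroupMember -Identity $g |
        Select-Object Name, PrimarySmtpAddress, RecipientType
}

# 2. What eDiscovery / Content Search activity happened in the last 30 days?
#    Assumption: RecordType 'Discovery' covers Content Search and case operations.
$end     = Get-Date
$start   = $end.AddDays(-30)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType Discovery -ResultSize 5000

# Flatten the JSON AuditData so each row shows who did what, and when.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Search    = $d.ObjectId   # assumption: search or case name
        Query     = $d.Query      # assumption: present on search-creation records
    }
}

# Summary per user and operation. A search, preview or export by an account that
# is not on the eDiscovery team is the event worth alerting on.
$events | Group-Object User, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name

# Detail for the operations that actually expose mailbox content.
$events | Where-Object { $_.Operation -match 'Export|Preview' } |
    Sort-Object Time | Format-Table Time, User, Operation, Search -AutoSize
```

Compare the role group output with the list of people who are supposed to do eDiscovery, and remove anyone else; a newly added Global Admin running a Content Search is exactly the activity the post describes.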