Reading Outlook using Metasploitwesley
In penetration tests, it sometimes can be hard to escalate privileges on a (Windows) target system. In this situation it can be useful to gain access to resources with sensitive information, such as passwords.
Metasploit does not have any module to read email messages from a local Outlook installation. Outlook can however contain a lot of sensitive and useful information in a penetration test, such as networkcredentials. I decided to create a Metasploit module which can read and/or search the local Outlook email messages.
In order to do this, the module is using powershell. The following powershell script is used by the Metasploit module:
The function ‘List-Folder’ displays all the available mailboxes and associated folders in a local Outlook installation. The function ‘Get-Emails’ is used to display messages in a specified folder, these messages can also be filtered by a keyword (for example ‘password’).
A problem which i stumbled on was a security popup when connecting to Outlook using powershell. The popup looks like this:
It was quite a challenge to bypass this message, because it has to be clicked by the user manually. In the module i used WinAPI in order to accomplish the bypass. Please note, that a user behind the target system, can notice these activities. So keep in mind that they might be able to detect your activities when using this module. The following function is checking the “allow access for” box and clicking the “allow” button.
The module can be installed by updating Metasploit. The module has two ‘ACTIONS’:
- LIST: Display the available mailboxes and folders in a local Outlook installation
- SEARCH: Display messages in a specified FOLDER, can be filtered by a KEYWORD
The LIST action requires only the options ‘SESSION’ to be set.
In order to use the SEARCH action, the module has several options which can be set. The following options are present in the module:
ACF_TRANSLATION: Fill in the translation of the phrase "Allow access for" in the targets system language, to click on the security popup.
A_TRANSLATION: Fill in the translation of the word "Allow" in the targets system language, to click on the security popup.
FOLDER:The e-mailfolder to read (e.g. Inbox)
KEYWORD: The keyword to search in the emails
LIST_FOLDERS: List folders available in the mailbox
SESSION: Session to run the MSF module on
The options FOLDER (folder to search, e.g. “Inbox”) and KEYWORD (filter on a keyword like “password”) are pretty straightforward.
The options A_TRANSLATION and ACF_TRANSLATION are required to click on Outlooks security notification, when the language is not supported by the module (en-US, NL and DE are supported). Fill in the translation present on the target system of “Allow” into the option “A_TRANSLATION” and “Allow access for” in “ACF_TRANSLATION”.
The following output is a example snippet of output which is generated by the Metasploit module when using the ‘LIST’ action:
The following output is a example snippet of output which is generated by the Metasploit module when using the ‘SEARCH’ action, on the folder ‘Inbox’ with a keyword ‘password’:
I’ve submitted the module to the official master github of Metasploit. The module has been merged, and the code can be found at: