# Microsoft Exchange Client Access Server Information Disclosure

### EOL Check

{% embed url="<https://endoflife.date/msexchange>" %}

***

Connect to the open HTTPS port of your exchange server using OpenSSL and the command below.

```
openssl s_client -host hostname.domain.com -port 443 
```

<figure><img src="https://securitytutorials.co.uk/ezoimgfmt/i0.wp.com/securitytutorials.co.uk/wp-content/uploads/2019/11/openssl.png?resize=591%2C435&#x26;ssl=1&#x26;ezimgfmt=rs:591x435/rscb1/ng:webp/ngcb1" alt="Open SSL making conection to exchange server" height="435" width="591"><figcaption></figcaption></figure>

Once the connection is made, you will be prompted to input a command.

<figure><img src="https://securitytutorials.co.uk/ezoimgfmt/i0.wp.com/securitytutorials.co.uk/wp-content/uploads/2019/11/openSSL-handshake.png?resize=653%2C434&#x26;ssl=1&#x26;ezimgfmt=rs:653x434/rscb1/ng:webp/ngcb1" alt="Input GET request" height="434" width="653"><figcaption></figcaption></figure>

Paste or input the follows (this will make a GET request to autodiscover.xml using the command below.)

```
GET /autodiscover/autodiscover.xml HTTP/1.0
```

You need to hit Enter twice after you typed the GET request; before the server will respond.

<figure><img src="https://securitytutorials.co.uk/ezoimgfmt/i0.wp.com/securitytutorials.co.uk/wp-content/uploads/2019/11/openssl-realm-new.png?resize=602%2C339&#x26;ssl=1&#x26;ezimgfmt=rs:602x339/rscb1/ng:webp/ngcb1" alt="Internal IP" height="339" width="602"><figcaption></figcaption></figure>

This spits out its local IP address under the header **WWW-Authenticate: Basic realm=**.

***

## Remediation

The rule will match any WWW-Authenticate Header which includes an IP address in the WWW-Authenticate field and replace this with the domain name.

### Header Modification

```
Rule Type: Replace Header
Header Field: WWW-Authenticate
Match String: /(Basic realm=)(\"[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\")/
Replacement: \1"domain.com"
```

![](https://support.kemptechnologies.com/hc/en-us/article_attachments/202044856/RemoveInt.PNG)

This can then be added to the Virtual Service: **Virtual Services > View/Modify Services > Advanced Properties > HTTP Header Modifications > Response Rules**.

![](https://support.kemptechnologies.com/hc/en-us/article_attachments/202199063/Header_Mod_INTAddress.PNG)

The internal address is now hidden in all responses and replaced with [www.domain.com](http://www.domain.com):

### URL Rewrite

IIS server to deny requests made without the Host header set. They achieve this by using the URL rewrite module for IIS.

{% embed url="<https://www.iis.net/downloads/microsoft/url-rewrite>" %}

URL Rewrite Download the URL Rewrite module onto your exchange server and install it.&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://wiki.smhuda.com/pentesting/infrastructure-security/network-infrastructure/microsoft-exchange-client-access-server-information-disclosure.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.