search
TwitterGitHubBlog

OWA

Outlook Web Access

hashtag
Enumerate Users

Authentication Request
Kerberos Process
Response Time

Non-existing realm

KDC searches for realm

2-3 seconds

Realm exists but username does not exist

Pre-authentication ticket created to verify username

5-60 seconds

Realm and username exists

Pre-authentication ticket created to verify password

< 2 seconds

"Responses in different environments may have different response times but the pattern in the timing response behavior still exist." (refarrow-up-right)

hashtag
MSF

msf > use auxiliary/scanner/http/owa_login
msf > set RHOST mx.megacorp.local
msf > set USER_FILE owa-users.txt
msf > set PASSWORD dummyPassword
msf > set THREADS 15
msf > run

hashtag
MailSniper

hashtag
Password Spray

hashtag
Ruler

Autodiscover URL implicit:

Autodiscover URL explicit:

Notes:

  • In users.txt there's only "username" on a line, not "DOMAIN\username".

  • Errors like ERROR: 04:27:43 brute.go:193: An error occured in connection - Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: net/http: request canceled do not affect the current password probe.

hashtag
Enumerate NTLM

hashtag
Nmap

hashtag
MSF

hashtag
MailSniper

Last updated