OWA

Outlook Web Access

Enumerate Users

| Authentication Request | Kerberos Process | Response Time |
|---|---|---|
| Non-existing realm | KDC searches for realm | 2-3 seconds |
| Realm exists but username does not exist | Pre-authentication ticket created to verify username | 5-60 seconds |
| Realm and username exists | Pre-authentication ticket created to verify password | < 2 seconds |

"Responses in different environments may have different response times but the pattern in the timing response behavior still exist." (ref)

MSF

msf > use auxiliary/scanner/http/owa_login
msf > set RHOST mx.megacorp.local
msf > set USER_FILE owa-users.txt
msf > set PASSWORD dummyPassword
msf > set THREADS 15
msf > run

MailSniper

Password Spray

Ruler

Autodiscover URL implicit:

Autodiscover URL explicit:

Notes:

  • In users.txt there's only "username" on a line, not "DOMAIN\username".

  • Errors like "ERROR: 04:27:43 brute.go:193: An error occured in connection - Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: Get https://autodiscover.megacorp.com/autodiscover/autodiscover.xml: net/http: request canceled" do not affect the current password probe.
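Detection side, as an added example that is not part of the original page or of any tool named on it: both the owa_login run above (one dummy password over a user file) and a password spray look, in the logs, like one source failing once against many different accounts. The sketch assumes failed logons have already been normalized into constructed records of the form "time source username result"; the record format, the function names and both thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed tuning value
MIN_DISTINCT_USERS = 5          # assumed tuning value

# Constructed sample records (not a real IIS or Exchange log format).
SAMPLE_LOG = r"""
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 bob FAIL
2024-05-01T10:00:04 203.0.113.7 carol FAIL
2024-05-01T10:00:09 203.0.113.7 dave FAIL
2024-05-01T10:00:12 203.0.113.7 erin FAIL
2024-05-01T10:00:15 203.0.113.7 frank FAIL
2024-05-01T10:01:00 198.51.100.20 MEGACORP\grace FAIL
2024-05-01T10:01:20 198.51.100.20 grace FAIL
2024-05-01T10:01:45 198.51.100.20 grace@megacorp.local FAIL
2024-05-01T10:02:10 198.51.100.20 grace OK
2024-05-01T09:00:00 192.0.2.50 alice FAIL
2024-05-01T09:20:00 192.0.2.50 bob FAIL
2024-05-01T09:40:00 192.0.2.50 carol FAIL
2024-05-01T10:00:00 192.0.2.50 dave FAIL
2024-05-01T10:20:00 192.0.2.50 erin FAIL
"""

def normalize(user):
    """Map DOMAIN\\user and user@domain to the bare, lower-cased username."""
    user = user.lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user.split("@", 1)[0]

def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, normalize(user), result

def find_enumeration_sources(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {source: peak count of distinct failed usernames inside one window}."""
    recent = defaultdict(deque)   # source -> (time, user) failures still in the window
    flagged = {}
    for ts, src, user, result in sorted(parse(l) for l in lines if l.strip()):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumeration_sources(SAMPLE_LOG.splitlines()))
```

With the default window only 203.0.113.7 is flagged; 192.0.2.50 spreads the same five accounts over 80 minutes and appears only when the window is widened, which is the tuning trade-off against slow sprays.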

Enumerate NTLM

Nmap

MSF

MailSniper
