byt3bl33d3r / SprayingToolkit

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
GNU General Public License v3.0

* Parse positionally independent WWW-Authentication header #26

Open coffeegist opened 4 years ago

coffeegist commented 4 years ago

Most of the time, the WWW-Authentication header comes back looking like this:

'WWW-Authenticate': 'NTLM Tl<..snip...>A=, Negotiate, Basic realm="autodiscover.site.com"'

The original code handled this fine. However, sometimes the header can come back in the following form:

'Www-Authenticate': 'Negotiate, Basic realm="autodiscover.site.com", NTLM Tl<...snip...>A='

When this happens, the program would throw an error during parsing: Error parsing internal domain name using OWA. This usually means OWA is being hosted on-prem or the target has a hybrid AD deployment.

This pull aims to reduce these false negatives by parsing until reaching the NTLM section of the header.
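The positionally independent parse this pull describes, written out as an added example (not SprayingToolkit's own code): the WWW-Authenticate value is split into challenges on commas that sit outside quoted strings, the NTLM challenge is found wherever it appears, and the base64 Type 2 (CHALLENGE_MESSAGE) blob is decoded to recover the internal NetBIOS and DNS domain names from its TargetName and TargetInfo fields. The field layout follows MS-NLMP; the Type 2 message, the host names and the header values are constructed here with a hypothetical build_type2() so the example runs offline, and no real server produced them.

```python
import base64
import re
import struct

# NTLM negotiate flags (MS-NLMP 2.2.2.5) used by the constructed challenge.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1) whose values name the internal environment.
AV_IDS = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
          4: "dns_domain", 5: "dns_tree"}

NTLM_RE = re.compile(r"^NTLM\s+([A-Za-z0-9+/]+=*)$", re.IGNORECASE)


def split_challenges(header_value):
    """Split a WWW-Authenticate value on commas outside quoted strings,
    so 'Basic realm="a, b"' stays one piece."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(header_value):
        c = header_value[i]
        if c == "\\" and in_quote and i + 1 < len(header_value):
            buf.extend((c, header_value[i + 1]))   # keep escaped char as-is
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def find_ntlm_challenge(header_value):
    """Return the decoded NTLM token from any position in the header, or None.
    A bare 'NTLM' (no token) is the first-round challenge and is skipped."""
    for part in split_challenges(header_value):
        m = NTLM_RE.match(part)
        if m:
            return base64.b64decode(m.group(1))
    return None


def parse_type2(blob):
    """Decode a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) into TargetName,
    flags, server challenge and the named AV_PAIRs of TargetInfo."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError("expected CHALLENGE_MESSAGE (type 2), got type %d" % msg_type)
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    (flags,) = struct.unpack_from("<I", blob, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc),
            "flags": flags, "challenge": blob[24:32].hex()}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                        # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_IDS:                      # AV_PAIR strings are always UTF-16LE
            info[AV_IDS[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def internal_domain_from_header(header_value):
    """The check the PR fixes: find NTLM regardless of position, then decode."""
    blob = find_ntlm_challenge(header_value)
    if blob is None:
        raise ValueError("no NTLM challenge in header: %r" % header_value)
    return parse_type2(blob)


def build_type2(target_name, av_pairs, challenge=bytes(range(1, 9))):
    """Hypothetical helper: build a minimal Type 2 message so the example is
    self-contained. Fixed header is 56 bytes (Version field included)."""
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_TARGET_TYPE_DOMAIN
             | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION)
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le")))
                  + v.encode("utf-16-le") for av_id, v in av_pairs)
    ti += struct.pack("<HH", 0, 0)               # MsvAvEOL terminator
    tn_off, ti_off = 56, 56 + len(tn)
    version = bytes([10, 0]) + struct.pack("<H", 19041) + b"\x00\x00\x00\x0f"
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tn), len(tn), tn_off)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + struct.pack("<HHI", len(ti), len(ti), ti_off)
            + version + tn + ti)


# Constructed sample data: a Type 2 challenge for a hypothetical CORP domain,
# placed first and last in the header as in the two forms the PR describes.
TYPE2 = build_type2("CORP", [(2, "CORP"), (1, "EXCH01"), (4, "corp.example.local"),
                             (3, "exch01.corp.example.local"), (5, "corp.example.local")])
TOKEN = base64.b64encode(TYPE2).decode()
HEADER_NTLM_FIRST = 'NTLM %s, Negotiate, Basic realm="autodiscover.site.com"' % TOKEN
HEADER_NTLM_LAST = 'Negotiate, Basic realm="autodiscover.site.com", NTLM %s' % TOKEN

if __name__ == "__main__":
    for hdr in (HEADER_NTLM_FIRST, HEADER_NTLM_LAST):
        info = internal_domain_from_header(hdr)
        print(info["nb_domain"], info["dns_domain"], info["dns_computer"])
```

Splitting on unquoted commas rather than on the first scheme keeps the parse correct when a Basic or Digest realm itself contains a comma, and matching the token with an anchored regex means a first-round bare `NTLM` challenge is ignored instead of being decoded as an empty blob.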

byt3bl33d3r commented 4 years ago

@coffeegist good catch, thanks for this. I'm currently re-writing the entire thing (check out the dev branch) and I'll make sure to add this in. Cheers