knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

OWA Module #2

Closed puzzlepeaches closed 3 years ago

puzzlepeaches commented 3 years ago

Hey there!

Just finished up with this. It works well and should be a good start. It currently doesn't do:

The first two are fairly difficult to implement, especially the NTLM challenge-response parsing needed for domain extraction. If you have any ideas on integrating either let me know and I can help out. The third issue is a lack of Python knowledge on my part. Not sure what I'm missing. Take a look if you get the chance. Additionally, up next I plan to create modules for Exchange Web Services (EWS) and Dell SonicWall VPN.

A proposed new wiki page is included below:

Plugin Overview

This module facilitates Outlook Web Application (OWA) password spraying.

Unique Command Line Options

This module adds two new plugin args: --url and --domain. Both are required for usage.

Throttle Notes

Throttle settings may depend on a per-application basis. The safe bet is two login attempts every hour.

Example Command

credmaster.py <usual arguments> --plugin owa \
     --url https://owa.acme.com --domain ACME

knavesec commented 3 years ago

Hey @puzzlepeaches, Happy to have the module, but there are a few things that could be improved/fixed before merging:

Firstly, in the testconnect you should have some sort of domain enumeration, for example if a domain isn't provided it will enum and use whatever it finds. I know you said you didn't know how to do that, you can find an example here: https://github.com/byt3bl33d3r/SprayingToolkit/blob/master/core/sprayers/owa.py#L62. This does use a different auth method, I'd be curious to see if that works as well for general auth...

Additionally, the method you use is great, but it is only valid for exchange version 2010+, would be great to have compatibility for 2003/2007 as well. Though ideally no one will be using something that old lol, but still good to have everything for it. See the Metasploit example here: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/owa_login.rb, they have different endpoints. Enum of the version could be added into the testconnect function, which then also selects the correct uri.

Lastly, a coding error should be addressed. In the init file, the second conditional checking the domain variable will never be executed because the first conditional checking the url variable will always return first. Make sure the domain var is checked correctly.

Looking forward to seeing the edits, feel free to reach out on twitter/keybase/etc
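The argument-check bug raised in the review above is a plain control-flow mistake, so here is an added illustration of it (not CredMaster's own code, and the exact shape of the original conditional is an assumption): a version where the url branch returns on every path, leaving the domain check unreachable, next to a version that reports every missing plugin arg.

```python
"""Added example, not CredMaster's own code.

Reconstructs the review's point: when the first conditional (url) returns
on every path, the second conditional (domain) is dead code, so a run with
--url but no --domain is accepted by mistake. The argument dict layout and
function names are assumptions made for this illustration.
"""

# Constructed sample inputs (hypothetical values, not real hosts).
ARGS_COMPLETE = {"url": "https://owa.example.test", "domain": "EXAMPLE"}
ARGS_NO_DOMAIN = {"url": "https://owa.example.test"}
ARGS_EMPTY = {}


def validate_args_buggy(args):
    """Hypothetical reconstruction of the flawed check.

    Both branches of the url conditional return, so control never reaches
    the domain conditional below it.
    """
    if not args.get("url"):
        return "--url is required"
    else:
        return None  # returns for every non-empty url: domain is never checked
    if not args.get("domain"):  # unreachable
        return "--domain is required"
    return None


def validate_args(args):
    """Corrected check: every required plugin arg is tested independently.

    Returns None when all args are present, otherwise one message naming
    every missing arg so the user can fix them in a single pass.
    """
    required = ("url", "domain")
    missing = [name for name in required if not args.get(name)]
    if missing:
        return "missing required plugin args: " + ", ".join("--" + m for m in missing)
    return None


if __name__ == "__main__":
    for label, sample in (("complete", ARGS_COMPLETE),
                          ("no domain", ARGS_NO_DOMAIN),
                          ("empty", ARGS_EMPTY)):
        print(f"{label:10} buggy={validate_args_buggy(sample)!r} "
              f"fixed={validate_args(sample)!r}")
```

Running the block shows the difference directly: the buggy check returns None for the "no domain" sample, while the corrected check names the missing `--domain`.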

puzzlepeaches commented 3 years ago

I think I got a little too excited and made a pull request before this was ready to go! Realized pretty quickly yesterday that it didn't work well with different versions and I will make sure to get that fixed.

The NTLM auth domain extraction used by SprayingToolkit proved quite difficult to implement. I will probably reach out with some questions. I have a valid method for pulling the internal domain name, but actually parsing it is much more difficult. I'll keep messing with it though.

I will get everything fixed up and let you know when it's ready for testing. Thanks for the quick response!

knavesec commented 3 years ago

Sounds good, going to close this for now. Reach out if you need any help!