knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

OWA/EWS Plugins Authentication Failed with Valid Credentials #7

Open webofsnyderman opened 3 years ago

webofsnyderman commented 3 years ago

While attempting to use the OWA/EWS plugins I am getting "Authentication Failed:" with a valid credential. O365 module works as expected for the same credentials. Possibly an issue with NTLM auth?

I'm curious if anyone has had success with these plugins before or has seen the same issue.

knavesec commented 3 years ago

Thanks for reaching out!

Been tracking a few of these issues, NTLM auth seems to be having issues but appears to be failing inconsistently. In your experience are you seeing a false negative repeatably or simply one-off/semi-random?

knavesec commented 3 years ago

Second comment, are you 100% positive that OWA and O365 are connected (same auth, sometimes OWA is separate)? Also verify the OWA username format is correct. O365 username is email, but for OWA the username format (user@domain.com, DOMAIN\user, user) is dependent on the configuration.

knavesec commented 2 years ago

Leaving this open in case anyone else sees this issue. Any info possible would be great to help fix it.

kpomeroy1979 commented 2 years ago

Hey guys,

I'm new to this tool but I think it's great so far.

I correctly set up my AWS API Gateway and tried spraying using the 'o365' plugin with username of myemail@gmail.com and my password which I confirmed is correct. The tool reported 0 valid credentials even though I know 100% the credentials are valid. Any idea as to why?

Thanks :)

knavesec commented 2 years ago

Hey @kpomeroy1979

Sounds like your issue is with the o365 module, not the owa/ews. Would you please open a new issue regarding this issue for organizational purposes?

The office365 spraying method is specifically targeting emails whose domain's authentication schema is either managed by office365 or federated through some onsite STS/ADFS solution. My guess is (potentially wrong), myemail@gmail.com is a personal email that you used to set up your account, which I'm not sure is 100% covered within this scenario.

Steps to reproduce:

If the authentication fails, this is not a credmaster problem, you are simply attempting to authenticate to the wrong endpoint. If the authentication succeeds, then we can discuss this on the new issue

puzzlepeaches commented 2 years ago

So just some thoughts on this:

I don't have a ton of time to look into this, but I would recommend modifying the OWA module to actually do the form-based auth instead of NTLM through autodiscover.

techspence commented 1 year ago

In response to @puzzlepeaches' recommendation, I've been looking at this lately. In my forked version I've changed the OWA plugin slightly to use forms auth against the /owa/owa.auth endpoint and it appears to be working. Would a PR be welcomed?

knavesec commented 1 year ago

@techspence a PR is always welcome!

techspence commented 1 year ago

> @techspence a PR is always welcome!

@knavesec see update owa plugin to use forms auth. Please let me know what you think!

ghost commented 1 year ago

Having same issues, tested with most plugins. Valid creds getting valid user name, invalid password response. With/without MFA enabled, it doesn't say so based on response. Tested with this tool and the ones it uses outside of framework. It might not be the tool/plugin.