Land #10964, add initial golang modules for enumerating owa/o365

documentation/modules/auxiliary/scanner/msmail/exchange_enum.md

@@ -0,0 +1,21 @@
+OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
+This module leverages all known, and even some lesser-known services exposed by default
+Exchange installations to enumerate email.
+
+Error-based user enumeration for Office 365 integrated email addresses
+
+## Verification
+
+- Start `msfconsole`
+- `use auxiliary/scanner/msmail/exchange_enum`
+- `set (`EMAIL` or `EMAIL_FILE`)`
+- `run`
+- `creds`
+
+*Results should look something like below if valid users were found:*
+
+```
+host      origin    service        public  private  realm  private_type
+----      ------    -------        ------  -------  -----  ------------
+<ip>      <ip>      443/tcp (owa)  chris@somecompany.com
+```

documentation/modules/auxiliary/scanner/msmail/host_id.md

@@ -0,0 +1,42 @@
+OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
+ This module leverages all known, and even some lesser-known services exposed by default
+ Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
+
+**Identify Command**
+- Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain
+- Queries for specific DNS records related to Office 365 integration
+- Attempts to extract internal domain name for onprem instance of Exchange
+- Identifies services vulnerable to time-based user enumeration for onprem Exchange
+- Lists password-sprayable services exposed for onprem Exchange host
+
+**Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
+
+## Verification
+
+- Start `msfconsole`
+- `use auxiliary/scanner/msmail/host_id`
+- `set RHOSTS <target>`
+- `run`
+
+*Results should look like below:*
+
+```
+msf5 > use auxiliary/scanner/msmail/host_id
+msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS <host>
+RHOSTS => <host>
+msf5 auxiliary(scanner/msmail/host_id) > run
+
+[*] Running for <ip>...
+[*] Attempting to harvest internal domain:
+[*] Internal Domain:
+[*] <domain>
+[*] [-] Domain is not using o365 resources.
+[*] Identifying endpoints vulnerable to time-based enumeration:
+[*] [+] https://<host>/Microsoft-Server-ActiveSync
+[*] [+] https://<host>/autodiscover/autodiscover.xml
+[*] [+] https://<host>/owa
+[*] Identifying exposed Exchange endpoints for potential spraying:
+[*] [+] https://<host>/oab
+[*] [+] https://<host>/ews
+
+```

documentation/modules/auxiliary/scanner/msmail/onprem_enum.md

@@ -0,0 +1,25 @@
+OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
+ This module leverages all known, and even some lesser-known services exposed by default
+ Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
+
+- Error-based user enumeration for on premise Exchange services
+
+**Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
+
+## Verification
+
+- Start `msfconsole`
+- `use auxiliary/scanner/msmail/onprem_enum`
+- `set RHOSTS <target>`
+- `set (`USER` or `USER_FILE`)
+- `run`
+- `creds`
+
+*Results should look something like below if valid users were found:*
+
+```
+host      origin    service        public  private  realm  private_type
+----      ------    -------        ------  -------  -----  ------------
+10.1.1.1  10.1.1.1  443/tcp (owa)
+10.1.1.1  10.1.1.1  443/tcp (owa)  chris
+```

lib/msf/core/module/external.rb

@@ -119,8 +119,44 @@ def process_report(m, mod)
       })
 
       invalidate_login(**cred)
+
+    when 'credential_login'
+      handle_credential_login(data, mod)
     else
       print_warning "Skipping unrecognized report type #{m.params['type']}"
     end
   end
 end
+
+#
+# Handles login report that does not necessarily need to include a password
+#
+def handle_credential_login(data, mod)
+  # Required
+  service_data = {
+      address: data['address'],
+      port: data['port'],
+      protocol: data['protocol'],
+      service_name: data['service_name'],
+      module_fullname: self.fullname,
+      workspace_id: myworkspace_id
+  }
+
+  # Optional
+  credential_data = {
+      origin_type: :service,
+      username: data['username']
+  }.merge(service_data)
+
+  if data.has_key?(:password)
+    credential_data[:private_data] = data['password']
+    credential_data[:private_type] = :password
+  end
+
+  login_data = {
+      core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+  }.merge(service_data)
+  create_credential_login(login_data)
+end

lib/msf/core/modules/external/bridge.rb

@@ -142,7 +142,7 @@ def harvest_process
         elsif Process.kill('TERM', self.wait_thread.pid) && self.wait_thread.join(10)
           self.exit_status = self.wait_thread.value
         else
-          Procoess.kill('KILL', self.wait_thread.pid)
+          Process.kill('KILL', self.wait_thread.pid)
           self.exit_status = self.wait_thread.value
         end
       end
@@ -197,8 +197,19 @@ def self.applies?(module_name)
 
   def initialize(module_path, framework: nil)
     super
-    gopath = ENV['GOPATH'] || ''
-    self.env = self.env.merge({ 'GOPATH' => File.expand_path('../go', __FILE__) + File::PATH_SEPARATOR + gopath})
+    default_go_path = ENV['GOPATH'] || ''
+    shared_module_lib_path = File.dirname(module_path) + "/shared"
+    go_path = File.expand_path('../go', __FILE__)
+
+    if File.exist?(default_go_path)
+      go_path = go_path + File::PATH_SEPARATOR + default_go_path
+    end
+
+    if File.exist?(shared_module_lib_path)
+      go_path = go_path + File::PATH_SEPARATOR + shared_module_lib_path
+    end
+
+    self.env = self.env.merge({'GOPATH' => go_path})
     self.cmd = ['go', 'run', self.path]
   end
 end