Commit
Land #10964, add initial golang modules for enumerating owa/o365
Showing 14 changed files with 940 additions and 198 deletions.
documentation/modules/auxiliary/scanner/msmail/exchange_enum.md: 21 additions & 0 deletions
@@ -0,0 +1,21 @@ | |||
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. | |||
This module leverages all known, and even some lesser-known services exposed by default | |||
Exchange installations to enumerate email. | |||
|
|||
Error-based user enumeration for Office 365 integrated email addresses | |||
|
|||
## Verification | |||
|
|||
- Start `msfconsole` | |||
- `use auxiliary/scanner/msmail/exchange_enum` | |||
- `set (`EMAIL` or `EMAIL_FILE`)` | |||
- `run` | |||
- `creds` | |||
|
|||
*Results should look something like below if valid users were found:* | |||
|
|||
``` | |||
host origin service public private realm private_type | |||
---- ------ ------- ------ ------- ----- ------------ | |||
<ip> <ip> 443/tcp (owa) chris@somecompany.com | |||
``` |
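Review bot: the opening paragraph documents time-based enumeration against on-prem OWA and default Exchange services, but the only line that describes this module says it does error-based enumeration of Office 365 integrated addresses; rewrite the intro so it states what exchange_enum actually does and what EMAIL / EMAIL_FILE expect (full addresses, one per line for the file) instead of the paragraph shared with the other two docs. In the Verification list, the item "set (`EMAIL` or `EMAIL_FILE`)" nests backticks and will not render as intended; write it as two plain commands, `set EMAIL <address>` or `set EMAIL_FILE <path>`. The sample `creds` table also has its data row misaligned with the header, so it is unclear which columns `<ip>` and the address fall in; paste the row as a real run prints it.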
@@ -0,0 +1,42 @@ | |||
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. | |||
This module leverages all known, and even some lesser-known services exposed by default | |||
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration. | |||
|
|||
**Identify Command** | |||
- Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain | |||
- Queries for specific DNS records related to Office 365 integration | |||
- Attempts to extract internal domain name for onprem instance of Exchange | |||
- Identifies services vulnerable to time-based user enumeration for onprem Exchange | |||
- Lists password-sprayable services exposed for onprem Exchange host | |||
|
|||
**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed | |||
|
|||
## Verification | |||
|
|||
- Start `msfconsole` | |||
- `use auxiliary/scanner/msmail/host_id` | |||
- `set RHOSTS <target>` | |||
- `run` | |||
|
|||
*Results should look like below:* | |||
|
|||
``` | |||
msf5 > use auxiliary/scanner/msmail/host_id | |||
msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS <host> | |||
RHOSTS => <host> | |||
msf5 auxiliary(scanner/msmail/host_id) > run | |||
[*] Running for <ip>... | |||
[*] Attempting to harvest internal domain: | |||
[*] Internal Domain: | |||
[*] <domain> | |||
[*] [-] Domain is not using o365 resources. | |||
[*] Identifying endpoints vulnerable to time-based enumeration: | |||
[*] [+] https://<host>/Microsoft-Server-ActiveSync | |||
[*] [+] https://<host>/autodiscover/autodiscover.xml | |||
[*] [+] https://<host>/owa | |||
[*] Identifying exposed Exchange endpoints for potential spraying: | |||
[*] [+] https://<host>/oab | |||
[*] [+] https://<host>/ews | |||
``` |
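Review bot: the **Note:** line admits a known defect (RHOSTS is resolved to an IP, presumably unwanted because the DNS-record and internal-domain checks listed under Identify Command need a domain name) and says it is "currently being fixed"; a module doc should not land with that caveat. Either fix the RHOSTS handling in this change or replace the note with the concrete behaviour a user needs: which option to set with the hostname, and which checks are skipped when only an IP is supplied. The sample output shows `[*] [+]` and `[*] [-]` double prefixes, which suggests the module passes already-prefixed strings to print_status; use print_good / print_error for those lines so the markers are not doubled. This file also carries the same three-line introduction as exchange_enum.md and onprem_enum.md, and the file header for this doc is missing from the view; each doc should describe its own module.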
documentation/modules/auxiliary/scanner/msmail/onprem_enum.md: 25 additions & 0 deletions
@@ -0,0 +1,25 @@ | |||
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. | |||
This module leverages all known, and even some lesser-known services exposed by default | |||
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration. | |||
|
|||
- Error-based user enumeration for on premise Exchange services | |||
|
|||
**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed | |||
|
|||
## Verification | |||
|
|||
- Start `msfconsole` | |||
- `use auxiliary/scanner/msmail/onprem_enum` | |||
- `set RHOSTS <target>` | |||
- `set (`USER` or `USER_FILE`) | |||
- `run` | |||
- `creds` | |||
|
|||
*Results should look something like below if valid users were found:* | |||
|
|||
``` | |||
host origin service public private realm private_type | |||
---- ------ ------- ------ ------- ----- ------------ | |||
10.1.1.1 10.1.1.1 443/tcp (owa) | |||
10.1.1.1 10.1.1.1 443/tcp (owa) chris | |||
``` |
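Review bot: the first row of the sample `creds` output (`10.1.1.1 10.1.1.1 443/tcp (owa)` with no public value) indicates the module stored a credential with an empty username; either skip empty results in the module or trim the example to the row a real run produces. The Verification item "set (`USER` or `USER_FILE`)" is missing its closing backtick and nests backticks; write it as `set USER <name>` or `set USER_FILE <path>`. The intro is again the shared paragraph, and its time-based claim sits directly above the bullet saying this module is error-based; describe what onprem_enum does, and replace the "currently being fixed" RHOSTS note with the actual behaviour or drop it once fixed.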
lib/msf/core/modules/external/go/src/metasploit/module.go: 0 additions & 195 deletions
This file was deleted.
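Review bot: lib/msf/core/modules/external/go/src/metasploit/module.go is deleted outright (195 deletions) with no replacement visible here, in a commit whose message says it adds Go modules; if the file was moved or split into one of the other changed files, state that in the commit message, and otherwise confirm that nothing remaining under lib/msf/core/modules/external/go still imports it before landing.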