add timing options to owa_ews_login #10779

Closed
wants to merge 1 commit into
base: master
from

Contributor

rwhitcroft commented Oct 10, 2018

The module now accepts options PASSWORDS_PER_CYCLE and CYCLE_DELAY which can be used with long-running jobs to avoid account lockouts, e.g., if the AD lockout policy is 3 failures in 30 minutes, you might set these to 1 and 31 respectively.

Better code welcome. FWIW, I tried using MaxGuessesPerUser but it seems busto.

msf5 auxiliary(scanner/http/owa_ews_login) > cat /tmp/u /tmp/p
[*] exec: cat /tmp/u /tmp/p

user1
user2
user3
pass1
pass2
pass3
msf5 auxiliary(scanner/http/owa_ews_login) > set user_file /tmp/u
user_file => /tmp/u
msf5 auxiliary(scanner/http/owa_ews_login) > set pass_file /tmp/p
pass_file => /tmp/p
msf5 auxiliary(scanner/http/owa_ews_login) > set cycle_delay 0
cycle_delay => 0
msf5 auxiliary(scanner/http/owa_ews_login) > set passwords_per_cycle 2
passwords_per_cycle => 2
msf5 auxiliary(scanner/http/owa_ews_login) > set verbose true
verbose => true
msf5 auxiliary(scanner/http/owa_ews_login) > run

[+] Found NTLM service at /ews/ for domain ADTEST.
[-] 10.1.4.18:443 - [1/9] - Failed login: user1:pass1
[-] 10.1.4.18:443 - [2/9] - Failed login: user2:pass1
[-] 10.1.4.18:443 - [3/9] - Failed login: user3:pass1
[-] 10.1.4.18:443 - [4/9] - Failed login: user1:pass2
[-] 10.1.4.18:443 - [5/9] - Failed login: user2:pass2
[-] 10.1.4.18:443 - [6/9] - Failed login: user3:pass2
[*] Sleeping 0 minutes between cycles
[-] 10.1.4.18:443 - [7/9] - Failed login: user1:pass3
[-] 10.1.4.18:443 - [8/9] - Failed login: user2:pass3
[-] 10.1.4.18:443 - [9/9] - Failed login: user3:pass3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
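
The sweep shown in the output above (every user tried with one password, then a pause sized to the lockout window) never trips a per-account lockout, so it has to be detected by fan-out per source instead. The following is an added example, not part of this PR or of Metasploit; the event tuple format, the thresholds, the function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample data: (timestamp, source, username, success)."""
    start = datetime(2018, 10, 10, 9, 0)
    users = ["user1", "user2", "user3", "user4", "user5"]
    # One password per cycle against every user, 31 minutes between cycles.
    events = [(start + timedelta(minutes=31 * cycle, seconds=2 * i), "203.0.113.7", u, False)
              for cycle in range(3) for i, u in enumerate(users)]
    # One person mistyping a password three times from another host.
    events += [(start + timedelta(seconds=20 * i), "198.51.100.9", "user2", False)
               for i in range(3)]
    return events

def stays_under_lockout(times, threshold, window):
    """True if no `threshold` failures for one account fall within `window`."""
    times = sorted(times)
    return all(times[i + threshold - 1] - times[i] > window
               for i in range(len(times) - threshold + 1))

def find_spray_sources(events, fanout_window=timedelta(hours=2), min_users=5,
                       lockout_threshold=3, lockout_window=timedelta(minutes=30)):
    """Flag sources whose failed logins touch >= min_users accounts inside
    fanout_window, and report whether they stayed below the lockout policy."""
    per_source = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            per_source[src].append((ts, user))
    flagged = {}
    for src, fails in per_source.items():
        fails.sort()
        # Widest user fan-out seen in any window that starts at a failure.
        fanout = max(len({u for t, u in fails if t0 <= t < t0 + fanout_window})
                     for t0, _ in fails)
        if fanout < min_users:
            continue
        per_user = defaultdict(list)
        for ts, user in fails:
            per_user[user].append(ts)
        quiet = all(stays_under_lockout(t, lockout_threshold, lockout_window)
                    for t in per_user.values())
        flagged[src] = {"users": fanout, "under_lockout": quiet}
    return flagged

if __name__ == "__main__":
    print(find_spray_sources(constructed_events()))
```

The defaults mirror the "3 failures in 30 minutes" policy mentioned in the comment; a source flagged with `under_lockout` set to true is one that lockout alerts alone would not surface.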

Contributor

acammack-r7 commented Oct 10, 2018

Hmm, it looks like this is using a bit of a mix of the old-style scanning and the new credential stuff. Since a lot of services could take advantage of this sort of pattern, I think the first step would be to put this code into a login scanner class, like these Buffalo NAS ones:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/buffalo_login.rb
https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/login_scanner/buffalo.rb

Then, we can add the cycle options to the #scan! method of all login scanners.

Contributor

rwhitcroft commented Oct 12, 2018

Opening a new PR for this.

@rwhitcroft rwhitcroft closed this Oct 12, 2018

@rwhitcroft rwhitcroft deleted the rwhitcroft:update_owa_ews_login branch Oct 12, 2018
