Attacking Exchange/OWA to Gain Access to AD Accounts - Tradecraft Security Weekly #3
05/24/17 • 12 min
Microsoft Exchange and Office365 are extremely popular products that organizations use for enterprise email. These services can be exploited by remote attackers to potentially gain access to Active Directory user credentials. In this Tradecraft Security Weekly episode Beau Bullock (@dafthack) demonstrates how to utilize MailSniper to enumerate internal domains, enumerate usernames, perform password spraying attacks, and get the global address list from Exchange and Office365 portals.
Links: MailSniper - https://github.com/dafthack/MailSniper
Microsoft Exchange and Office365 are extremely popular products that organizations use for enterprise email. These services can be exploited by remote attackers to potentially gain access to Active Directory user credentials. In this Tradecraft Security Weekly episode Beau Bullock (@dafthack) demonstrates how to utilize MailSniper to enumerate internal domains, enumerate usernames, perform password spraying attacks, and get the global address list from Exchange and Office365 portals.
Links: MailSniper - https://github.com/dafthack/MailSniper
Previous Episode
Public File Metadata Analysis - Tradecraft Security Weekly #1
Public File Metadata Analysis with PowerMeta - It is very common for organizations to post files (docx, pdf, xlsx, etc.) to publicly available websites on the Internet. Often times these organizations have not taken the time to strip the metadata attached to these files. This leaves the potential for remote attackers to discover sensitive information from them including usernames, software used to create them, or system names. In this episode Beau demonstrates a PowerShell tool called PowerMeta that can be used to discover these files on a target site and extract the metadata from them.
PowerMeta: https://github.com/dafthack/PowerMeta
Strip Word Docs of Metadata: https://support.office.com/en-us/article/Remove-hidden-data-and-personal-information-by-inspecting-documents-356b7b5d-77af-44fe-a07f-9aa4d085966f
Strip PDFs of Metadata: https://blog.joshlemon.com.au/protecting-your-pdf-files-and-metadata/
Strip Photos of Metadata: http://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/
Next Episode
Meterpreter with Categorized Domains & Trusted Certs - Tradecraft Security Weekly #4
It is common for organizations to proxy web traffic so they can place restrictions on what websites can be visited by employees. To make the management of allowing or denying access to a large number of sites easier many web proxies utilize categorization engines to group sites into various subjects. Uncategorized sites are generally blocked. In this episode I show how it's easy to locate recently expired domains that have been categorized already, and can be utilized to get past web proxy filters. Additionally, I show how easy it is to set up a trusted certificate on the payload handler to encrypt the session using a custom cert.
Links: DomainHunter - https://github.com/minisllc/domainhunter
Brian Fehrman Blog Post - http://www.blackhillsinfosec.com/?p=5831
If you like this episode you’ll love
Episode Comments
Generate a badge
Get a badge for your website that links back to this episode
<a href="https://goodpods.com/podcasts/tradecraft-security-weekly-audio-309913/attacking-exchangeowa-to-gain-access-to-ad-accounts-tradecraft-securit-44711531"> <img src="https://storage.googleapis.com/goodpods-images-bucket/badges/generic-badge-1.svg" alt="listen to attacking exchange/owa to gain access to ad accounts - tradecraft security weekly #3 on goodpods" style="width: 225px" /> </a>
Copy