Exchange and OWA attacks - Step by Step

Captions
...Information Security's webcast recording yet, but we thought we would share kind of what some of us at Black Hills Information Security are going through right now. By the way, welcome to the basement of my house that we're building and finishing up. So Sierra, who usually moderates these things, and myself, we're in South Dakota. She's up by Terry Peak, by the ski area, and I'm kind of a ways from there, which is why we sound so terrible. It's pretty cool. So this webcast, if Sierra and myself disappear, I'm just gonna drop off the face of the planet. If we do, that's what we're doing today. This webcast is also a little bit different in the fact that we've got probably the largest representation of BHIS on a webcast that we've ever really had, so that's kind of cool. We have Carrie, Brian, Beau and myself, John. The show is pretty much going to be run by Carrie, Brian and Beau, since they're the main researchers at BHIS and put this whole thing together, which is pretty cool. We've got snow, and some of us like skiing, so thank you very much for joining. A little bit more background on what's coming up: apparently I'm giving a webcast with Pony Express on social engineering and Internet of Things hacking, which is interesting because I have no idea what that topic is about and I'm presenting on it, so that's going to be fun. However, closing out this year, kind of right before Christmas, we're going to do our Sacred Cash Cow Tipping, and this is probably a surprise to Beau, Carrie and Brian too, but Sacred Cash Cow Tipping is where we go through and bypass a bunch of AV engines. We'll talk about bypassing Cylance and a bunch of products and things that work for BHIS in our penetration tests, and that'll be how we close off this year. So we have two big webcasts to come, and I also think that we're going to be doing some videos and things like that as well. We still got people rolling in; we're at about 270 live.
This is one of the biggest webcasts ever, which is pretty exciting. I'll give you guys a little bit more background on the webcast here in just a little bit. So let's kind of quickly do a sound-off. Carrie, Beau, you guys also on? Yes, hey everybody. Beau was all sad; he came on like 10 minutes ago and he's like, oh, there's only 50 people, and now we're at like 300. Really though, out of a lot of the people at BHIS, Beau has a tremendous amount invested in this. He took a lot of flack for the disclosure as far as bypassing two-factor authentication, and they'll talk about that here in a little bit. So Brian, are you there? Beau, one of you guys please hit... Brian, I've been trying to convince Beau to move off to South Dakota for a long time and I think the snow outside is probably not helping that situation at all. Carrie's out tuning up the snowmobiles and getting ready, so she's gonna be ready to rock and roll. I'll stick with my hurricanes, thank you very much. Coming to this webcast, we're gonna be talking about something that's a little bit different. We're gonna be talking about kind of the anatomy of attacking an application. Throughout the course of 2016 we really focused on Outlook Web Access. It is something that is constantly available on the outside of networks. Any time you scan it, it is almost always a low/medium vulnerability if it's not patched, but it really is actually used as an attack point, because it's everywhere, because it is a direct access into sensitive data. We kind of doubled down; we're gonna go through the chronology of how that actually happened throughout the course of the year: username and domain harvesting, then harvesting passwords, whether or not two-factor authentication is enabled, and then finally accessing data, even with two-factor enabled, through Exchange Web Services. And the reason why this webcast is important is you've heard me talk about architecture. We've got beams and things like that
behind me, and architecture is predicated on understanding failure points. This is one of those examples. Whenever we released the vulnerability a few weeks ago, Microsoft said it's not that big of a deal; the people at Exchange Expert said it's not that big of a deal. But it is. We're actively exploiting environments today and it's a very successful attack; it works for us in everything that we do. So it's very, very important for all of us to pay attention, because this is the type of vulnerability that you can't just write a Metasploit module to exploit, and that's also maybe part of the reason why it is not something that is being addressed and fixed as fast as it should be. With that, I'm gonna hand it over. Who did you think was going to go first this particular round? I think it's me, John. Oh, all right dude, I'm gonna hand you over the presenter and I'm going to go on mute. Take it away guys. Bundle up, John. There you go. Let me share my screen one second. All right, okay, so as John mentioned, we've been spending a good amount of time basically just hacking away at OWA for the last year or so now, so we decided to put a webcast together to cover all the different avenues of attack that we've been talking about for the last year. So let's go ahead and just get started with it. Just a quick overview: going into performing any sort of external attack against an organization, the typical attack surface for most organizations is traditionally pretty slim. There's definitely the occasional remotely exploitable flaw you might run into, but if you've ever run a Nessus scan or anything against an external public-facing network, for most organizations you're not going to get a whole lot of things where you're gonna be like, oh my god, I can take over this network remotely. So we started looking at other avenues to getting in, which obviously phishing's gonna be one of the biggest ones you hear about
because it's just so common. But when you talk about just directly accessing a network remotely, directly trying to compromise through a firewall, quote-unquote hacking in through the firewall, this kind of attack, where we're basically just attacking a public-facing server such as OWA, is becoming more and more common. So let's talk about just straight-up Exchange and OWA for a minute. In the last year there have been a number of different attacks. It's not necessarily that they're new attacks, as in a revolutionary brand new thing that nobody's ever heard of before; it's just the way that they've been incorporated, specifically for OWA itself, has become kind of like a new thing. And again, because it is publicly facing infrastructure, for the most part it's readily available for people to attack. So like I said, some of these things we've been talking about for the last year, they're pretty minor, but when you combine them they can be really devastating. It's the death by a thousand cuts kind of thing. So we kind of believe that OWA is quickly becoming the weak point of a public-facing network, and it's not necessarily due to any specific vulnerability; it's due to a number of them put together, which we're going to talk about through this entire attack flow in this entire webcast. So specifically we're talking about OWA, but additionally really anything that touches AD that's publicly facing, so VPNs, Citrix environments, that kind of stuff; a lot of those types of portals have a lot of these same issues that we're going to talk about today. We'll talk about username enumeration, we'll talk about password spraying, and really being able to talk to an internal DC of sorts, being able to talk to AD remotely, is really one of the first steps that we need when we go into attacking an organization. So let's just do a quick
overview of pretty much everything we're going to talk about and what we'll end up wrapping up with by the end of this. With OWA, these are some of the things you can do: you can obtain valid domain credentials through password spraying, which we'll talk about in detail; you can pillage employees' email, obviously, it's meant for email; in O365 environments you can potentially gain access to other services, such as SharePoint, and we'll talk about why that's important later; and then internal phishing can be really successful if you have that trust relationship already built between users of an organization and you have credentials to log in. Basically, attacking that trust relationship can be devastating. And then obviously being able to search for VPN or remote access type details within emails is gonna end up being important. And then lastly we'll talk about just straight-up gaining remote compromise, meaning a remote shell, through OWA and Outlook, which is a very, very fun attack. So one thing I don't want to forget to mention is that within this presentation I think we have a total of maybe 25 slides or something, because most of this presentation is going to be demo, and you'll see that very soon. So, reconnaissance. Going into any attack against an organization remotely, what's first up? Recon. So before we even look at attacking an OWA server or attacking an organization, we try to just gain some information about the user base, gain information about the employees, gain information about externally facing hosts on the network. Some of the ways we do that: obviously Recon-ng is a very popular tool that has a lot of different modules built in to do various searches through public resources and open source resources, and then there's also FOCA, which is one of our favorites, because what FOCA does
is essentially some Google dorks of sorts to find public documents on web servers. What I mean by that is, if you were to go to google.com and you were to do site: let's say blackhillsinfosec.com, basically that specific search parameter is only going to search blackhillsinfosec.com. Now if you tack on another parameter called filetype, so if you say site:blackhillsinfosec.com filetype:PDF, it's gonna find only the PDF files that are publicly facing that Google knows about. And if you start to look for all kinds of different files, you'll find that you can gain access to a lot of these different publicly facing documents and PDFs. Now why is that important? Well, while they might be publicly facing, they generally were generated by someone on an internal network, and whenever you generate a document or a PDF or an Excel spreadsheet, a lot of times there's metadata associated with your user and your workstation on that document itself. So you, as an internal employee, generating these documents or PDFs and then posting them on a publicly available site, it allows an attacker to find those documents, download them, and extract the metadata from them, which a lot of times can actually include things like actual valid usernames of internal employees. We'll talk about why we want to know the username schema later. I mean, obviously having access to one username is really not gonna be all that important, but knowing that username schema is very important. So we'll craft a potential employee name list from that, as well as from things that we can find on sites like LinkedIn. Pretty much every employee from any organization these days has a LinkedIn account, and by just basically harvesting all of the different names from LinkedIn you can start to craft a very targeted list of actual employee usernames that we'll use later when we go to attack OWA.
So identifying the target, finding where a mail server is, is generally pretty easy, because for the most part organizations want their employees to know where their mail server is so they can access their email remotely. So to the extent of just basically brute-forcing subdomains, for the most part you can find a mail server by just doing mail.domain.com, webmail.domain.com, owa.domain.com; a lot of times those are the more common ones. But you can also, for some domains, if they've set up what's called Autodiscover DNS records, if you just basically search for autodiscover, or with the browser go to autodiscover.domain.com, it will actually redirect you to where the mail server is. It's a function that is built to basically help email clients find the mail server, so in a lot of cases you can actually locate OWA just from Autodiscover itself. So once we have our general recon, we know a few usernames, we might know the username schema, we know where the target mail server is, then it comes to how we're gonna actually go and attack OWA. So for the first part we're going to be using a tool that we wrote called MailSniper. There's definitely a few other pieces to this that don't necessarily use it, but for the most part we've tried to code this entire attack process into this tool. It's a PowerShell tool. It was generally written for searching email, so to begin with it was basically the tool that we wrote to say, hey, I'm on an internal network, I can now search through everybody's mailbox on this domain. So we actually coded a few other modules into it as well to allow more advanced searching and more advanced attacking of OWA itself. So that's MailSniper. We're gonna be talking about that soon, and I'm actually going to pass it off to Brian now so he can talk about
one of his attacks. So here, let me see, where's Brian? Cool, awesome. Everyone, one second, because I just gotta switch my screen here. There was one question from Rob for Beau. It was: can this exploit allow exfil of public and private files? I guess the question is a little vague there, because public files, absolutely, you can get them if they're readily available on a web server, but private files, meaning if they're not readily available, then probably not. I would say if it's in email, we can get to it. That's kind of the focus of all of this, focusing on email. There was also a question: does this work against Office 365 with multi-factor? We've heard conflicting answers. The reason why you've heard conflicting is because it does work for a short period of time after two-factor is enabled. And what did we find out was the timeframe between enabling two-factor and it finally being pushed out all the way through? I didn't find like the max time value, but it was at least like an hour or so. Yeah, so that's why you got conflicting answers: when Beau went through and tested it, he created an account, set up two-factor, tested it, and it worked, but if it's been running, let's say, for a day, then it does not work. So that's why there was conflicting, and that's why we have it set off that way. Let's continue on and talk about this a little bit more. So Brian, take it away. Awesome. So yeah, as I mentioned, one of the many things we can do with OWA portals is we can attempt to enumerate the internal domain name, the domain name that users would prepend to their username when attempting to log into the portal. And it's important on a lot of these logins because without knowing the correct internal domain name you're probably not going to have much success in some of the later attacks that we're going to talk about. And so this is an
issue that we kind of discovered through researching and testing. What we found is that when you try to log into an OWA portal (and actually this issue exists on internal AD as well; you can see it there too), when you attempt to log in, there are some anomalies in terms of the response time for that authentication process. Basically the gist of it, for the domain enumeration, is that if you try to authenticate with an invalid domain name and some arbitrary username, that response time is going to be shorter, predictably shorter, than the response time that you're going to see if you give a valid internal domain name with some arbitrary username. Cool. So just a quick overview of the general algorithm that you can follow for enumerating the internal domain name. Basically: generate yourself a list of random domain names and random usernames, take these combos of invalid domain names and usernames, and use those to authenticate against the portal. Look at all the response times and use that to get a baseline response time of what you would expect an invalid domain name to give you. Next you're going to want to generate a list of what you think might be likely domain names. It's usually based upon the company name, and I'll show that in the module demo here shortly. And when you do this you want to use a randomly generated username. It's important that you use a randomly generated username when you're trying to guess the correct internal domain name, because if you happen to guess a correct username on the internal domain with the correct internal domain name, it's going to throw you off a little bit, and that actually ties into the next part that we'll get into, which is username enumeration, so we'll get there later. So essentially once you get to that you can attempt to authenticate
with your newly formed likely domain name and username combos, and basically just compare the response times. Go through and look to see which one pops out as being a little bit different than all the other ones. And so just a quick disclosure timeline: basically we sent four emails to Microsoft, starting October 7th, and throughout this entire thing we received absolutely no response. So we figured we'd go ahead and tell everyone about what we found. So with that, let's do a demo. All right, so the portal that we're going to be attacking is going to be mail.nanobotsinc.com. If you load this page, basically what you're going to get is this IIS default server page, and if you append /owa you can see that we do have an OWA portal here at mail.nanobotsinc.com. Cool. So the first thing I'm going to do is hop onto my command prompt here. I'm gonna open up PowerShell with the ExecutionPolicy Bypass flag, I'm going to import the MailSniper framework, and now I'm going to run a newly added module. It's not out on public release yet, but we'll be getting to that soon. So Invoke-DomainHarvestOWA, and what I need to give it: I need to give it the exchange host name, which in this case is mail.nanobotsinc.com; I need to give it the output file, which is just going to be, I don't know, let's just call it potential domains; and I believe that's it. Let's see... oh right, the company name, I was forgetting something. All right, so now we also give it the name of the company, which in this case is going to be Nanobots Inc. Go ahead and throw in the spaces. Enter. All right, so I'll kind of walk through this as it's going and we can step back through for anything that goes too quickly. But basically up here we can see that we generated a list of what we think might be the internal domain name, so we've got the acronym NBI, nano, nanobots, nanobotsinc, botsinc, and then we've taken all those and appended on things like .com,
.corp, .biz and all that good stuff. Up here what has happened is we determined the baseline response time. So this is what I was talking about: we just generate a random internal domain name and append a randomly generated username. We take all those response times, which are milliseconds over on that side (it's scrolling away from me), and we go ahead and average them. Then after we average them we set a threshold; in this case I think I chose like 2.5, something like that. You might have to play around with it a little bit. But once we've got that baseline and we've got the threshold, now we go through and we take that list of domain names that we've generated based upon the company name, we append a randomly generated username, then we go through and try to authenticate and look at the response times again. In this case we can see here we got a response time of 813, which is substantially higher than any of the other response times that we see, and in our experience this typically indicates that that is the correct internal domain name for this server. And in this case, since we have this server, I can tell you that is the correct internal domain name. So that's it: you've got the internal domain name and now you can continue on. One other quick note is something that somebody from our organization pointed out: sometimes you can actually get the internal domain name, if the company has a self-signed SSL certificate, by inspecting that certificate. Sometimes it'll have the correct internal domain name right on it. So just a quick note there before moving on. So the next thing is kind of along similar lines to the internal domain name enumeration, but in this case we're going to try to discover not only valid usernames, but before we even get to that, try to determine the kind of naming
convention that companies use, because many companies will use some form of first name plus last initial, first name dot last name, last name followed by first name, and so on and so forth. One thing we can do is either try to figure out this form by taking usernames, or first names and last names, that we've gathered up through recon, and use those, or we can also mangle together a list of common first names and last names and try to figure it out from that. So even if you don't have any other information about the company, you might assume that they have somebody with one of these common names that works there, and try to figure out the username format from that. And so when looking at the username enumeration issue, it is similar to the domain enumeration issue; it's a timing-based attack essentially, but in this case the timing is actually flipped. What we see here is that if you attempt to authenticate with a valid domain name and some arbitrary username, so some invalid username, that response time is going to be longer than if you have the correct domain name with a valid username. And so that's what I was talking about earlier: when you're trying to enumerate the domain name it's important to use a username that you do not think actually exists, otherwise it's going to mess with your results if you just happen to guess the correct one as well. So on to the next one here. The overall algorithm is that we're going to generate our list of random usernames, we're going to use the valid domain name that we obtained in the previous step (so when we did the domain enumeration, we're going to take that domain name and use it here), and again we're going to generate a list of what we think are invalid usernames, and we're going to use this combo of valid domain and invalid usernames to get our baseline response time. And so from there, what
we're going to do is attempt to authenticate with a list formed using common first names, common last names, or the names you found from recon. We're going to try multiple formats for each name, so we're going to take this list, look at the response times, and compare each response time to our baseline response time to try to figure out which of these names is potentially valid. Once we have that, once we know the format, then we can go from there and generate a larger list using the email address mangler or some other method. So, disclosure: I actually disclosed this to Microsoft at the same time that I disclosed the domain enumeration issue, and so the response timeline's the same, and again no response. So I'm gonna hop back over here. We're gonna switch real quick. Somebody was asking about Threat Management Gateway from Microsoft, and we don't see that very much; in fact those products have been end-of-life since 2014. I'm sure that they're still there, but we just don't see them all that often. As well, most people are asking questions about other products that allow you to access your email from outside, like Exchange Web Services. Pretty much anything that you can authenticate through without using two-factor, that would be something that we need to be worried about. And then somebody asked a question, and Brian, I'll throw this to you: should a company keep Office 365 and internal Active Directory separate instead of moving to federated services? The users are going to most likely use the same password anyway. And I think that's... Brian, over to you: Office 365 and, excuse me, Active Directory separate. So if you're using Office 365, should you or should you not be federating into your internal Active Directory structure? Um, that is a good question, because they're gonna probably end up using the same password anyways, but I'll just
leave that off and pass it over to Beau and Carrie to see what their thoughts are on that. Robert asked: what could Microsoft do to fix this? I would say this one's easy. They should read the OWASP Top 10. The Top 10 has been around for a very long time. You should not have responses where we can easily identify user IDs, passwords and domains based on timing or response sizes. So basically they should go back to some basic web application security, take those classes, and make sure that they implement them. Okay, excellent. So the next thing we look at here is essentially the username enumeration, and the first thing I'm going to do is use this script that Beau actually wrote, but he was nice enough to let me demo it since it ties in with what we're talking about here. So basically here's the script, and then here we have these name lists: we have top five first names, top five last names, and then a couple other different iterations of this, so male, female, and so on and so forth. We're going to use these to form potential usernames using common formats. So the first thing I'm going to do here is Import-Module, and by the way, my lowercase D on my keyboard has suddenly stopped working, so I will be putting in uppercase Ds in case you're wondering; thankfully that still works. So I'm going to Import-Module EmailAddressMangler, and then we're going to Invoke-EmailAddressMangler, and I'm going to give it the first name list, which is going to be the name list of top five first names, and the last name list of top five last names, and then it's going to be all combos. I'm gonna pipe that out to Out-File with encoding ASCII, and then we'll just call it names.txt. All right, so we run that, and you can see it mangled up names for us. That's our username list up in here, and we can see we have various combinations of names, starting with james-b, john-b, so
basically first name, dash, last initial, and quite a few other combinations here. But basically we have a list that we can try out against this portal. So I've already got the MailSniper module imported, so I'm going to go ahead and run another module: Invoke (oops, get my D working there, sorry) Invoke-UsernameHarvestOWA. All right, so I'm gonna give it the user list, which is going to be names.txt; I'm going to give it the exchange host, which is mail.nanobotsinc.com; and I'm going to give it the domain, which in the last step we found to be nanobots; and I'm going to pipe the results out. All right, so go ahead and run it. Again, we're getting a baseline response time by taking the valid domain name that we determined, appending a random username, averaging those out, and then setting the threshold, remembering that this time a valid username with a valid domain name will give us a shorter response time than a valid domain name with an invalid username. So here we're going through the dashes. It's looking like it might not be the dashes; we have those response times and they're all above the threshold that we set. So let it keep going. Now we're getting into the next format, so we're moving on from that dash format. Oh look, we got a hit. So we've got johns, we've got michaelj, we've got robertb, and looking at the response times we see 299, 333, 11. We can see that those are substantially shorter and that these are potentially valid usernames on the domain. So at this point, now that you know the format, you can go through and generate a larger list of usernames, either a big one that you gather via recon or by doing this mangle method with common names, and then continue on to the next step. And so with that I can pass it over to Carrie. Are you up next? I think it's back to me for just a moment there, Brian, and then Carrie's next. All right, oh, you
are the presenter. Yes, okay. So if you've ever seen us give a webcast, you know we talk about password spraying quite a bit, and the reason is because it's a pretty successful attack for us. Very commonly we'll perform password spraying attacks against organizations and gain access to a ton of credentials. So when it comes to password spraying, if you haven't actually heard us talk about it before, basically what that means is we are going to try one password attempt per user, so we're going to try to stay out of the bounds of actually locking out accounts. Most organizations have some sort of account lockout policy, whether it be five attempts, ten attempts, and we're gonna try to stay at some level under that. Basically you generate a nice user list, and as we just discovered, we know the username format now, so it becomes like, okay, let's now generate a list with the usernames we found in recon as well as brute force, like let's say we take the top 100 first names and the top 200 last names and mangle those together into a fairly large list of potential usernames, and then run a password spraying attack against OWA with that. So I will go ahead and demonstrate what that looks like real quick. All right, so whenever Brian just performed his enumeration attack, we saw that michaelj was the correct format, first name last initial. So I went ahead and just generated a very small list of common names just so we can kind of prove a point here, but in a real attack what you would do is take all the names you found in recon, mangle those into a list similar to this, as well as brute force together a bunch of different common names. So what I'll do is go ahead and import MailSniper here. To perform a password spraying attack with MailSniper, there are actually two different modules, one for OWA and one for EWS. I'm gonna show you how it
looks against OWA, so that module is Invoke-PasswordSprayOWA. And for Invoke-PasswordSprayOWA what you need to do is give it your user list, the list of users you want to password spray, which in this case is going to be our common names list. We're going to give it a password, so, you know, in the grand scheme of common passwords, what do we find most often? Season and year. So we're going to go with Summer2016, and then we're going to point it at the Exchange host, which in our case is mail.nanobotsinc.com. So whenever this runs, what's going to happen is for each of these users it's going to attempt to log in to OWA, so it'll connect to mail.nanobotsinc.com, it will attempt to actually log in as each one, and if it obtains a valid credential, if it was successful in logging into OWA, we should get a result here. So in this case we were successful with one user; we have MichaelJ at nanobotsinc.com whose password was Summer2016. And again, while this demo is very much us constructing it to just prove a point, this is how it looks in real life, and whenever we generate these lists and we try ten thousand different usernames, this happens. So why is it okay, I mean, why does it matter that we only got one credential? So let's talk about the next step. We gained access to one credential; now that we have one credential we can actually pull down something from OWA called the global address list. So within Outlook Web Access you actually have the functionality to see everyone else's email address. It's a feature of OWA, right? If you were to go to send an email to somebody else, you click the To field and you can typically autocomplete somebody's email address from that. So we wrote a module called Get-GlobalAddressList to do that, so let me show you that real quick. So, Get-GlobalAddressList: now that we have the one credential of
Michael J, we'll give his username here, MichaelJ at nanobotsinc.com, we'll give his password of Summer2016, point it at the Exchange hostname, mail.nanobotsinc.com, and it's going to go, it's going to log in to OWA, it has to retrieve a couple of different cookies, and then basically pulls down the global address list right here. So in our little test domain this is all the users we have, but you can see this is every single mailbox that's in Exchange, and if you were to do this against a larger environment, let's say one that has like 3,000 users, you're going to be able to get all the user accounts doing the exact same technique. So from here, one of the next steps would be to go back and perform more password spraying with your valid list now. So we've gone, with one credential, to now having access to every single email address from the organization, which, from having that, we can now perform extremely more targeted password spraying attacks and potentially get access to a lot more credentials. We're not just guessing based off of recon and mangled-together usernames anymore; we actually have the exact username list now from the global address list. So let me show you what that looks like real quick and then I'm going to hand it off to Carrie to show you another way of doing this. So I'm going to go ahead and copy in those addresses, so these are our normal, or our actual, user addresses here. Let me just save that, and then we'll go back up to our password spray, and instead of our typical just-common-names list we'll actually give it the more targeted global address list now and run. Let's run with the same password and see what we get. So again, we've now obtained the actual global address list, we're going to try one password attempt for each of these users, and once it's done we'll potentially have more credentials. Here we go, so you see we got three now. So now we have Vladdy at nanobotsinc.com, bandless
at nanobotsinc.com, and Michael J; they all have the password of Summer2016. And again, this is just to prove a point, but this is how it looks in real life. One of the things that we wanted to kind of point out, and what Carrie's going to talk about a little bit more, is that this works against two-factor as well. So the fact that I was able to just connect to OWA and submit a password login request, like for this account here, Vladdy, let me show you what is actually going on in the background there. So if we go actually try to log in as Vladdy, let's log in as Vladdy and see what happens: we get a two-factor authentication prompt. So we're not getting into his account here, because two-factor's enabled, but we were able to successfully guess his password, and we're going to talk a little bit more about getting around this in a little bit. But Carrie also has something that she would like to talk about right now, so John, can you pass it over to Carrie please?

Sure. Well, I also want to point out very, very, very, very clearly that what we're going to discuss moving forward is not a vulnerability in Duo or any two-factor authentication vendor. In fact, Duo was awesome to work with, if they freaked out a little bit to begin with (okay, so they freaked out a lot), but they didn't... hope we lost a job... for the next few minutes, for the rest of this webcast, that is a vulnerability in Duo. Okay, take it away, Carrie.

Okay, so what I'm going to demo here is a little bit of a different way that you guys can spray, using Burp, just as another option, and also how it works against two-factor. So I'm going to put in a made-up username, xxx, Summer2016; it's going to be our guess for this spray, and I'm going to intercept this request and I'm going to send it to Intruder, and I'm going to mark the spot where I want to substitute the username. So instead of xxx we're going to (whoops) substitute in whatever usernames we have on our list, and I'm just going to type in a few, but you can import a list here. Okay, so as Beau
showed, if the password's correct you get a secondary screen that says, in this case, something about Duo, how you want to get your two-factor authentication. You don't actually get in, but it's different than if the password is wrong, where you get something that says, sorry, wrong username/password. So the response is different. So if we start this attack, we see that the length of the response is different, and that's a giveaway that this may have worked. So if we went and looked at this response we would see that we get redirected to that Duo page. So that's a simple way to do it, the Intruder tool, to look for that difference in response. One thing that's different with Microsoft MFA, multi-factor authentication, is you don't get that secondary screen. So if their two-factor solution is MFA, when you log in it'll just sit here and spin, like it is here. It won't return anything until the user accepts their push notification; they'll get a text or a phone call or a push notification on their phone, and until they respond to that you won't get a server response, so you can't look for that difference in response length. But there is a little flaw with Outlook in that case too, and so I've got this blog post here on our site, "What Can I Learn from a Password Spray? 2FA". The first part is Brian's discoveries with username enumeration, and the second part just points out that if you look at the responses there's a slight difference from Microsoft if the password is correct versus incorrect. So if the password is incorrect you get redirected to /owa, but if it's correct you get redirected to auth/owa. And so when you're doing that attack you want to go in here to the options and choose to follow the redirects, and we'll repeat this again for what we've got going, process cookies in redirect, and then repeat the attack, and we see that in the case where the password is right we got two redirects that we followed, and so that's where you can look in those responses and
determine whether you got that different response. So even with Microsoft MFA, which doesn't give you a different second screen, you can tell that the password is right. And you might be thinking that you can just look at the response time, because it takes a while for a user to respond, but what I found is that some users aren't set up with two-factor, and in that case it immediately rejects the password even though it's correct; the response is immediate. So you can't rely on response time completely, or you'll miss some correct passwords that you have found just because the user hasn't been set up with two-factor. And then just one other thing with Burp that I wanted to show: if we actually log in as one of these people, will you be able to accept the two-factor authentication? Just send a push. I do think it's hilarious, Jordan just got back to me and he said that we've got over 100 active connections to our Exchange environment, nanobotsinc.com, so that's fine, we're literally giving people "hacked by numbers" to one of our dev environments. Okay, so yeah, I'm showing a secondary way to download the address book. It's harder than using Beau's solution with PowerShell, but sometimes it may be the only option that works. So here, if we go to the Target tab and we look at mail.nanobotsinc.com, there's this finding that says "email addresses disclosed" and it starts listing out all the email addresses that it's seen. So what I do if I'm trying to get the address book this way is I start a new mail and I say To, and it usually comes up defaulting to your local contacts, but if you go to the global address list it'll list them all, and you see they're populating; Burp has extracted those for you based on the address book. And the only trick here is, if it's got a lot of entries in the address book, you actually have to scroll through it, holding down the down arrow key, through the whole address book, because it only loads as it needs to be seen, so it's on-demand
loading. So to get all those, like thousands of entries, to show up, you actually have to scroll down through the whole list, and then it's easy to copy and paste into Excel from this finding here. And there's also a blog post on that called "Downloading an Address Book from OWA" on the Black Hills site. Okay, back to you, Beau.

All right, John, can you pass it over please? Or Sierra, somebody? All right, you got it, sweet. Okay, so to kind of follow up on what was just shown a little bit with two-factor auth, this is something we released a couple of weeks ago, where we discovered that a lot of the different softwares for two-factor aren't actually covering all the protocols that are alongside OWA in Exchange in general. So with Exchange, a lot of people just have the mentality that, you know, I've got this Outlook Web Access front end and that's the only way that people are going to be able to log in and actually obtain emails from my organization. The fact of the matter is there's a number of other protocols right alongside OWA, and a lot of times those are not actually covered by two-factor authentication. So I'm going to demo that in just a moment, but I also want to talk about how you can basically read emails through this, and that's why we think it's so important: because you can not only just bypass 2FA, but you have the power to just straight-up read emails through the secondary protocol. It's basically, you have all these clients, like Outlook for Mac, that do not have the ability to connect to Exchange using the traditional method of talking to OWA, so they have to actually use these secondary... it's basically like a secondary API for obtaining emails and sending emails. So let's demo it out real quick. So you can see here I got the Duo hit a little bit ago, and let's say I don't have the secondary method of authenticating.
What you can do is talk to EWS, which is right alongside OWA. So if we go to mail.nanobotsinc.com/EWS, and again this is a default thing on most Exchange servers, you get this prompt, right? So if I log in here as Vladdy at nanobotsinc.com with his password, it should give us the XML... Something happened there, not sure why I got redirected, but we'll see if it works if I actually try to read his email. So Invoke-SelfSearch is the module that we're going to run. We need his user or email address, his mailbox, so we'll give it his mailbox of Vladdy at nanobotsinc.com, we'll give it his password, or actually, since this is a remote attack, we're going to give it the Exchange hostname first, which is mail.nanobotsinc.com, and then we'll give it the -Remote flag, which will basically prompt us for credentials. So here we are logging essentially directly into EWS. So if this is successful, what should happen is, instead of trying to connect to OWA, we're going to basically go right alongside it to EWS. Yeah, so basically what's happening here is it's connected to his inbox via EWS and searching for the terms password, creds and credentials. So, to the sysadmin who implemented this, they basically said, oh, you know what, I want two-factor authentication on my OWA portal, but most of these softwares, they basically say they don't even cover these, you know, right alongside it. It's not necessarily that it's a vulnerability in the two-factor authentication software; it's that they're basically just not covering these other protocols. And traditionally there have been other attacks similar to this where, on internal networks, some two-factor authentication softwares won't cover all the protocols for a given system, right? So what I'm talking about is, for example, RDP: a lot of times you have RDP that's covered by, let's say, an RSA two-factor, but right
alongside you've got SMB on a different port, which might not be covered, and you could connect in that way. But in this example, the thing that I think is kind of the bigger problem here is that they're all on the same port, on the same web server, just a different URL. But you can see here that we were actually able to read his email, and we found one that had the subject of "VPN login info, secret password inside", etc. So whenever we get to this point in the attack, what we're essentially going to try to do now is find emails that would help us get remote access, right? Help us find where's the VPN, are there any other passwords we can get through that, could we potentially send an email as this person. But let's say we didn't get VPN access, let's say we didn't get remote access through that technique. That's okay; there's a brilliant attack that was released about a year ago that Nick Landers from Silent Break Security discovered, where he found that Outlook clients sync Outlook rules across clients. And so why is that important? He found that, for some reason, in Outlook you can actually set a rule that when you get an email, when somebody sends you an email with a subject of whatever (or you can set a number of different triggers), whenever you get that email you can actually start an application. Now the thing about this is, if I have your credentials and I have an Outlook instance set up and I'm not on your network, I can load up Outlook, I can create this rule that says, hey, whenever you receive this email with this subject, run this payload on my WebDAV server out on the Internet. So it becomes: you don't have to phish anybody anymore; all you have to have is a valid credential to log in to Outlook. And so there have been a couple of tools that have been released; one of them is Ruler, and right now that one only works over MAPI over HTTP, which actually will only work in Exchange SP1 and above, but
I have noticed they've been working on getting it working with RPC, which is Outlook Anywhere. There was a question earlier about Outlook Anywhere and potential attacks through Outlook Anywhere; so this specific attack is the one that, for legacy versions of Exchange, will sync over Outlook Anywhere. And Carrie is actually going to walk through a demo right now of how this actually looks, so Carrie, take it away.

Right, in a second; let me share my screen here. Okay, so what we're looking at is the VM that represents our attacking machine. It's just my local machine; it's not on the customer's domain, it's not the victim's machine, it's my own machine. So I can start up Outlook Web Access and I can start up Outlook, and the first time I start it up it'll ask me to enter the email and password, which we just discovered through our prior efforts in password spraying, and then you just continue through that and it will set it up for you automatically. I've already done that, so here I have access to Darth B at nanobotsinc.com. So we're going to go in and create a rule, and when we do this we're just going to go to Options and Import and Rule. I've already made the rule file; I'm going to go back and show you how later, but I wanted to get it in there and get it going because it takes a few minutes to get the shell. So we're going to import our pwn rule, and what it says is: apply this rule after the message arrives with "pwn you" in the subject, and start the executable to get a shell on the box, and it's out on a WebDAV server on the Internet. And so we're going to apply that and say OK. Now the magic is that this is going to get automatically synced to the victim's computer where they run Outlook, on the internal domain, and it happens very quickly. I'm not showing the victim VM right now, but I just checked and it's already synchronized over there. So I'm going to close Outlook here so I don't get a shell on my own box when I send the email, and I'm just pressing send on
the email with "pwn you" in the subject. Okay, then while we're waiting, I'll direct you to the Silent Break Security blog post; it's very good, and it walks you through this, including how to create your shell exe to work with PowerShell Empire. There are a few little gotchas, and a few places where the instructions weren't verbose, so I added another blog post on the Black Hills site, "Malicious Outlook Rules and Actions", and it gets you past the first gotcha, that you have to actually use Python 3 when you run it, or you get that error, and then it gives really detailed instructions on setting up your WebDAV server to work with this attack. So you've got that there. So if we go over, we're using Python version 3 and we've downloaded the Silent Break Security rules.py script to generate that rules file. So we're going to run that and we're going to call it myrule, and then it just asks you some questions: what's the rule name, so we give it a name; what's the trigger, so what do you want to put in the subject of the email that will make this rule fire off, and we could do anything here, so you give it the subject of anything; and then here you put your WebDAV URL, and then wherever your file is, the .exe. And that created your rule file, myrule.rwz, and so I showed how to import that at the beginning. Let's see, I think I covered everything here, so I'm going to switch over to the victim. Yeah, okay, so here's the victim; it just barely got that email, that "pwn you" email, so we should be getting a shell soon on this box. So this represents a system that I don't currently have access to, Vladdy's or Darth B's system on that internal domain, presumably, right, and he's running Outlook, or will be running Outlook, in order to get that mail and fire that rule. We can see we've got Manage Rules on his system; it's got that rule in there. So of course I haven't got to show you; we'll wait on that. One other thing that
I'll show while we're waiting, going back to that other VM, is that you can go in and edit that rule to do things like, after it runs the executable, immediately delete the file, and that makes it less likely that someone would see this and report it. And there is one trick when you do that: if we go back to our rule, so click on it and say Edit Rule, it does something tricky when you edit. Let's say we wanted to add in "delete it afterwards"; it adds in this "on this computer only", which we don't want, because we want it to synchronize to the other computer. But you have to actually go ahead with this and finish, and then you have to go and edit it one more time and remove that setting, so uncheck "on this computer only", and now you have a stealthier rule here to work with. And that's all I have. That would give me the PowerShell session on that victim machine, which I'm not able to show you at the moment, and then I could do whatever you do once you get internal access on a machine. So back to you, Beau.

All right, let's see, let me share my screen. Okay, all right, so we've only got a couple more minutes left, so let's go ahead and kind of summarize everything that we just talked about. We started with nothing; we had no access whatsoever. We performed recon, we gathered a bunch of usernames and various employee names, we mangled those into a user list to use later. We found the OWA server, which is not hard on most environments anyway. We performed internal domain enumeration, so we were able to discover an internal domain name. We were able to figure out a username convention by basically just brute-forcing the various conventions. We were able to perform username enumeration, then password spraying, so once we had some valid usernames we were able to actually perform password spraying to gain access to just one credential; that's all we needed. Once you have one credential you can then acquire the global address list from Exchange. Now that you have the global address
list, you perform more password spraying, and with more password spraying comes more credentials, comes more access to various different resources. So one of the things we didn't actually talk about much here was, if the organization, let's say it's 365, and they have SharePoint and a number of other services in the cloud, at this point once you've got credentials you might actually be able to start searching around some more internal resources in SharePoint. And a lot of times we've actually had tests that I've been on where in SharePoint alone we found information about how to VPN into the network, including like PINs you might need as, quote unquote, a second factor to get in. So being able to have credentials is important. And then secondly, we were able to bypass two-factor authentication, just to really note that. And then the rest of the attacks basically lead us to remote compromise, so whether or not we found how to VPN in, how to RDP in, how to actually just straight-up get remote access, or whether we ran the malicious Outlook rules, or even at this point we could perform employee-to-employee phishing, meaning once we have an account of somebody, we can log into OWA, we can start looking through their email and figure out their trust relationships and start abusing those between employee and employee. So just to kind of wrap it up, basically this is our whole attack flow here. There were a lot of links in this webcast, so I created this one slide that kind of encompasses all of them; I highly recommend definitely checking them out. Again, this is stuff we've been talking about for the past year, so we thought it'd be nice to kind of throw it all together in one single webcast. But that is it, so for now that's it. If there are any questions, I mean, John, you can take it away.

All right, so a couple of quick things we're going to need
to clarify. Thing number one: this has nothing to do with Duo Security. Once again, they were very nice; they could have freaked out a little bit more than they did, which is pretty cool, just as long as we clarify that we were just using Duo for illustration purposes. Thing number two: there's a lot of people that are asking how do we stop this, and that's kind of why we're doing this webcast. We went to Exchange experts, we went to Microsoft, and they basically looked at all of this and they said, nothing to see here, this is not a concern. Well, the way it is, the architecture is broken. I usually don't like picking fights very often in computer security, but I think we'll pick one now. Microsoft has the fixes, and this simply is an easy fix. Again, this is something that organizations that have been developing web applications have been doing for years: you should not be able to enumerate passwords and two-factor authentication from the size of the response from your web server. This is 101-level computer security stuff. The other thing on Microsoft's side also is they have direct access to the most sensitive parts of an organization, not just files: emails, and all the sensitive things we find in emails within organizations from, again, our penetration testing, you know, kind of what we do, trying to find true risk, and so far as exploitation, this could have been done years ago. Somebody has a password,
then they can access their email through EWS, they can access their email through... We need to put some protection on sensitive things directly against the open Internet, or the more vulnerabilities we're going to... We've been trying to answer a tremendous amount of questions as we've gone through; I think that we have, but absolutely, please, thank you very much for coming. Please check out our next webcast that's coming through, and please start putting pressure on Microsoft to try to get this fixed. Hopefully they get it fixed; we could have just sat on that for the next five years and continued to exploit environments. Remember, the goal of penetration testing firms is to make things improve, to make things better, and that's ultimately what we are trying to do. So thank you so much, everyone, and get out of here, and for those of you that are in bad weather or about to be in bad weather, stay warm. Take care, everybody.
Info
Channel: Black Hills Information Security
Views: 9,067
Keywords: outlook web app, outlook, MS outlook, OWA bypass, OWA 2fa bypass, outlook 2fa bypass, ms, Microsoft
Id: yaq_JTN1oSo
Length: 68min 36sec (4116 seconds)
Published: Wed Jan 11 2017