Introduction
• mail.domain.com/autodiscover/autodiscover.xml
• webmail.domain.com/autodiscover/autodiscover.xml
• domain.com/autodiscover/autodiscover.xml
When the server side wants the client side to perform the actions associated with a rule, it puts an action message in that folder.

Outlook then looks up that rule locally and executes the actions associated with it. In other words, the server supplies a message to Outlook so that Outlook knows it needs to execute the rule.
1. The VBScript engine that Outlook forms use is separate from the VBA macro script engine, so disabling macros won’t affect us.
2. When an Outlook form gets published into a folder, the form will be synced down to all instances of Outlook by the Exchange server, just like Outlook rules are.
Internal Phishing
More Password Discovery Username Enumeration
BHIS brought to light that any internet-facing OWA portal can assist us in performing internal domain name enumeration, because the OWA user authentication process shows anomalies in its response times.
For the same procedure using Burp, simply proxy your web traffic through Burp, enable “Live Scanning”, open OWA and browse the corporation’s address book in its entirety. Every e-mail account will be documented in Burp’s issues report (“Email addresses disclosed”).
• .PARAMETER Terms: Certain terms to search through each email subject and body for.
• .PARAMETER Folder: The folder of each mailbox to search.
• .PARAMETER Regex: The regex parameter allows for the use of regular expressions when doing searches.
• .PARAMETER CheckAttachments: This option will attempt to search through the contents of email attachments in addition to the default body/subject.
PTXtreme - Caendra Inc. © 2017
Attack Prerequisites
• Identification of valid credentials
• Exchange service access (via RPC or MAPI over HTTP)
• Malicious file dropped on disk (through a WebDAV share using a UNC path, or a local SMB share when physically inside)
Disadvantages
• Microsoft has released a patch for Outlook 2016 that disables both Run Application and Run Script rules by default
https://github.com/mwrlabs/XRulez
If the target has applied the Outlook patch that disables both Run Application and Run Script rules, we could perform another powerful attack that misuses Outlook forms. This phishing attack will result in code execution, leveraging the VBScript engine that Outlook forms use.
Attack Prerequisites
• Identification of valid credentials
• Exchange service access
Disadvantages
• Some interaction with the target is required
• KB4011091 for Outlook 2016 seems to block VBScript in forms
Tools
• fierce
• recon-ng
• theHarvester
• BHIS
• XRulez
• EmailAddressMangler
• OWA-Toolkit
• owaDump
• EmailRaider
• Ruler