MS Exchange

Outlook Web Access

Enum

| Authentication Request | Kerberos Process | Response Time |
|---|---|---|
| Non-existing realm | KDC searches for realm | 2-3 seconds |
| Realm exists but username does not exist | Pre-authentication ticket created to verify username | 5-60 seconds |
| Realm and username exist | Pre-authentication ticket created to verify password | < 2 seconds |

Enum spray endpoints

./msmailprobe identify -t site.com

Get Realm

$ ~ curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.exmaple.com/ews

$ ~ echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py
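Added example, not from this page and not the ntlmdecoder.py script it references: a small Python parser for the NTLM CHALLENGE (Type 2) message the curl command above elicits, showing which identity fields (NetBIOS and DNS domain, host name, OS build) an Exchange front end discloses before any credential is sent; useful when auditing what your own server leaks. The sample message is constructed inside the code (per the MS-NLMP layout), not captured from a real server.

```python
import base64
import struct

# AV_PAIR ids carried in the TargetInfo block of a Type 2 message (MS-NLMP 2.2.2.1)
AV_IDS = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
          4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_VERSION = 0x02000000

def decode_type2(b64: str) -> dict:
    """Return the identity fields a server discloses in its NTLM CHALLENGE (Type 2)."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    out = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:  # optional 8-byte Version block at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:  # walk AV_PAIRs until MsvAvEOL (id 0)
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_IDS:
            out[AV_IDS[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return out

def build_sample_type2() -> str:
    """Constructed Type 2 message for the demo; all values are invented, not captured."""
    def u16(s): return s.encode("utf-16-le")
    target = u16("CORP")
    pairs = [(2, "CORP"), (1, "EXCH01"), (4, "corp.example.com"),
             (3, "exch01.corp.example.com"), (5, "corp.example.com")]
    info = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NEGOTIATE_VERSION | 0x00800000 | 0x00010000 | 0x00000001  # TARGET_INFO, TYPE_DOMAIN, UNICODE
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), 56)   # target name follows the 56-byte header
    hdr += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8  # ServerChallenge + Reserved
    hdr += struct.pack("<HHI", len(info), len(info), 56 + len(target))
    hdr += struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"  # Version 10.0.17763, rev 15
    return base64.b64encode(hdr + target + info).decode()

if __name__ == "__main__":
    for key, value in decode_type2(build_sample_type2()).items():
        print(f"{key:18} {value}")
```

Feed the real challenge (the base64 after `WWW-Authenticate: NTLM` in the curl response) to `decode_type2` instead of the constructed sample.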

If ActiveSync is accessible:

$ ~ curl -Isk https://autodiscover.exmaple.com/microsoft-server-activesync/healthcheck.htm

Post-exploitation

Username generator

https://pentestnotes.ru/notes/owa_pentest_guide/
