Re: [PEN-TEST] Penetration of OWA servers

From: Mike Sues (msuesat_private)
Date: Thu Apr 26 2001 - 18:21:02 PDT

Next message: Brian: "[PEN-TEST] Software Test Procedures Request for Assistance"

Previous message: Ed Rolison: "Re: [PEN-TEST] websence bypass ?"
In reply to: Javier Fernandez-Sanguino Peña: "[PEN-TEST] Penetration of OWA servers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Try all the IIS vulnerabilities (e.g. RDS, UNICODE, etc.); I've
successfully applied both the RDS and UNICODE exploits against OWA
servers. Check out the vulnerability database at http://www.security.focus
for details. If you can get a shell with system or administrative
privileges try running a packet sniffer such as winsniff. If user's
email sessions are not buried under SSL you may be able to collect
usernames and plaintext passwords.

If SSL (TCP 443) is the only entry point available to you, use tools
such as stunnel or curl to execute the exploits.

Of course, once you do get a shell, dump the hashes from the sam
using pwdump2 or equivalent and do some local profiling of the box.
You should be able to access a domain controller over netbios from the
OWA server.

If they allow anonymous access to the address book you can collect
some good information on users, the organization, titles and phone
numbers.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph :613.720.4842
fax:613.236.2506

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
> Of Javier Fernandez-Sanguino Pena
> Sent: Wednesday, April 25, 2001 11:41 AM
> To: PEN-TESTat_private
> Subject: [PEN-TEST] Penetration of OWA servers
>
>
> I am currently testing an OWA (Outlook Web Access) server, and
> would like to
> know if people are aware of vulnerabilities for this webmail
> front-end. After
> reading some literature (thanks to google) I've found that it's a
> security risk
> on network topologies since it has to access the NT Domain Server
> in order to
> authenticate users. There are also recommendations to restrict
> anonymous access
> to the front-end.
>
> I have been able to succesful exploit the latests vulnerability
> through access
> to
> /exchange/finduser/details.asp?obj=XXXX. I've also been able to
> automize this
> access to take a look at all the users (the XXX besides the obj
> seems to have
> some kind of regularity (a 64-hex number with changes around the
> last 8 hex).
> It's not as easy as it might look at first (you have to first
> access the logon
> form and take a cookie for the session).
>
> The webmail uses a twostep process for authentication. First it
> asks for mailbox
> name, I figure it's the user's e-mail, and the second seems to be
> NTdomain/user+password...
>
> Does anyone have experience with OWA penetration? I think it's
> not much in use
> there...
>
>
> 	Regards
>
> 	Javi
>

Next message: Brian: "[PEN-TEST] Software Test Procedures Request for Assistance"
Previous message: Ed Rolison: "Re: [PEN-TEST] websence bypass ?"
In reply to: Javier Fernandez-Sanguino Peña: "[PEN-TEST] Penetration of OWA servers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 20:06:29 PDT