Try all the IIS vulnerabilities (e.g. RDS, UNICODE, etc.); I've successfully applied both the RDS and UNICODE exploits against OWA servers. Check out the vulnerability database at http://www.security.focus for details. If you can get a shell with system or administrative privileges, try running a packet sniffer such as winsniff. If users' email sessions are not buried under SSL you may be able to collect usernames and plaintext passwords. If SSL (TCP 443) is the only entry point available to you, use tools such as stunnel or curl to execute the exploits. Of course, once you do get a shell, dump the hashes from the SAM using pwdump2 or equivalent and do some local profiling of the box. You should be able to access a domain controller over NetBIOS from the OWA server. If they allow anonymous access to the address book you can collect some good information on users, the organization, titles and phone numbers.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph : 613.720.4842
fax: 613.236.2506

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TESTat_private] On Behalf
> Of Javier Fernandez-Sanguino Pena
> Sent: Wednesday, April 25, 2001 11:41 AM
> To: PEN-TESTat_private
> Subject: [PEN-TEST] Penetration of OWA servers
>
>
> I am currently testing an OWA (Outlook Web Access) server, and would like to
> know if people are aware of vulnerabilities for this webmail front-end. After
> reading some literature (thanks to google) I've found that it's a security risk
> on network topologies since it has to access the NT Domain Server in order to
> authenticate users. There are also recommendations to restrict anonymous access
> to the front-end.
>
> I have been able to successfully exploit the latest vulnerability through access
> to /exchange/finduser/details.asp?obj=XXXX. I've also been able to automate this
> access to take a look at all the users (the XXXX beside the obj seems to have
> some kind of regularity (a 64-hex number with changes around the last 8 hex).
> It's not as easy as it might look at first (you have to first access the logon
> form and take a cookie for the session).
>
> The webmail uses a two-step process for authentication. First it asks for
> mailbox name, I figure it's the user's e-mail, and the second seems to be
> NTdomain/user+password...
>
> Does anyone have experience with OWA penetration? I think it's not much in use
> there...
>
>
> Regards
>
> Javi
>
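A defender-side check for the address-book enumeration Javi describes (many details.asp?obj= lookups with a 64-hex id from one client), as an added example that is not part of the list post or of OWA: it reads IIS W3C extended log records and flags clients that fetch many distinct obj values inside a short window. The log lines, the 56-fixed/8-varying id layout, and the window and count thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

DETAILS_PATH = "/exchange/finduser/details.asp"
HEX64 = re.compile(r"^[0-9a-f]{64}$", re.I)

def rec_line(t, ip, last8):
    # Constructed record: 56 fixed hex digits plus 8 varying ones, mirroring
    # the "changes around the last 8 hex" regularity mentioned in the post.
    return f"2001-04-25 {t} {ip} GET {DETAILS_PATH} obj={'0' * 56 + last8} 200"

# Constructed sample in IIS W3C extended log format, not a real capture.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-04-25 11:40:01 10.0.0.5 GET /exchange/logon.asp - 200",
    rec_line("11:40:02", "10.0.0.5", "0000aa01"),
    rec_line("11:40:02", "10.0.0.5", "0000aa02"),
    rec_line("11:40:03", "10.0.0.5", "0000aa03"),
    rec_line("11:40:03", "10.0.0.5", "0000aa04"),
    rec_line("11:40:04", "10.0.0.5", "0000aa05"),
    rec_line("11:41:10", "10.0.0.9", "0000bb10"),  # two lookups four minutes
    rec_line("11:45:00", "10.0.0.9", "0000bb11"),  # apart: ordinary use
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))

def find_enumeration(text, window=timedelta(seconds=60), min_distinct=5):
    """c-ip -> most distinct 64-hex obj ids fetched from details.asp inside any
    `window`, for clients reaching min_distinct (thresholds are assumptions)."""
    hits = defaultdict(list)  # c-ip -> [(timestamp, obj)]
    for rec in parse_w3c(text):
        obj = parse_qs(rec.get("cs-uri-query", "")).get("obj", [""])[0]
        if rec.get("cs-uri-stem", "").lower() == DETAILS_PATH and HEX64.match(obj):
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            hits[rec["c-ip"]].append((ts, obj))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window over sorted hits
            seen = {o for t, o in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged
```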
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 20:06:29 PDT