Re: [PEN-TEST] Penetration of OWA servers

From: Mike Sues (msuesat_private)
Date: Thu Apr 26 2001 - 18:21:02 PDT


    Try all the IIS vulnerabilities (e.g. RDS, UNICODE, etc.); I've
    successfully applied both the RDS and UNICODE exploits against OWA
    servers. Check out the vulnerability database at http://www.security.focus
    for details. If you can get a shell with system or administrative
    privileges, try running a packet sniffer such as winsniff. If users'
    email sessions are not buried under SSL, you may be able to collect
    usernames and plaintext passwords.
    
    If SSL (TCP 443) is the only entry point available to you, use tools
    such as stunnel or curl to execute the exploits.
    
    Of course, once you do get a shell, dump the hashes from the SAM
    using pwdump2 or equivalent and do some local profiling of the box.
    You should be able to access a domain controller over NetBIOS from the
    OWA server.
    
    If they allow anonymous access to the address book, you can collect
    some good information on users, the organization, titles and phone
    numbers.
    
    Mike Sues
    Senior Network Security Analyst
    Cinnabar Networks Inc
    http://www.cinnabar.ca
    ph :613.720.4842
    fax:613.236.2506
    
    > -----Original Message-----
    > From: Penetration Testers [mailto:PEN-TESTat_private] On Behalf
    > Of Javier Fernandez-Sanguino Pena
    > Sent: Wednesday, April 25, 2001 11:41 AM
    > To: PEN-TESTat_private
    > Subject: [PEN-TEST] Penetration of OWA servers
    >
    > I am currently testing an OWA (Outlook Web Access) server, and
    > would like to know if people are aware of vulnerabilities for this
    > webmail front-end. After reading some literature (thanks to google)
    > I've found that it's a security risk on network topologies since it
    > has to access the NT Domain Server in order to authenticate users.
    > There are also recommendations to restrict anonymous access to the
    > front-end.
    >
    > I have been able to successfully exploit the latest vulnerability
    > through access to /exchange/finduser/details.asp?obj=XXXX. I've also
    > been able to automate this access to take a look at all the users
    > (the XXX beside the obj seems to have some kind of regularity: a
    > 64-hex number with changes around the last 8 hex). It's not as easy
    > as it might look at first (you have to first access the logon form
    > and take a cookie for the session).
    >
    > The webmail uses a two-step process for authentication. First it
    > asks for mailbox name, I figure it's the user's e-mail, and the
    > second seems to be NTdomain/user+password...
    >
    > Does anyone have experience with OWA penetration? I think it's not
    > much in use there...
    >
    > 	Regards
    >
    > 	Javi
    >
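
The thread above describes two things a defender of an OWA front-end can look for in the IIS logs: anonymous (unauthenticated) hits on `/exchange/finduser/details.asp` that walk through many distinct `obj=` values, and logon traffic that is not carried over SSL. The following script is an added example and is not code from either poster; it assumes the W3C extended log format with the field order given in its `#Fields:` header, and the log lines it parses are constructed for the example (the 64-hex `obj` values follow the "changes around the last 8 hex" pattern Javi mentions, with the rest zero-filled).

```python
"""Added example (not part of the original mailing-list thread): spot anonymous
enumeration of the OWA address book and cleartext logon traffic in IIS logs.

Assumptions: W3C extended log format with a '#Fields:' header naming each
column; IIS records '-' as cs-username for anonymous requests; cs-uri-query
holds the raw query string. The log below is constructed for this example.
"""
from collections import defaultdict
import re

FINDUSER_STEM = "/exchange/finduser/details.asp"
LOGON_STEM = "/exchange/logon.asp"
# Address-book object ids in the thread are 64 hex digits.
OBJ_RE = re.compile(r"(?:^|&)obj=([0-9a-fA-F]{64})(?:&|$)")


def _obj(n):
    """Constructed object id: 56 zeros followed by an 8-hex-digit counter."""
    return "0" * 56 + format(n, "08x")


# Constructed sample log: one anonymous client walking five address-book
# entries over plain HTTP (port 80), and an authenticated user reading two.
_LINES = [
    "#Software: Microsoft Internet Information Server (constructed sample)",
    "#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-04-25 11:30:00 10.0.0.5 - 80 GET /exchange/logon.asp - 200",
]
for i in range(1, 6):
    _LINES.append(
        f"2001-04-25 11:30:0{i} 10.0.0.5 - 80 GET {FINDUSER_STEM} obj={_obj(i)} 200"
    )
_LINES += [
    f"2001-04-25 11:41:10 10.0.0.9 DOMAIN\\alice 443 GET {FINDUSER_STEM} obj={_obj(1)} 200",
    f"2001-04-25 11:41:12 10.0.0.9 DOMAIN\\alice 443 GET {FINDUSER_STEM} obj={_obj(2)} 200",
]
SAMPLE_LOG = "\n".join(_LINES) + "\n"


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_address_book_enumeration(text, threshold=3):
    """Return clients that fetched >= threshold distinct address-book objects
    without authenticating. Authenticated users browsing the directory are
    normal and are not reported."""
    seen = defaultdict(set)
    for rec in parse_iis_log(text):
        if rec.get("cs-uri-stem", "").lower() != FINDUSER_STEM:
            continue
        m = OBJ_RE.search(rec.get("cs-uri-query", ""))
        if not m:
            continue
        seen[(rec["c-ip"], rec.get("cs-username", "-"))].add(m.group(1).lower())
    return [
        {"client": ip, "distinct_objects": len(objs)}
        for (ip, user), objs in sorted(seen.items())
        if user == "-" and len(objs) >= threshold
    ]


def find_cleartext_logons(text):
    """Return (client, port) pairs for logon-form requests not served on 443,
    i.e. sessions where credentials would cross the wire unprotected."""
    hits = set()
    for rec in parse_iis_log(text):
        if rec.get("cs-uri-stem", "").lower() == LOGON_STEM and rec.get("s-port") != "443":
            hits.add((rec["c-ip"], rec["s-port"]))
    return sorted(hits)


if __name__ == "__main__":
    for f in find_address_book_enumeration(SAMPLE_LOG):
        print(f"anonymous address-book walk from {f['client']}: {f['distinct_objects']} objects")
    for ip, port in find_cleartext_logons(SAMPLE_LOG):
        print(f"logon form served without SSL to {ip} on port {port}")
```

The threshold is deliberately low for the sample; on a real server set it from a baseline of how many directory entries an anonymous client legitimately touches, and treat any anonymous hit at all as a finding if the front-end is supposed to deny anonymous access to the address book, as the original post recommends.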
    