

  • Abusing Exchange Mailbox Permissions with MailSniper
    Overview: Microsoft Exchange users can grant other users various levels of access to their mailbox folders. For example, a user can grant other users access to read emails from their Inbox. If a user (or Exchange administrator) isn’t careful and sets permissions incorrectly, they might grant access to their mailbox to everyone at an organization. This creates a situation where any user at the organization can now read email from the mailbox with overly broad permissions. Using MailSniper, it is possible to quickly enumerate mailboxes like this that are accessible by any user. In this blog post, I’ll be describing how this problem can occur, how to locate mailboxes with permission issues, and ultimately how ...
    Posted May 18, 2017, 11:46 AM by Beau Bullock
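    The defender-side counterpart of the enumeration described above, as an added example that is not code from the post or from MailSniper: it walks every mailbox and reports folders where the Default (every authenticated user) or Anonymous pseudo-user holds anything other than None. It uses the standard Exchange cmdlets Get-Mailbox, Get-MailboxFolderPermission and Set-MailboxFolderPermission, runs in the Exchange Management Shell or a remote Exchange/Exchange Online session with at least View-Only Organization Management rights, and assumes English folder names (an assumption; adjust for localized mailboxes).

```powershell
# Added example, not code from the post or from MailSniper: audit which mailbox folders
# are readable by everyone in the organization. Requires the Exchange Management Shell or
# a remote Exchange / Exchange Online session. Get-Mailbox, Get-MailboxFolderPermission and
# Set-MailboxFolderPermission are the standard Exchange cmdlets; the folder names below
# assume an English-language mailbox (assumption).

# Entries for these pseudo-users apply to every authenticated user (Default) or to
# unauthenticated callers (Anonymous). Anything other than "None" is worth a look.
$BroadUsers = @('Default', 'Anonymous')
$Folders    = @('\', '\Inbox', '\Calendar', '\Sent Items', '\Contacts', '\Drafts')

$Findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($folder in $Folders) {
        $id = "$($mbx.PrimarySmtpAddress):$folder"
        # A folder that does not exist in this mailbox is simply skipped.
        $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            $who    = $p.User.ToString()
            $rights = ($p.AccessRights | ForEach-Object { $_.ToString() }) -join ','
            if ($BroadUsers -contains $who -and $rights -ne 'None') {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $folder
                    GrantedTo    = $who
                    AccessRights = $rights
                }
            }
        }
    }
}

$Findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize

# Remediation for a confirmed finding: reset the pseudo-user to no access. Uncomment to apply.
# foreach ($f in $Findings) {
#     Set-MailboxFolderPermission -Identity "$($f.Mailbox):$($f.Folder)" -User $f.GrantedTo -AccessRights None
# }
```

    Two caveats before acting on the output: Default holding AvailabilityOnly or LimitedDetails on \Calendar is the normal free/busy sharing setting, not a leak, so filter that out in environments that rely on it; and a Reviewer or higher grant on the mailbox root ('\') or on \Inbox is the case the post describes, where any user with a mailbox can read the folder.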
  • HostRecon: A Situational Awareness Tool
    Overview: HostRecon is a tool I wrote in PowerShell to assist with quickly enumerating a number of items that I would typically check after gaining access to a system. It can assist in providing situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and the domain. Probably the most important thing about it is that it does not use any ‘net’, ‘ipconfig’, ‘whoami’, ‘netstat’, or other system commands. I’ve had some security products alert on the use of those common commands/tools. Instead, those commands have been replaced with PowerShell and WMI queries. On many pentests we are still seeing Windows 7 systems that only have PowerShell ...
    Posted Apr 19, 2017, 10:30 AM by Beau Bullock
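    As an added example of the approach the post describes (not HostRecon's own code), the following gathers the facts that net, ipconfig, whoami and netstat would normally give, using only WMI classes and .NET APIs so that no child process is created. It is written against PowerShell 2.0 / .NET 3.5 (Get-WmiObject rather than Get-CimInstance, no Get-NetTCPConnection) so it also runs on the Windows 7 hosts mentioned above; the function name and output layout are my own.

```powershell
# Added example, not HostRecon's own code: host, user and network facts via WMI and .NET only,
# with no net/ipconfig/whoami/netstat child process. Targets PowerShell 2.0 / .NET 3.5 so it
# also works on Windows 7 (assumption: the SecurityCenter2 namespace is present, i.e. Vista+).

function Get-HostSummary {
    # whoami replacement: the current token and whether it is (elevated) local admin
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # hostname / systeminfo replacement
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # ipconfig replacement: only adapters that actually have IP enabled
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Description = $_.Description
                IPAddress   = ($_.IPAddress -join ', ')
                Gateway     = ($_.DefaultIPGateway -join ', ')
                DNS         = ($_.DNSServerSearchOrder -join ', ')
            }
        }

    # netstat -an replacement: connections and listeners read straight from the IP stack
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $tcpConns  = $ipProps.GetActiveTcpConnections() |
        ForEach-Object { "{0} -> {1} ({2})" -f $_.LocalEndPoint, $_.RemoteEndPoint, $_.State }
    $listeners = $ipProps.GetActiveTcpListeners() | ForEach-Object { $_.ToString() }

    # "net localgroup administrators" replacement: group membership from Win32_GroupUser.
    # Note: enumerating this class can be slow on domain-joined hosts.
    $admins = Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object {
            if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') { "$($Matches[1])\$($Matches[2])" }
        }

    # security products registered with Windows Security Center
    $av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object { $_.displayName }

    New-Object PSObject -Property @{
        User           = $identity.Name
        IsLocalAdmin   = $isAdmin
        Host           = $cs.Name
        Domain         = $cs.Domain
        PartOfDomain   = $cs.PartOfDomain
        OS             = "$($os.Caption) $($os.Version)"
        Adapters       = $nics
        LocalAdmins    = $admins
        TcpConnections = $tcpConns
        TcpListeners   = $listeners
        AntiVirus      = $av
    }
}

$summary = Get-HostSummary
$summary | Format-List
$summary.Adapters | Format-Table -AutoSize
```

    IsLocalAdmin reflects the current token, so under UAC a non-elevated admin shows False; that is the answer that matters for what the session can do right now. WMI queries are still visible to products that log WMI activity or PowerShell script blocks, so this avoids the command-line signatures the post mentions, not telemetry in general.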
  • Bypassing Two-Factor Authentication on OWA and Office365 Portals
    FULL DISCLOSURE: BLACK HILLS INFORMATION SECURITY BELIEVES IN RESPONSIBLE DISCLOSURE OF VULNERABILITIES. THIS VULNERABILITY WAS REPORTED TO MICROSOFT ON SEPTEMBER 28TH, 2016. AS OF THE PUBLICATION DATE OF THIS POST (NOVEMBER 2ND, 2016) MICROSOFT HAS NOT RESPONDED WITH ANY UPDATES OTHER THAN TO SAY THERE ARE NO UPDATES. THE FULL TIMELINE OF THIS DISCLOSURE CAN BE FOUND IN A SECTION AT THE END OF THE BLOG POST. UPDATE as of 3pm MST 11/2/16: This blog post demonstrates a two-factor authentication bypass technique against Microsoft Outlook Web Access where the third-party 2FA vendor was Duo Security. It should be stated that this is NOT a vulnerability in Duo Security’s product. It is a problem in which ...
    Posted Nov 7, 2016, 5:52 AM by Beau Bullock
  • Attacking Exchange With MailSniper
    I’ve added a few modules to MailSniper that assist in remote attacks against organizations hosting an externally facing Exchange server (OWA or EWS). Specifically, the modules are Get-GlobalAddressList, Invoke-PasswordSprayOWA, and Invoke-PasswordSprayEWS. Very often on external penetration tests we perform a reconnaissance phase that might yield some email addresses or usernames of an organization. If we can successfully find valid credentials for any one of them, and the organization has an Outlook Web Access or Exchange Web Services portal, it is possible to download the entire Global Address List from the Exchange server. So, from one valid credential we can now have access to all email addresses for every employee of an ...
    Posted Oct 7, 2016, 9:15 AM by Beau Bullock
  • Introducing MailSniper: A Tool For Searching Every User's Email for Sensitive Data
    TL;DR: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper is available for download here: https://github.com/dafthack/MailSniper
    Overview: Oftentimes, on penetration tests we find ourselves having elevated access (Domain Admin) within an organization. Some firms stop there, thinking that DA is the end goal. But it’s not. “Getting DA” means nothing to most members of the C-suite if you can’t provide a picture of what that ...
    Posted Sep 29, 2016, 6:52 AM by Beau Bullock
  • How to Build Your Own Penetration Testing Drop Box
    TL;DR: I compared three single-board computers (SBCs) against each other with the specific goal of finding which one would serve best as a “penetration testing drop box” while keeping the overall price around $110. Spoiler alert: at the time I tested these, Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If you want to skip the SBC comparison and jump right to building your own pentest drop box, you can find the instructions below and also here.
    Overview: A few weeks ago I was scheduled for an upcoming Red Team exercise for a retail organization. In preparation for that assessment I started gathering all the gear I might need to properly infiltrate the organization ...
    Posted Sep 29, 2016, 6:48 AM by Beau Bullock
  • Storm Chasing: How We Hacked Your Cloud
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/?p=4975
    Overview: The traditional methodology of a remote attacker who has no preconceptions of a target network used to be fairly static. With organizations moving to “the cloud”, the approach attackers take is going to change drastically, if it hasn’t already. In this blog post I am going to detail why, if your organization has moved its assets to the cloud, an attacker is likely going to make that their primary attack focus. They will likely succeed, and you will likely not know that it happened.
    Cloud Computing Primer: Scalable storage, easy collaboration between employees, and ...
    Posted Jun 2, 2016, 11:53 AM by Beau Bullock
  • Poking Holes in the Firewall: Egress Testing With AllPorts.Exposed
    If you have been even remotely in touch with technology in the past thirty years, you have probably heard of this thing called a “firewall”. If not: a firewall decides what does and does not get to pass through it. Most organizations have one protecting their network from the rest of the Internet. Some organizations place them in the most opportune spots to segment off specific areas of their internal network. The system you are using right now to read this blog post most likely has a firewall built in. The general consensus about what a firewall does is that it keeps “bad stuff” from entering a protected network or system. But firewalls can also keep things from ...
    Posted May 3, 2016, 9:59 AM by Beau Bullock
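    The egress test the post's title refers to, as an added example that is not the post's own script: it attempts an outbound TCP connection on each candidate port to a host that answers on every port, and records which ones the local and upstream firewalls let through. The default target is allports.exposed, the service named in the title; the port list, the timeout and the function name are assumptions to adjust for the engagement.

```powershell
# Added example, not the post's own script: find which outbound TCP ports are allowed by
# connecting to a host that listens on every port. Target defaults to allports.exposed (the
# service in the post title); $Ports and $TimeoutMs are assumptions for illustration.

function Test-Egress {
    param(
        [string]$Target = 'allports.exposed',
        [int[]]$Ports   = (1..1024) + @(1433, 3389, 4444, 5985, 8080, 8443, 31337),
        [int]$TimeoutMs = 2000
    )
    $open = New-Object System.Collections.Generic.List[int]
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Async connect so a silently dropped SYN costs $TimeoutMs, not the OS default (~20s)
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
                $client.EndConnect($ar)
                $open.Add($port)
                Write-Host ("egress allowed: tcp/{0}" -f $port) -ForegroundColor Green
            }
            # WaitOne timing out means the packet was dropped; Connected=$false means it was reset
        } catch {
            # RST or name-resolution failure: nothing to record for this port
        } finally {
            $client.Close()
        }
    }
    return $open
}

$allowed = Test-Egress
"{0} of the tested ports can leave the network" -f $allowed.Count
```

    A dropped SYN and a rejected one look different in the timing (timeout versus immediate failure), which tells you whether a filter is silently discarding or actively refusing. If the environment forces a web proxy, a direct TCP connect only measures what bypasses the proxy; HTTP(S) egress through the proxy is a separate test against the same target.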
  • REVIEW: Kali Linux Web Penetration Testing Cookbook
    I perform pentests against web applications on a regular basis, amongst other types of pentesting including internal network assessments, external network assessments, phishing, wireless, C2, pivot tests and more. In the past two years I've pentested around 40 different web applications for various organizations. I read the Kali Linux Web Penetration Testing Cookbook and wanted to share my thoughts on the book.
    TL;DR: This is a great book for introducing webapp attack vectors to new pentesters. There might be a section or two that seasoned pentesters find useful. I felt the author did a great job describing the tools and techniques in the book. The book lacks details on the underlying web protocols, so don't expect to ...
    Posted Mar 29, 2016, 9:13 PM by Beau Bullock
  • Password Spraying Outlook Web Access - How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 2
    This is a cross-post from the Black Hills Information Security blog. You can read it here: http://www.blackhillsinfosec.com/#!Password-Spraying-Outlook-Web-Access-How-to-Gain-Access-to-Domain-Credentials-Without-Being-on-a-Targets-Network-Part-2/c1592/56c1f10e0cf2365fef58cce1
    This is part two of a series of posts (see part 1 here) where I am detailing multiple ways to gain access to domain user credentials without ever being on a target organization's network. The first method involves exploiting password reuse, where a user might have reused the password from their corporate domain account on another external service. The second method is what I think is a far more interesting way of ...
    Posted Mar 9, 2016, 5:21 PM by Beau Bullock