September 5, 2019
Red Team ActiveSync, EWS, MailSniper, OWA, Password Spraying, Ruler
Outlook Web Access (OWA) portals are typically externally facing so that users can reach their email from the Internet. This gives threat actors the opportunity to try a single common password against a valid list of usernames (password spraying) in order to gain initial access to a user's inbox. The technique avoids locking out accounts, since each password is attempted only once per account.
In some cases Outlook Web Access portals are protected by 2-factor authentication. However, Microsoft Exchange installations expose two more services: ActiveSync and Exchange Web Services (EWS). ActiveSync synchronises data between mobile devices and Exchange mailboxes. Exchange Web Services is an API that allows programmers to access Microsoft Exchange items such as emails, calendars and contacts. Both services are enabled by default whether or not they are used, and in the majority of cases they are not protected by 2-factor authentication in the way OWA portals are.
MailSniper is a PowerShell script developed by Beau Bullock to interact with mailboxes and perform various operations. It also supports password spraying against the OWA, EWS and ActiveSync services. The following commands demonstrate how to conduct password spraying with MailSniper against each of the three services.
Invoke-PasswordSprayOWA -ExchHostname exchange.pentestlab.local -UserList .\users.txt -Password Password123
Invoke-PasswordSprayEAS -ExchHostname exchange.pentestlab.local -UserList .\users.txt -Password Password123
Invoke-PasswordSprayEWS -ExchHostname exchange.pentestlab.local -UserList .\users.txt -Password Password123
Ruler, a tool developed in Go by SensePost, is cross-platform and can therefore be used to perform password spraying from Linux, Windows or macOS.
./ruler-linux64 -domain pentestlab.local --insecure brute --userpass userpass.txt -v
The Metasploit Framework contains two modules which can be used to perform password spraying against Outlook Web Access portals and Exchange Web Services. The following module targets OWA.
auxiliary/scanner/http/owa_login
The following module can be used for EWS.
auxiliary/scanner/http/owa_ews_login
Accessing the inbox of a user can lead to full domain compromise, as described in this cyber threat scenario. Therefore 2-factor authentication should be enabled across all Exchange services (OWA, EWS and ActiveSync) to prevent password spraying.
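Since the spraying tools above all produce the same footprint (one source address, one password, many distinct usernames, many 401s against the Exchange front-end paths), a defender can look for exactly that in the web server logs. The following is an added example, not code from the original post or from any of the tools mentioned; the log format is a constructed, simplified subset of the IIS W3C fields (date, time, client IP, URI stem, username, status), and the window and threshold are assumptions to tune per environment.

```python
# Password-spray detection for Exchange front ends (constructed example).
# A spray tries one password against many accounts, so the signature is one
# source IP producing 401s for many distinct usernames in a short window.
from collections import defaultdict
from datetime import datetime, timedelta
# Exchange virtual directories mapped to the service they expose (lower-cased).
SERVICES = {"/owa/auth.owa": "OWA", "/ews/exchange.asmx": "EWS",
            "/microsoft-server-activesync": "ActiveSync"}

def parse_line(line):
    """Parse a simplified IIS-style record: date time c-ip uri cs-username sc-status."""
    date, time, c_ip, uri, user, status = line.split()
    service = SERVICES.get(uri.lower())
    if service is None:  # not an Exchange authentication endpoint, ignore
        return None
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": c_ip, "service": service, "user": user.lower(), "status": int(status)}

def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Alert per (ip, service) whose 401s cover >= min_users distinct accounts in any window."""
    failures = defaultdict(list)  # (ip, service) -> [(ts, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[(rec["ip"], rec["service"])].append((rec["ts"], rec["user"]))
    alerts = []
    for (ip, service), events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over time-sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in events[start:end + 1]}))
        if peak >= min_users:
            alerts.append({"ip": ip, "service": service, "distinct_users": peak})
    return alerts

# Constructed sample: one IP sprays EWS across six accounts; a legitimate user
# from another IP mistypes their own password twice and then logs in (no alert).
SAMPLE_LOG = [
    "2019-09-05 10:00:01 203.0.113.7 /EWS/Exchange.asmx alice 401",
    "2019-09-05 10:00:03 203.0.113.7 /EWS/Exchange.asmx bob 401",
    "2019-09-05 10:00:05 203.0.113.7 /EWS/Exchange.asmx carol 401",
    "2019-09-05 10:00:07 203.0.113.7 /EWS/Exchange.asmx dave 401",
    "2019-09-05 10:00:09 203.0.113.7 /EWS/Exchange.asmx erin 401",
    "2019-09-05 10:00:11 203.0.113.7 /EWS/Exchange.asmx frank 401",
    "2019-09-05 10:02:00 198.51.100.9 /owa/auth.owa frank 401",
    "2019-09-05 10:02:20 198.51.100.9 /owa/auth.owa frank 401",
    "2019-09-05 10:02:40 198.51.100.9 /owa/auth.owa frank 200",
]
```

Keying on distinct usernames rather than raw failure counts is what separates a spray from a single user who forgot their password, and grouping by service shows when EWS or ActiveSync is being targeted while OWA itself sits behind 2-factor authentication.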