During a recent pentest I stumbled across an on-premise Exchange server. The server itself had no vulnerabilities and was running the latest patch. So I thought about other attack vectors and remembered that I had read about time-based user enumeration against OWA (Outlook Web App) in the past. The client's installation had OWA exposed to the internet, so I began to gather info about the specific vulnerability.

User enumeration can be performed against OWA because of the way it processes a login request. A request containing a valid username gets a noticeably faster response than a request with an invalid username. Because of this behaviour it is possible to gather internal usernames of any company that exposes Microsoft's OWA to the internet. Even worse, OWA is not the only service vulnerable to this kind of attack; Microsoft's EWS and Lync are affected as well.

After gathering the info I needed, I started to build a list of usernames.
First I used known OSINT techniques to gather the first and last names of valid employees.
Next I used a tool called username-anarchy to create a list of possible usernames based on the employees' names.

./username-anarchy <firstname> <lastname>  >> /tmp/userlist
./username-anarchy <lastname> <firstname>  >> /tmp/userlist

I will use this list to determine the naming scheme used by the target company.

To perform the user enumeration attack I will use a tool called msmailprobe. The tool supports two modes:

  • identify
  • userenum

First I will use the identify mode to determine if the target is vulnerable.

go run msmailprobe.go identify -t <TARGET>

The output will show us the internally used domain and also the vulnerable endpoints (EWS, OWA, ActiveSync, …).
After the successful use of the identify mode, we are able to perform the user enumeration against the target.

For that we will use the list we made earlier and the userenum mode of msmailprobe.

go run msmailprobe.go userenum --onprem -t <TARGET> -U userlist.txt -o outputOfValidUsers.txt --threads 25

Our output file “outputOfValidUsers.txt” will hold the valid usernames. Ideally the list will only contain users that follow the same naming scheme; if so, we can build a bigger list based on that scheme and enumerate more users.

The next step would be to perform a password spraying attack against the found users.
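From the defender's side, the footprint of this enumeration is one source address cycling through many distinct usernames against the OWA, EWS or ActiveSync endpoints in a short window. As an added example that is not part of the original post, the following Python script flags that pattern in IIS logs; it assumes a simplified W3C field layout in which failed attempts are logged with status 401 and the attempted username in cs-username, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Exchange endpoints that accept credentials (the ones msmailprobe's identify mode reports)
AUTH_ENDPOINTS = ("/owa/auth.owa", "/ews/exchange.asmx",
                  "/microsoft-server-activesync", "/autodiscover/autodiscover.xml")

# Assumed #Fields layout: date time cs-method cs-uri-stem cs-username c-ip sc-status
def parse_line(line):
    """Return a record for a failed (401) auth attempt against a mail endpoint, else None."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time_, _method, uri, user, client, status = parts
    if uri.lower() not in AUTH_ENDPOINTS or user == "-" or status != "401":
        return None
    return {"ts": datetime.fromisoformat(f"{date}T{time_}"),
            "user": user.lower(), "client": client}

def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=10):
    """Map client IP -> peak number of distinct usernames it tried within one window."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_client[rec["client"]].append(rec)
    alerts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):            # sliding window over sorted attempts
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_distinct:
                alerts[client] = max(len(users), alerts.get(client, 0))
    return alerts

# Constructed sample: 203.0.113.5 walks a username list; 198.51.100.7 is one user mistyping
SAMPLE_LOG = ["#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status"] + [
    f"2024-05-01 10:00:{i:02d} POST /owa/auth.owa contoso\\user{i:02d} 203.0.113.5 401"
    for i in range(12)
] + [
    f"2024-05-01 10:01:{i:02d} POST /ews/exchange.asmx contoso\\jsmith 198.51.100.7 401"
    for i in range(3)
]

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {count} distinct usernames in 5 min")
```

The same grouping also surfaces the password spraying that follows enumeration, where one source tries few passwords against many of the discovered users.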

-JP