2018-11-30 11:36:39 -06:00
|
|
|
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
|
|
|
|
|
This module leverages all known, and even some lesser-known services exposed by default
|
|
|
|
|
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
|
|
|
|
|
|
2018-12-03 10:25:21 -06:00
|
|
|
- Error-based user enumeration for on premise Exchange services
|
2018-11-30 11:36:39 -06:00
|
|
|
|
|
|
|
|
**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed
|
|
|
|
|
|
2020-01-16 10:41:12 -05:00
|
|
|
## Verification Steps
|
2018-11-30 11:36:39 -06:00
|
|
|
|
|
|
|
|
- Start `msfconsole`
|
2018-12-03 10:25:21 -06:00
|
|
|
- `use auxiliary/scanner/msmail/onprem_enum`
|
2018-11-30 11:36:39 -06:00
|
|
|
- `set RHOSTS <target>`
|
2018-12-03 10:25:21 -06:00
|
|
|
- `set (`USER` or `USER_FILE`)
|
2018-11-30 11:36:39 -06:00
|
|
|
- `run`
|
2018-11-30 13:18:02 -06:00
|
|
|
- `creds`
|
|
|
|
|
|
|
|
|
|
*Results should look something like below if valid users were found:*
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
host origin service public private realm private_type
|
|
|
|
|
---- ------ ------- ------ ------- ----- ------------
|
|
|
|
|
10.1.1.1 10.1.1.1 443/tcp (owa)
|
|
|
|
|
10.1.1.1 10.1.1.1 443/tcp (owa) chris
|
|
|
|
|
```
|
