MailSniper
Advice on succeeding with Invoke-DomainHarvestOWA?
Hey Beau,
Finally got a chance to use MailSniper on an engagement this week, and tried out the Invoke-DomainHarvest module with a list of about 8 domain names I thought would be possibly valid for the customer's environment. The module returned no valid domains, but later the customer confirmed that the valid domain was indeed one in my "guess" list. Are you aware of any tuning/protections/patches/etc. that could be in place from preventing MailSniper from identifying the valid domain through timing?
Also, I went one step further and tried the Invoke-UsernameHarvestOWA with a valid user (as well as a bunch of invalid users in the same file) and it was not identified as valid.
Thanks! Brian / @7MinSec
Hey Brian! Thanks for the note. I have heard some mixed results with that module. I modified it so it should just get the domain from a response header. If you just run Invoke-DomainHarvestOWA -ExchHostname mail.whatever.com it will try that method first. Let me know if that part isn't working for the server you are hitting as well. Do you happen to know what version of Exchange the server is running?
-Beau
Hey there,
Ok so I found out it's an Exchange 2010 box (no specific version info known, but I can get that if it would be helpful).
I had been running Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com -DomainList domains.txt -OutFile out.file. The domains.txt has about 5 bogus domain names but also the correct domain name, but MailSniper reports 0 valid domains.
Per your note above, it sounds like you wanted me to run just Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com which I did, but it asks for either a DomainList or CompanyName to complete. I tried providing one - as well as both - but the end result was the same.
Brian
Oh sorry, maybe you were saying you made changes and that I should pull latest version? I was just going to send you a ping that the tool says ...provide either a DomainList or a *ComapnyName*... but that spelling has been fixed to CompanyName, so I'm thinking I don't have the latest version. Let me know what info I can provide.
Yeah it's been updated to have different functionality. Go grab the latest and try with just "Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com". It should try to automatically grab the domain from an http header returned from the server.
Hiya Beau,
Happy Friday. Pardon the delay, but I did try running the latest MailSniper and what got returned was:
The domain appears to be: *INTERNAL-SERVERNAME.somedomain.local
I then tried:
Invoke-UsernameHarvestOWA -ExchHostname owa.customer.com -UserList .\users.txt -Domain somedomain.local
Also tried the same thing but with -Domain somedomain
Still, even with legit users in my users.txt MailSniper didn't say I had a winner.
I'm actually done with this current project but could certainly test other things if you want. And I've got some new assessments coming in the next week and will try MailSniper there as well.
Thanks! Brian
Piggybacking on this issue. I seem to be experiencing the same response time issue in my test lab. All usernames, regardless of whether they are "real" or not, are receiving the same response time back from OWA.
- Usernames are combination of known valid and made up
- Domain is known valid
- Tested in both VMware and VirtualBox environments
Response Times for Case 1: Baseline Response: 207.6 Average Time: 207.6 Threshold: 124.56
Typical response for this case was between 202 to 219 ms
Response Times for Case 2: Baseline Response: 5 Average Time: 5 Threshold: 3
Typical response for this case was between 5-21 ms
Using command
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -Domain THEDOMAIN -UserList .\userlist.txt -OutFile test.txt -verbose -debug
Using -debug and -verbose I was able to see the following output
VERBOSE: POST https://mail.domain.com/owa/auth.owa with -1-byte payload
VERBOSE: received 0-byte response of content type
For anyone still experiencing this, try this method instead: https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/ It may be more reliable.
Thanks @Boberttt !