Advice on succeeding with Invoke-DomainHarvestOWA? #52

Open
7MinSec opened this issue Jul 14, 2017 · 8 comments
Comments


7MinSec commented Jul 14, 2017

Hey Beau,

Finally got a chance to use MailSniper on an engagement this week, and tried out the Invoke-DomainHarvest module with a list of about 8 domain names I thought would be possibly valid for the customer's environment. The module returned no valid domains, but later the customer confirmed that the valid domain was indeed one in my "guess" list. Are you aware of any tuning/protections/patches/etc. that could be in place that would prevent MailSniper from identifying the valid domain through timing?

Also, I went one step further and tried the Invoke-UsernameHarvestOWA with a valid user (as well as a bunch of invalid users in the same file) and it was not identified as valid.

Thanks!
Brian / @7MinSec

@dafthack (Owner) commented:

Hey Brian! Thanks for the note. I have heard some mixed results with that module. I modified it so it should just get the domain from a response header. If you just run Invoke-DomainHarvestOWA -ExchHostname mail.whatever.com it will try that method first. Let me know if that part isn't working for the server you are hitting as well. Do you happen to know what version of Exchange the server is running?

-Beau


7MinSec commented Jul 20, 2017

Hey there,

Ok so I found out it's an Exchange 2010 box (no specific version info known, but I can get that if it would be helpful).

I had been running Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com -DomainList domains.txt -OutFile out.file. The domains.txt has about 5 bogus domain names but also the correct domain name, but MailSniper reports 0 valid domains.

Per your note above, it sounds like you wanted me to run just Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com, which I did, but it asks for either a DomainList or CompanyName to complete. I tried providing one - as well as both - but the end result was the same.

Brian


7MinSec commented Jul 20, 2017

Oh sorry, maybe you were saying you made changes and that I should pull latest version? I was just going to send you a ping that the tool says ...provide either a DomainList or a *ComapnyName*... but that spelling has been fixed to CompanyName, so I'm thinking I don't have the latest version. Let me know what info I can provide.

@dafthack (Owner) commented:

Yeah it's been updated to have different functionality. Go grab the latest and try with just "Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com". It should try to automatically grab the domain from an http header returned from the server.
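
As an added example of the header-based method described above (this is not MailSniper's code, and the page does not show how MailSniper itself does it): one way an OWA/Exchange front end reveals the internal domain without any timing is through the NTLM challenge it returns in `WWW-Authenticate` once a client sends an NTLM Type 1 (NEGOTIATE) message. The Type 2 (CHALLENGE) message carries a TargetName plus an AV_PAIR list with the NetBIOS and DNS domain/computer names. The parser below is written against the public [MS-NLMP] layout; the endpoint it assumes (`/autodiscover/autodiscover.xml` with an `Authorization: NTLM <type1>` header), the sample challenge and the names in it (`SOMEDOMAIN`, `INTERNAL-SERVERNAME`, `somedomain.local`) are all constructed for the example, and the HTTP request itself is left to the reader so the block runs offline.

```python
"""Recover the internal AD domain from an NTLM CHALLENGE_MESSAGE carried in a
WWW-Authenticate header. Constructed example; not MailSniper's own code."""
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids from [MS-NLMP]; only the name-bearing ones are decoded here.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}


def build_type1():
    """Minimal NEGOTIATE_MESSAGE (32 bytes) a client sends to provoke a challenge.
    Send it as:  Authorization: NTLM <base64(build_type1())>  (assumed endpoint:
    /autodiscover/autodiscover.xml; any NTLM-enabled virtual directory works)."""
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
    # Domain and workstation fields are zero-length (8 bytes each).
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


def parse_type2(blob):
    """Decode a CHALLENGE_MESSAGE into its TargetName and named AV_PAIR values."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type 2)")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags, = struct.unpack_from("<I", blob, 20)                # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    info = {"TargetName": blob[tn_off:tn_off + tn_len].decode(enc)}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:            # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:     # AV_PAIR strings are always UTF-16LE
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return info


def domain_from_www_authenticate(header_value):
    """Return parsed challenge data, or None when the header carries no NTLM token
    (a bare 'NTLM' or 'Negotiate' means the server is only advertising schemes)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    return parse_type2(base64.b64decode(token))


def build_type2(target_name, av_pairs):
    """Fabricate a CHALLENGE_MESSAGE so the parser can be exercised offline.
    A real server produces this; it is a test fixture, nothing more."""
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le")))
                  + v.encode("utf-16-le") for i, v in av_pairs)
    ti += struct.pack("<HH", 0, 0)                             # MsvAvEOL
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_TARGET_TYPE_DOMAIN | NTLMSSP_NEGOTIATE_TARGET_INFO)
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(tn), len(tn), 56)           # TargetName after 56-byte header
    hdr += struct.pack("<I", flags)
    hdr += b"\x11" * 8                                         # ServerChallenge (arbitrary here)
    hdr += b"\x00" * 8                                         # Reserved
    hdr += struct.pack("<HHI", len(ti), len(ti), 56 + len(tn))
    hdr += b"\x00" * 8                                         # Version
    return hdr + tn + ti


# Constructed header resembling what a lab Exchange front end might return.
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_type2("SOMEDOMAIN", [
    (2, "SOMEDOMAIN"), (1, "INTERNAL-SERVERNAME"),
    (4, "somedomain.local"), (3, "INTERNAL-SERVERNAME.somedomain.local"),
    (5, "somedomain.local"),
])).decode()

if __name__ == "__main__":
    for k, v in domain_from_www_authenticate(SAMPLE_HEADER).items():
        print(f"{k:16} {v}")
```

Two things worth noting when using this against the thread's situation: the string Brian got back (`*INTERNAL-SERVERNAME.somedomain.local`) has the shape of a DnsComputerName value, not a domain, so if a tool reports only one field it is worth pulling the whole AV_PAIR list yourself; and for the `-Domain` argument of a `DOMAIN\user` logon the NetBIOS name (NbDomainName, `SOMEDOMAIN` above) is the form to try alongside the DNS name.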


7MinSec commented Aug 4, 2017

Hiya Beau,

Happy Friday. Pardon the delay, but I did try running the latest MailSniper and what got returned was:

The domain appears to be: *INTERNAL-SERVERNAME.somedomain.local

I then tried:

Invoke-UsernameHarvestOWA -ExchHostname owa.customer.com -UserList .\users.txt -Domain somedomain.local

Also tried the same thing but with Domain somedomain

Still, even with legit users in my users.txt MailSniper didn't say I had a winner.

I'm actually done with this current project but could certainly test other things if you want. And I've got some new assessments coming in the next week and will try MailSniper there as well.

Thanks!
Brian

@techspence commented:

Piggybacking on this issue. I seem to be experiencing the same response time issue in my test lab. All usernames, regardless of whether they are "real" or not, are receiving the same response time back from OWA.

  • Usernames are combination of known valid and made up
  • Domain is known valid
  • Tested in both VMware and VirtualBox environments

Response Times for Case 1
Baseline Response: 207.6
Average Time: 207.6
Threshold: 124.56

Typical response for this case was between 202 to 219 ms

Response Times for Case 2
Baseline Response: 5
Average Time: 5
Threshold: 3

Typical response for this case was between 5-21 ms

Using command:
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -Domain THEDOMAIN -UserList .\userlist.txt -OutFile test.txt -verbose -debug

Using -debug and -verbose I was able to see the following output
VERBOSE: POST https://mail.domain.com/owa/auth.owa with -1-byte payload
VERBOSE: received 0-byte response of content type
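
The figures in the comment above fit a simple rule, Threshold = 0.6 x Baseline (207.6 -> 124.56, 5 -> 3), with a username counted as a hit when its response comes back faster than the threshold; that direction is an assumption here, but it is the only one consistent with every name being measured at the baseline and none being reported. The block below is an added example, not MailSniper's code, that reproduces that classification on constructed samples shaped like the two lab cases, and adds the two checks a tester wants before trusting (or blaming) the tool: whether the jitter of known-invalid names stays clear of the threshold, and, when a known-valid account is available as in a lab, whether the server separates valid from invalid at all. The sample timings, usernames and the "leaky" server are all made up for the example.

```python
"""Timing-based username classification for OWA-style probes, with sanity checks.
Added example; constructed data. Not MailSniper's own implementation."""
import statistics

# Threshold = 0.6 x Baseline reproduces the figures reported above.
# Assumption: this is the factor the tool applies.
THRESHOLD_FACTOR = 0.6

# Constructed response times in ms, shaped like the two lab cases above.
CASE1_SEED = [207.6, 202.0, 219.0, 205.1, 204.3]   # random (certainly invalid) names
CASE1_USERS = {                                    # candidate names, 3 probes each
    "valid.user": [206.0, 210.2, 203.9],
    "bogus.one": [208.4, 202.7, 215.0],
    "bogus.two": [211.3, 204.8, 207.0],
}
CASE2_SEED = [5.0, 3.5, 8.0, 5.0, 3.5]             # very fast box with 5-21 ms jitter
# Hypothetical server that does leak: valid users answer roughly 3x faster.
LEAKY_USERS = {
    "valid.user": [61.0, 58.2, 70.4],
    "bogus.one": [209.0, 203.3, 211.8],
}


def compute_baseline(seed_samples):
    """Baseline = mean response time for names known to be invalid."""
    return statistics.mean(seed_samples)


def per_user_median(samples_by_user):
    """Collapse repeated probes to one median per name; a single slow or fast
    packet then cannot flip a verdict on its own."""
    return {u: statistics.median(ts) for u, ts in samples_by_user.items()}


def classify(samples_by_user, seed_samples, factor=THRESHOLD_FACTOR):
    """Flag names whose median response is faster than factor x baseline."""
    baseline = compute_baseline(seed_samples)
    threshold = baseline * factor
    medians = per_user_median(samples_by_user)
    hits = sorted(u for u, m in medians.items() if m < threshold)
    return {"baseline": baseline, "threshold": threshold, "hits": hits}


def noise_stays_above_threshold(seed_samples, factor=THRESHOLD_FACTOR):
    """True when jitter among invalid names cannot reach the threshold: the
    slowest-to-fastest spread must be smaller than the baseline-to-threshold gap.
    On a 5 ms baseline with a 3 ms threshold (Case 2) this fails, so any verdict
    from that box is noise either way."""
    baseline = compute_baseline(seed_samples)
    threshold = baseline * factor
    spread = max(seed_samples) - min(seed_samples)
    return min(seed_samples) > threshold and spread < (baseline - threshold)


def server_leaks_timing(known_valid_samples, seed_samples, factor=THRESHOLD_FACTOR):
    """Lab check: with one account you know is valid, does its median response
    fall below the threshold at all? If not, no user list will produce hits."""
    ratio = statistics.median(known_valid_samples) / compute_baseline(seed_samples)
    return ratio < factor


if __name__ == "__main__":
    for label, users, seed in (("case 1", CASE1_USERS, CASE1_SEED),
                               ("leaky", LEAKY_USERS, CASE1_SEED)):
        r = classify(users, seed)
        print(f"{label}: baseline={r['baseline']:.1f} threshold={r['threshold']:.2f} hits={r['hits']}")
    print("case 1 noise ok:", noise_stays_above_threshold(CASE1_SEED))
    print("case 2 noise ok:", noise_stays_above_threshold(CASE2_SEED))
    print("case 1 leaks:", server_leaks_timing(CASE1_USERS["valid.user"], CASE1_SEED))
```

Run against the Case 1 shape the classifier returns no hits and `server_leaks_timing` is false even though the user list contains a valid account, which is the situation reported in this thread: the server simply answers every logon attempt in the same time, and no amount of retuning the threshold changes that. Case 2 fails the noise check instead, so its result says nothing about the server at all.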

@leebaird added the bug label Mar 4, 2021
@0x62797465 commented:

For anyone still experiencing this, try this method instead: https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
It may be more reliable


7MinSec commented Jan 23, 2023

Thanks @Boberttt!
