Attacking Webmail User Accounts

OWA

Webmail is absolutely everywhere.  I rarely come across a corporate network that doesn’t have Outlook Web Access, Groupwise, or some other variant of webmail listening.  Being able to get at email accounts from the Internet can save employees a lot of time and headache, but using those accounts with weak passwords can result in an even larger headache.  Knowing how the majority of the planet uses email (sending some pretty sensitive data) this creates a large risk for most any company.  I’ll run through a quick list of tools and processes that I use to test the strength of webmail logins.

The first part of any password attack is gathering valid usernames.  For attacks against webmail, this usually means scouring the target’s web sites looking for either specific usernames, or the naming structure for their accounts.  The latter is easy – you can dig through the targets website and collect names of employees, and rewrite them to fit the company’s standard account naming policy(Joe User becomes joe.user, juser, joeuser,  etc).  There are also  some tools that automate the gathering of this information:

  • Metagoofil – Metagoofil will search a particular domain or website, download all the documents from it, and parse the metadata looking for usernames, internal file locations, and lots of other info.  You can get an absolutely incredible amount of information from metadata.

  • FOCA – Much like Metagoofil, but appears to strip out even more information from documents.  This tool recently debuted at Defcon17.

  • theHarvester – This tool also does a good job of utilizing search engines to gather email addresses and usernames.  It searches social networking sites, the PGP key repositories, and uses general search engine tactics as well.

There are many other ways to enumerate usernames from public resources,  but these tools should give a good starting point.  Use them in combination along with some manual searching to create a username list.

Once we have our list of users, we can move on to creating a password list.  There are many ways to construct a valid password list for a specific target.  I like to start by grabbing the DPL (Default Password List) and stripping out any vendor specific stuff.  Ill then add in the old favorites such as all the variations on Password1.  Then, ill start looking for some more specific words.  Ill do some research on the target, and include things like the business name, local sports teams, addresses and universities.  Ill then use a application like John the Ripper to run permutations on the list we just created.  John lets you specify custom permutations rules, and can take the word ‘redspin’ and output redspin, Redspin, red-spin, redspin1, Red-spin1, etc.

Now that we have some valid usernames and a relevant password list, we can move into the attack.  There are few tools to help automate password attacks against webmail login pages, but the few that exist are quite handy:

  • OWABF – Outlook Web Access Brute Force.  A nice script that automates attacks against Outlook Web Access.

  • WMAT – Web Mail Auth Tool.  A tool that supports multiple ‘patterns’ for setting up attacks against different webmail services.  It currently includes patterns for horde, hordeIMP, kerio, mdaemon and squirrelmail.  The structure is pretty easy to write new patterns for if you need to test a unique login page.

That’s all there is to it.  We have collected valid usernames from the target, created some customized password lists, and have listed some tools you can use to tie it all together.  One thing to keep in mind is the use of lockout policies.  The last thing you want to do it lock out a bunch of live email accounts, so unless you know the lockout threshold (if there is one), you might want to limit the password guesses per account to something sane.

$ python owabf.py -s https://webmail.example.com -u userlist -p top100.pass
***********************************
***    OWA Brute Forcer    ***
***    OWABF v 1.3        ***
***    Dejan Levaja        ***
***    http://www.netsec.rs    ***
***    dejan.levaja@netsec.rs    ***
***********************************
Outlook Web Access Brute Forcer
Login unsuccessful
joe.user     654321
Login unsuccessful
joe.user     abc12345
Login unsuccessful
joe.user     123456
Login unsuccessful
joe.user     Password?
Login unsuccessful
joe.user     password
Login unsuccessful
joe.user     welcome1
Login unsuccessful
joe.user     Password1
Login unsuccessful
joe.user     Mailbox1
...
Posted on by Nathan Drier Posted in Redspin Labs | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>