Nmap Development mailing list archives

Re: Get Outlook Web Access URL - revised and improved


From: David Fifield <david () bamsoftware com>
Date: Sat, 15 Oct 2011 21:57:48 -0700

On Fri, Oct 14, 2011 at 01:44:56PM +0300, Dan wrote:
> Hello everybody,
>
> It's been a while since my first version of this script but now I'm
> back with a new version.
> In this version I've fixed some bugs for 302 or 301 HTTP response
> codes and added a function that will check the page redirected to and
> validates a typical OWA login page.
> I've added to the script a web crawler that retrieves the subdomains
> using Google's search engine [1], bringing to a total of four different
> mechanisms for searching the URL, and also I've optimized the code and
> documentation too.
>
> Microsoft Outlook Web Access is the most adopted solution for
> accessing corporate web mail (wherever MS Exchange is the mail server);
> thus the script was created because I needed a validation/retrieval
> tool for the URL, information that for example is a must when
> configuring a push e-mail service, and although this information can be
> considered to be trivial, few users know it. Once retrieved, the URL
> can provide information about the configuration of the Outlook Web
> Access, to be more exact if it is behind an Internet Security and
> Acceleration Server.
>
> Thus, please run the script and send me your feedback.

Thanks for keeping up work on this script.

I still don't understand what the script is good for. Can you give an
example, start to finish, of someone having a problem, running the
script, and solving the problem? Include output of the script (you can
replace domains with "example.com" or whatever). Is this situation
likely to happen to many people?

So far this is my understanding: Outlook Web Access is a webmail
application. But if someone is already configured to use Microsoft
Exchange, they don't necessarily know the OWA URL to do webmail or
configure push email. The OWA application is commonly found at an MX
domain plus "/exchange" or "/owa".

> -- function to perform web crawling using Google's search engine
> function search(spath)
>   local request = http.get('www.google.com', '80', spath)
>   -- a failed request leaves body nil; skip it instead of erroring out
>   if not (request and request.body) then return end
>   -- string.gfind is the pre-5.1 name; NSE's Lua provides string.gmatch.
>   -- The backslashes before <, = and > were unnecessary and are dropped.
>   for w in string.gmatch(request.body, "<span%s+class=\"c\">%s?(([%w]*)([%.%w-]*)([%.%w]*))") do
>     -- record each host name fragment only once
>     if not exist(raw_subdomains, w) then
>       table.insert(raw_subdomains, w)
>     end
>   end
> end

Please remove this feature of searching Google. These kinds of automatic
queries can be problematic, and scraping HTML is fragile. Also, for
privacy reasons it's not good to send to Google the address of hosts
you're scanning.

Something like this would be better done in a dedicated script for
finding alternate domain names. (Maybe something like hostmap.nse.) Your
OWA script could depend on such a dedicated script.

> -- in a 301 response case (Moved Permanently)
> -- returns the first link referred to in the body
> function ref_link(body)
>   if not body then return nil end
>   -- [^"]* stops at the closing quote; the greedy .* ran on to the last quote in the body
>   for link in string.gmatch(body, "<a [hH][rR][eE][fF]=\"([^\"]*)\"") do
>     return link
>   end
> end

Use response.header.location instead. See http-title.nse for an example.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
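The redirect handling the reply asks for, as an added Python example that is not part of this thread or of the script under review: it resolves 301/302 responses through the Location header (relative or absolute, any header-name case) instead of scraping an href from the body, caps the number of hops so a redirect loop fails cleanly, and builds the candidate URLs from a mail domain plus /exchange or /owa as described above. The fetch function and the sample responses are constructed stand-ins for a live server.

```python
from urllib.parse import urljoin

# Paths where OWA is commonly published, as described in the thread.
OWA_PATHS = ("/exchange", "/owa")

def candidate_urls(mx_domain):
    """URLs a checker would probe for a given mail domain."""
    return ["https://%s%s" % (mx_domain, p) for p in OWA_PATHS]

def redirect_target(url, response):
    """Absolute target of a 301/302 via the Location header, or None. Reads the
    header, as the reply recommends, instead of scraping <a href> from the body."""
    if response["status"] not in (301, 302):
        return None
    # Header names are case-insensitive, so normalise before the lookup.
    location = next((v for k, v in response["headers"].items()
                     if k.lower() == "location"), None)
    # urljoin resolves a relative Location against the request URL.
    return urljoin(url, location) if location else None

def follow(url, fetch, max_hops=5):
    """Follow Location redirects to a non-redirect response. fetch(url) returns
    {"status", "headers", "body"}. Gives (None, None) on a loop or hop limit."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return None, None
        seen.add(url)
        response = fetch(url)
        nxt = redirect_target(url, response)
        if nxt is None:
            return url, response
        url = nxt
    return None, None

# Constructed sample responses standing in for a live server (not real data).
SAMPLE = {
    "https://mail.example.com/exchange":
        {"status": 301, "headers": {"Location": "/owa/"}, "body": ""},
    "https://mail.example.com/owa/":
        {"status": 302, "headers": {"location": "https://mail.example.com/owa/login"}, "body": ""},
    "https://mail.example.com/owa/login":
        {"status": 200, "headers": {"Content-Type": "text/html"}, "body": "<html>login form</html>"},
    "https://loop.example.com/owa":
        {"status": 302, "headers": {"Location": "/owa"}, "body": ""},
}

def sample_fetch(url):
    """Stand-in for an HTTP client; unknown URLs get a 404."""
    return SAMPLE.get(url, {"status": 404, "headers": {}, "body": ""})
```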