Nmap Development mailing list archives
Re: Get Outlook Web Access URL - revised and improved
From: Dan <cdcdanielctin () gmail com>
Date: Tue, 25 Oct 2011 14:03:39 +0300
Hello David,
So far this is my understanding: Outlook Web Access is a webmail application. But if someone is already configured to use Microsoft Exchange, they don't necessarily know the OWA URL to do webmail or configure push email.
Outlook Web Access is a webmail service of Microsoft Exchange Server, and indeed the users don't necessarily know the OWA URL. Because I did not find any other program that retrieves the URL, and because Nmap has the ability to detect the SSL encryption protocol and then launch an encrypted session and automatically parallelizes network operations, I've decided it would be a very good candidate for implementing my script.
The OWA application is commonly found at an MX domain plus "/exchange" or "/owa".
It is not at all uncommon for an Exchange admin to configure a hostname for the OWA that is not easily found through normal DNS queries in order to limit possible attacks. Although the URL is trivial information, you can't access the webmail service or configure a push service without it.
I still don't understand what the script is good for. Can you give an example, start to finish, of someone having a problem, running the script, and solving the problem? Include output of the script (you can replace domains with "example.com" or whatever).
An example of usage is when a user with user () example com tries to configure a push email service but the input URL server isn't validated. He tries to guess the URL using the MX, but the MX query returns no hostname (the domain has no MX record). In this case I believe this script will help in finding the OWA URL, and using a simple interface for Nmap, the script can be used as a validation tool.
Is this situation likely to happen to many people?
Although the script was good practice, I did develop it to be used, and it is used by me and my colleagues.

    -- function to perform web crawling using google's search engine
    function search(spath)
      local request = http.get( 'www.google.com', '80', spath )
      for w in string.gfind(request.body, "\<span%s+class\=\"c\"\>%s?(([%w]*)([\.%w-]*)([\.%w]*))") do
        if not (exist(raw_subdomains, w)) then
          table.insert(raw_subdomains, w)
        end
      end
    end

Please remove this feature of searching Google. These kinds of automatic queries can be problematic, and scraping HTML is fragile. Also, for privacy reasons it's not good to send to Google the address of hosts you're scanning.
I've removed the function and all callbacks to it
Something like this would be better done in a dedicated script for finding alternate domain names. (Maybe something like hostmap.nse.) Your OWA script could depend on such a dedicated script.
Tried hostmap.nse, but it retrieves hostnames that resolve to the target's IP address, and it isn't useful to me because an Exchange Server can have a different IP address than the domain name.

    -- in a 301 response case (Moved Permanently)
    -- returns the link referred in the body
    function ref_link(body)
      for link in string.gfind(body, "<a [hH][rR][eE][fF]=\"(.*)\"") do
        return link
      end
    end

Use response.header.location instead. See http-title.nse for an example.
Done. Thank you for your feedback. Daniel.
Attachment:
get-owa.nse
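An added example, not part of the original message or of get-owa.nse, contrasting the body-scraping ref_link() quoted above with reading the Location header as the review suggests. The response table is constructed to mimic the status/header/body shape the thread refers to; redirect_target, its parameters and mail.example.com are assumptions made for illustration.

```lua
-- Constructed 301 response (status, header with lower-case keys, body).
-- Plain Lua; no Nmap library is required to run this.
local response = {
  status = 301,
  header = { location = "/owa/" },
  body   = '<a href="https://mail.example.com/owa/" class="x">here</a>',
}

-- Body scraping as in the quoted ref_link(): the greedy (.*) runs to the
-- last double quote, so trailing attributes become part of the "link".
local function ref_link(body)
  return string.match(body, '<a [hH][rR][eE][fF]="(.*)"')
end

-- Hypothetical helper: take the target from the Location header and
-- resolve the common relative forms against the URL that was requested.
local function redirect_target(resp, scheme, host, path)
  local redirect = { [301] = true, [302] = true, [303] = true, [307] = true }
  local loc = resp.header and resp.header.location
  if not redirect[resp.status] or not loc or loc == "" then
    return nil                                -- not a usable redirect
  end
  if loc:match("^%a[%w+.%-]*://") then
    return loc                                -- absolute URL
  elseif loc:sub(1, 2) == "//" then
    return scheme .. ":" .. loc               -- scheme-relative
  elseif loc:sub(1, 1) == "/" then
    return scheme .. "://" .. host .. loc     -- host-relative
  end
  local dir = path:match("^(.*/)") or "/"     -- relative to request directory
  return scheme .. "://" .. host .. dir .. loc
end

print(ref_link(response.body))
print(redirect_target(response, "https", "mail.example.com", "/exchange"))
```

The header value does not depend on how the server renders its redirect page, which is why it is the more reliable source for the discovered URL.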