SV: OWA configurations

["Bo Voigt" <bov () rfcdata dk>]

Note the following:

When Exchange is installed at a Domain Controller or on a Small Business
server. The doman\name is not necessary.

//Bo

-----Oprindelig meddelelse-----
Fra: Rogan Dawes [mailto:discard () dawes za net] 
Sendt: 11. marts 2006 16:39
Til: pen-test () lists securityfocus com
Emne: Re: OWA configurations

arian.evans wrote:

> The form of authentication is NTLM over HTTP. Integrated Windows 
> Authentication uses Kerberos where possible (e.g.
> --if meets client dependencies like >= IE 5.5, W2K, etc.) and where not

> prompts with a basic auth type box.
>
> You can submit only 'domain\user' and 'password'. In AD domains you can

> often use 'user () domain tld' as well for the username (in addition to 
> the password). I do not recall ever having to submit domain-field 
> exclusively.
>
> You are correct, this is a result of server-side configurations done to

> IIS to enable 'integrated auth'.
> It has been called "integrated authentication" for quite some time...at

> least prior to IIS 4 IIRC.
>
> You should be able to brute this just fine with Brutus, Hydra, look at 
> Cain & Able as well, but you will have to prepend 'domain\' to your 
> username dictionary entries.
>
> For more, google for Amit Klein's papers on NTLM over HTTP and his 
> papers will also link to some of the work at decomposing the 
> specification for NTLM.
>
> -ae
>
>  

For what it is worth, the current (source only) version of WebScarab
available on my personal website can do NTLM authentication, as well as
scripting arbitrary multi-threaded requests using the Scripted plugin.

Combining these two features, you can implement your own brute force
scripts. The key to brute forcing NTLM using WebScarab is to know that
if you specify a Authorization header of "NTLM
base64(domain\user:password)", WebScarab will automatically decompose
that and use those credentials in an NTLM handshake before sending the
request.

Rogan

> > -----Original Message-----
> > From: Justin Dearing [mailto:justind () invision net]
> > Sent: Friday, March 10, 2006 9:42 AM
> > To: pen-test () lists securityfocus com
> > Subject: RE: OWA configurations
> >
> > This form of authentication is a Microsoft proprietary extension to 
> > http that apparently uses some kind of challenge response it was 
> > called NTML but in IIS 6 was rebranded Integrated Windows 
> > Authentication.
> >
> > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003
> > /Library/I
> > IS/523ae943-5e6a-4200-9103-9808baa00157.mspx
> >
> > The previous technote provides some information. It does not go into 
> > protocol implementation details but will give you a bit more info to 
> > know what to ask google.
> >
> > As to how to brute force test it, I would recommend getting a bute 
> > forcer that supports that protocol.
> >
> >
> > -----Original Message-----
> > From: Bryan Miller [mailto:BMiller () sycomtech com]
> > Sent: Friday, March 10, 2006 9:30 AM
> > To: pen-test () lists securityfocus com
> > Subject: OWA configurations
> >
> > In doing pen tests against various configurations of OWA, I have seen 
> > two major flavors.  One, you receive the standard authentication 
> > request for a username and password.  In those cases if you have a 
> > specific domain you can prepend it to the domain name.  Other times 
> > you see the request for a username, password and domain name as three 
> > separate inputs.  In the second case can I prepend the domain name to 
> > the login name, or am I required to enter all 3 pieces of information 
> > separately?
> >
> >
> > Am I correct in assuming that the choice of which form of 
> > authentication you receive is set by the administrator?  If I have to 
> > enter all 3 pieces of information separately, does anyone know of a 
> > tool to do this?
> > Brutus/Hydra....tried both and neither has the option of specifying 
> > the domain name as part of the brute force attempt.
> >
> > --------------------------------------------------------------
> > ----------
> > ------
> > This List Sponsored by: Cenzic
> >
> > Concerned about Web Application Security? 
> > As attacks through web applications continue to rise, you need to 
> > proactively protect your applications from hackers. Cenzic has the 
> > most comprehensive solutions to meet your application security 
> > penetration testing and vulnerability management needs. You have an 
> > option to go with a managed service (Cenzic ClickToSecure) or an 
> > enterprise software (Cenzic Hailstorm).
> > Download FREE whitepaper on how a managed service can help you: 
> > http://www.cenzic.com/news_events/wpappsec.php
> > And, now for a limited time we can do a FREE audit for you to confirm 
> > your results from other product. Contact us at request () cenzic com
> > --------------------------------------------------------------
> > ----------
> > ------
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > This List Sponsored by: Cenzic
> >
> > Concerned about Web Application Security? 
> > As attacks through web applications continue to rise, you need to 
> > proactively protect your applications from hackers. Cenzic has the 
> > most comprehensive solutions to meet your application security 
> > penetration testing and vulnerability management needs. You have an 
> > option to go with a managed service (Cenzic ClickToSecure) or an 
> > enterprise software (Cenzic Hailstorm).
> > Download FREE whitepaper on how a managed service can help you: 
> > http://www.cenzic.com/news_events/wpappsec.php
> > And, now for a limited time we can do a FREE audit for you to confirm 
> > your results from other product. Contact us at request () cenzic com
> > --------------------------------------------------------------
> > ----------------
> >    
>
>
> -----------------------------------------------------------------------
> -------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security? 
> As attacks through web applications continue to rise, you need to 
> proactively protect your applications from hackers. Cenzic has the most

> comprehensive solutions to meet your application security penetration 
> testing and vulnerability management needs. You have an option to go 
> with a managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm).
> Download FREE whitepaper on how a managed service can help you: 
> http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm 
> your results from other product. Contact us at request () cenzic com
> -----------------------------------------------------------------------
> -------
>
>  


------------------------------------------------------------------------
------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you need to
proactively protect your applications from hackers. Cenzic has the most
comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go
with a managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------
------


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------