SV: OWA configurations



Note the following:

When Exchange is installed at a Domain Controller or on a Small Business
server, the domain\name is not necessary.

//Bo

-----Original Message-----
From: Rogan Dawes [mailto:discard@xxxxxxxxxxxx]
Sent: 11 March 2006 16:39
To: pen-test@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: OWA configurations

arian.evans wrote:

The form of authentication is NTLM over HTTP. Integrated Windows
Authentication uses Kerberos where possible (e.g. --if meets client
dependencies like >= IE 5.5, W2K, etc.) and where not prompts with a
basic auth type box.

You can submit only 'domain\user' and 'password'. In AD domains you can
often use 'user@xxxxxxxxxx' as well for the username (in addition to
the password). I do not recall ever having to submit domain-field
exclusively.

You are correct, this is a result of server-side configurations done to
IIS to enable 'integrated auth'.
It has been called "integrated authentication" for quite some time...at
least prior to IIS 4 IIRC.

You should be able to brute this just fine with Brutus, Hydra, look at
Cain & Abel as well, but you will have to prepend 'domain\' to your
username dictionary entries.

For more, google for Amit Klein's papers on NTLM over HTTP and his
papers will also link to some of the work at decomposing the
specification for NTLM.

-ae




For what it is worth, the current (source only) version of WebScarab
available on my personal website can do NTLM authentication, as well as
scripting arbitrary multi-threaded requests using the Scripted plugin.

Combining these two features, you can implement your own brute force
scripts. The key to brute forcing NTLM using WebScarab is to know that
if you specify an Authorization header of "NTLM
base64(domain\user:password)", WebScarab will automatically decompose
that and use those credentials in an NTLM handshake before sending the
request.

Rogan

-----Original Message-----
From: Justin Dearing [mailto:justind@xxxxxxxxxxxx]
Sent: Friday, March 10, 2006 9:42 AM
To: pen-test@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: OWA configurations

This form of authentication is a Microsoft proprietary extension to
HTTP that apparently uses some kind of challenge response. It was
called NTLM but in IIS 6 was rebranded Integrated Windows
Authentication.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx

The previous technote provides some information. It does not go into
protocol implementation details but will give you a bit more info to
know what to ask google.

As to how to brute force test it, I would recommend getting a brute
forcer that supports that protocol.


-----Original Message-----
From: Bryan Miller [mailto:BMiller@xxxxxxxxxxxxx]
Sent: Friday, March 10, 2006 9:30 AM
To: pen-test@xxxxxxxxxxxxxxxxxxxxxxx
Subject: OWA configurations

In doing pen tests against various configurations of OWA, I have seen
two major flavors. One, you receive the standard authentication
request for a username and password. In those cases if you have a
specific domain you can prepend it to the domain name. Other times
you see the request for a username, password and domain name as three
separate inputs. In the second case can I prepend the domain name to
the login name, or am I required to enter all 3 pieces of information
separately?


Am I correct in assuming that the choice of which form of
authentication you receive is set by the administrator? If I have to
enter all 3 pieces of information separately, does anyone know of a
tool to do this?
Brutus/Hydra....tried both and neither has the option of specifying
the domain name as part of the brute force attempt.

--------------------------------------------------------------
----------
------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to
proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an
option to go with a managed service (Cenzic ClickToSecure) or an
enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your results from other product. Contact us at request@xxxxxxxxxx
--------------------------------------------------------------
----------
------
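
The thread notes that one OWA account can be submitted as 'domain\user', as 'user@domain', or (per the first reply) with no domain at all. The following added example, which is not from any poster in this thread, shows why failed-logon monitoring has to count those forms as one account; the event tuples, the `CORP` / `corp.example` names and the threshold are constructed assumptions.

```python
from collections import Counter

# Assumptions (not from the thread): UPN suffix -> NetBIOS domain map and the
# domain the server applies when the client sends a bare username.
UPN_TO_NETBIOS = {"corp.example": "CORP"}
DEFAULT_DOMAIN = "CORP"

# Constructed sample events: (source address, username as submitted, success).
SAMPLE_EVENTS = [
    ("192.0.2.10", "CORP\\alice", False),
    ("192.0.2.10", "corp\\Alice", False),
    ("192.0.2.11", "alice@corp.example", False),
    ("192.0.2.11", "alice@CORP.EXAMPLE", False),
    ("192.0.2.12", "alice", False),
    ("192.0.2.12", "alice", False),
    ("198.51.100.7", "CORP\\bob", False),
    ("198.51.100.7", "CORP\\bob", True),
]


def canonical_account(submitted):
    """Map 'DOMAIN\\user', 'user@suffix' or bare 'user' to 'DOMAIN\\user'."""
    name = submitted.strip()
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, suffix = name.rsplit("@", 1)
        domain = UPN_TO_NETBIOS.get(suffix.lower(), suffix)
    else:
        domain, user = DEFAULT_DOMAIN, name
    return f"{domain.upper()}\\{user.lower()}"


def failure_counts(events, normalize=True):
    """Count failed logons per account, optionally merging username forms."""
    key = canonical_account if normalize else (lambda s: s)
    return Counter(key(name) for _src, name, ok in events if not ok)


def flagged_accounts(events, threshold=5, normalize=True):
    """Accounts whose failed-logon count reaches the alert threshold."""
    counts = failure_counts(events, normalize)
    return sorted(acct for acct, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("per raw string:", flagged_accounts(SAMPLE_EVENTS, normalize=False))
    print("per account:   ", flagged_accounts(SAMPLE_EVENTS))
```

Counting per raw string leaves every form below the threshold, while counting per canonical account puts all six failures against one account.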

