Password Spray
Toolkit
SprayingToolkit/atomizer.py
Potential Targets
Skype4Business
OWA Portals
VPN Portals
JBoss/Jira/Zoho and other work management portals
Employee portals
Username Generator
IP Rotation
Attacking OWA
Metasploit:
scanner/http/owa_login
Automatically detects valid users based on faster server response.
Attacking O365
TREVORspray: Microsoft 365 password sprayer
Skype4Business [Lync Servers]
Skype4B provides a bridge from the Internet into a company’s internal network, allowing an attacker to interact with the internal Active Directory environment.
Lync servers can provide many goodies for an attacker. All the same treasures that can be had with Outlook Web Access (OWA) portals can be had with Lync servers. This includes: internal-domain name disclosure, user enumeration via the AD timing attack, and even password spraying.
Reference:
Tool
LyncSniper: GitHub
Locating the Front-End Server
Microsoft’s recommended naming format for the autodiscover URL is:
https://lyncdiscover.<domain>.com (external)
https://lyncdiscoverinternal.<domain>.com (internal)
If the ‘lyncdiscover’ subdomain does not exist, all is not lost. The following subdomains will often point to the Front-End server and are worth investigating.
dialin.contoso.com
scheduler.contoso.com
meet.contoso.com
If the XML references the domain ‘online.lync.com’, then the Skype server in question is hosted by Microsoft and these attacks will not work.
Web Login Portals
Two login portals that are commonly enabled in Skype4B installations:
Dial-in Conferencing:
lyncdiscover.domain.com/dialin
dialin.domain.com
Web Scheduler:
lyncdiscover.domain.com/scheduler
scheduler.domain.com
Other paths that will likely be protected with NTLM authentication include:
/WebTicket/WebTicketService.svc
/abs/
/GroupExpansion
/CertProv
/RgsClients
/RequestHandlerExt
/mcx
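For defenders watching these Skype4B endpoints, the following added example (not part of the original notes or of any tool named here) flags the spray pattern in failed-logon events: many distinct users, each failing only a few times, inside one time window. The event layout, thresholds and sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Skype4B login and NTLM-protected paths named on this page (lower-cased).
WATCHED = ("/dialin", "/scheduler", "/webticket/webticketservice.svc", "/abs/",
           "/groupexpansion", "/certprov", "/rgsclients", "/requesthandlerext", "/mcx")

# Constructed sample events: "time source-ip user path outcome".
# This layout is an assumption; map your own log fields onto it.
SAMPLE = """\
2024-05-01T09:00:05 203.0.113.7 alice /WebTicket/WebTicketService.svc FAIL
2024-05-01T09:02:10 203.0.113.7 bob /WebTicket/WebTicketService.svc FAIL
2024-05-01T09:04:15 203.0.113.7 carol /WebTicket/WebTicketService.svc FAIL
2024-05-01T09:06:20 203.0.113.7 dave /WebTicket/WebTicketService.svc FAIL
2024-05-01T09:07:00 198.51.100.20 erin /dialin/ FAIL
2024-05-01T09:07:30 198.51.100.20 erin /dialin/ FAIL
2024-05-01T09:08:20 198.51.100.20 erin /dialin/ OK
2024-05-01T09:08:25 203.0.113.7 frank /scheduler/ FAIL
"""

def failures(text):
    """Yield (time, ip, user, path) for failed logons on watched paths."""
    for line in text.splitlines():
        ts, ip, user, path, outcome = line.split()
        if outcome == "FAIL" and path.lower().startswith(WATCHED):
            yield datetime.fromisoformat(ts), ip, user.lower(), path.lower()

def detect_spray(text, group=lambda ip, path: ip, window=timedelta(minutes=30),
                 min_users=4, max_per_user=2):
    """Return {group key: users} for groups whose failures look like a spray."""
    buckets = defaultdict(list)
    for ts, ip, user, path in failures(text):
        buckets[group(ip, path)].append((ts, user))
    alerts = {}
    for key, events in buckets.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            # Spray shape: many users, each with only a few failures.
            sprayed = sorted(u for u, n in counts.items() if n <= max_per_user)
            if len(sprayed) >= min_users and len(sprayed) > len(alerts.get(key, [])):
                alerts[key] = sprayed
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
    print(detect_spray(SAMPLE, group=lambda ip, path: path))
```

Grouping by endpoint instead of source address keeps the detection useful when attempts arrive from rotating IPs, which per-source counting alone would miss.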
Bypass 2-FA
MFASweep: Detect MFA for various Microsoft servers
CredSniper
Re-using valid credentials on alternate services
MailSniper
Exchange Server
If you get access to email, pull down the global address list.
Perform password spray with this new list of targets.
Use CredSniper to grep for keywords within mail.