At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customer’s security that can only come from actively trying to break it! In this series, we’re going to share some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization’s security.
This is a story of how a well defended network was compromised through user enumeration; a vulnerability which many organizations do not consider to be a “real” vulnerability. For the uninitiated, user enumeration vulnerabilities are application behaviors that could allow a malicious actor to determine valid usernames on a service. They are commonly exploited to set up follow-on attempts to guess users’ passwords.
I was tasked with performing an external penetration test for a midsize company. I began the engagement by performing port scanning and service enumeration, and discovered a small number of accessible web services. This led to a wonderful discovery: Outlook Web Access (OWA) was exposed! OWA suffers from a user enumeration vulnerability in which authentication requests involving valid usernames produce different responses than authentication requests involving invalid usernames. This could allow a malicious actor to submit unlimited authentication requests with different usernames, and use the responses to determine whether a given user exists in Exchange or not. We believe that Microsoft has been aware of this problem since 2014 but has not yet patched it. Some security professionals speculate that this may be because Microsoft (like many other companies) does not consider user enumeration to be a vulnerability.
I quickly began user enumeration against this service. After harvesting employee names from LinkedIn, marketing databases, and password breach databases, I coerced the employee names into a username format and verified ..
Support the originator by clicking the read the rest link below.
