Advice on succeeding with Invoke-DomainHarvestOWA? about mailsniper HOT 8 OPEN

Hey Brian! Thanks for the note. I have heard some mixed results with that module. I modified it so it should just get the domain from a response header. If you just run Invoke-DomainHarvestOWA -ExchHostname mail.whatever.com it will try that method first. Let me know if that part isn't working for the server you are hitting as well. Do you happen to know what version of Exchange the server is running?

-Beau

from mailsniper.

Hey there,

Ok so I found out it's an Exchange 2010 box (no specific version info known, but I can get that if it would be helpful).

I had been running Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com -DomainList domains.txt -OutFile out.file . The domains.txt has about 5 bogus domain names but also the correct domain name, but MailSniper reports 0 valid domains.

Per your note above, it sounds like you wanted me to run just Invoke-DomainHarvest OWA -ExchHostname customers.owa.portal.com which I did, but it asks for either a DomainList or CompanyName to complete. I tried providing one - as well as both - but the end result was the same.

Brian

from mailsniper.

Oh sorry, maybe you were saying you made changes and that I should pull latest version? I was just going to send you a ping that the tool says ...provide either a DomainList or a *ComapnyName*... but that spelling has been fixed to CompanyName, so I'm thinking I don't have the latest version. Let me know what info I can provide.

from mailsniper.

Yeah it's been updated to have different functionality. Go grab the latest and try with just "Invoke-DomainHarvestOWA -ExchHostname customers.owa.portal.com". It should try to automatically grab the domain from an http header returned from the server.

from mailsniper.

Hiya Beau,

Happy Friday. Pardon the delay, but I did try running the latest MailSniper and what got returned was:

The domain appears to be: *INTERNAL-SERVERNAME.somedomain.local

I then tried:

Invoke-UsernameHarvestOWA -ExchHostname owa.customer.com -UserList .\users.txt - Domain somedomain.local

Also tried the same thing but with Domain somedomain

Still, even with legit users in my users.txt MailSniper didn't say I had a winner.

I'm actually done with this current project but could certainly test other things if you want. And I've got some new assessments coming in the next week and will try MailSniper there as well.

Thanks!
Brian

from mailsniper.

Piggybacking on this issue. I seem to be experiencing the same response time issue in my test lab. All usernames regardless if they are "real" or not are receiving the same response time back from OWA.

• Usernames are combination of known valid and made up
• Domain is known valid
• Tested in both VMware and VirtualBox environments

Response Times for Case 1
Baseline Response: 207.6
Average Time: 207.6
Threshold: 124.56

Typical response for this case was between 202 to 219 ms

Response Times for Case 2
Baseline Response: 5
Average Time: 5
Threshold: 3
Typical response for this case was between 5-21 ms

Using command
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -Domain THEDOMAIN -UserList .\userlist.txt -OutFile test.txt -verbose -debug

Using -debug and -verbose I was able to see the following output
VERBOSE: POST https://mail.domain.com/owa/auth.owa with -1-byte payload
VERBOSE: received 0-byte response of content type

from mailsniper.

For anyone still experiencing this, try this method instead: https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
It may be more reliable

from mailsniper.

Thanks @Boberttt !

from mailsniper.