Downloading an Address Book from an Outlook Web App (OWA) Portal
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
Update 10/03/16: Want to download the address book automatically with PowerShell? Check out Beau Bullock's latest additions to MailSniper.
As part of a penetration test, you’ve gained access to an employee’s web mail, perhaps through a password spraying attack.
Outlook Web App Login
Your original password spray was done with a limited username list based on what you could find through reconnaissance. Now you would like to repeat the password spray with the full username list but you don’t see a way to download the address book from the OWA interface.
Uggghhh, do I need to write some custom web scraping code?
No, wait! Burp Suite Pro to the rescue. Burp's passive scanner automatically pulls email addresses out of responses and lists them under an "Email addresses disclosed" issue. All we need to do is proxy our web traffic through Burp while we browse the OWA address book.
In the example above, 3,135 email addresses were extracted as I browsed the address book via OWA. I simply started a new email and clicked the "To:" link to bring up the address book.
I noticed that only a limited number of results were returned at first, but if I used the scrollbar to scroll the address list from top to bottom, that forced all the addresses to load. As they loaded, Burp extracted them, leaving me with the entire address book, which I could copy and paste into other tools.
Note that Burp is configured by default to do "live passive scanning", which reports disclosed email addresses. If for some reason you have disabled that feature, you can re-enable it on the Scanner -> Live Scanning tab as shown below.
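Burp's "Email addresses disclosed" issue does the harvesting, but before the list is useful for a second password spray you still have to de-duplicate it, normalize case, throw out addresses from other domains (and regex false positives such as file names containing an "@"), and strip it down to bare usernames. The Python below is an example added to this post, not code from the original article or from Burp: it runs the same kind of extraction over captured response bodies and produces a spray-ready username list. The sample responses are constructed; the HTML fragment and the JSON shape are illustrative stand-ins for what OWA actually returns, and the regex works on raw text so it handles HTML and JSON bodies alike.

```python
import json
import re

# Constructed sample bodies standing in for OWA address-book responses pulled
# from Burp's proxy history. Names and domains are made up (RFC 2606 domains).
# The JSON structure is illustrative only, not OWA's real FindPeople schema.
SAMPLE_RESPONSES = [
    # An HTML/JS fragment such as the address-book list might render.
    '<div class="entry">Alice Smith &lt;Alice.Smith@example.com&gt;</div>'
    '<div class="entry">bob.jones@example.com</div>',
    # A JSON body such as a people-search call might return.
    json.dumps({"Body": {"ResultSet": [
        {"DisplayName": "Carol White",
         "EmailAddress": {"EmailAddress": "carol.white@EXAMPLE.com"}},
        {"DisplayName": "Alice Smith",  # duplicate of the HTML entry, different case
         "EmailAddress": {"EmailAddress": "alice.smith@example.com"}},
        {"DisplayName": "Dave (contractor)",  # different domain, should be dropped
         "EmailAddress": {"EmailAddress": "dave@contractor-mail.example.net"}},
    ]}}),
    # Noise: a vendor address and a file name that looks like an address.
    'Contact support@vendor.example for help. <img src="img@2x.png">',
]

# Permissive address pattern: local part, "@", one or more dotted labels,
# and a final alphabetic label of at least two characters.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)


def extract_addresses(bodies):
    """Return unique addresses found in the bodies, lower-cased, in first-seen order."""
    seen = {}  # dict preserves insertion order and gives O(1) dedupe
    for body in bodies:
        for match in EMAIL_RE.finditer(body):
            seen.setdefault(match.group(0).lower(), None)
    return list(seen)


def filter_domain(addresses, domain):
    """Keep only addresses whose domain part exactly matches the target domain."""
    domain = domain.lower()
    return [a for a in addresses if a.rsplit("@", 1)[1] == domain]


def to_usernames(addresses):
    """Strip the domain so the list can feed a spraying tool that expects usernames."""
    return [a.split("@", 1)[0] for a in addresses]


def build_spray_list(bodies, domain):
    """Full pipeline: raw response bodies -> deduplicated usernames for one domain."""
    return to_usernames(filter_domain(extract_addresses(bodies), domain))


if __name__ == "__main__":
    # In practice, replace SAMPLE_RESPONSES with bodies saved from Burp's
    # proxy history (or the text of the "Email addresses disclosed" issue).
    everything = extract_addresses(SAMPLE_RESPONSES)
    print(f"{len(everything)} unique addresses seen, including noise:")
    for addr in everything:
        print("  ", addr)
    print("\nUsernames for example.com:")
    for user in build_spray_list(SAMPLE_RESPONSES, "example.com"):
        print("  ", user)
```

The exact-domain filter is deliberate: a parent company, subsidiaries and contractors often share one directory, and spraying usernames that belong to a different authentication realm only adds lockout risk without adding hits. If the target uses several legitimate domains, run the filter once per domain rather than loosening the match.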
Update: I just used this technique on an address book that had over 16 thousand entries, and I got tired of holding the mouse button down to scroll through the whole list. The Mechanical Engineer in me shined through with this solution:
Go Duct Tape!!!
Jerry Decime
September 16, 2016 @ 8:28 am
Or better yet, find an address book request, then do a sequential query automatically using Burp, The Fiddler, Charles or nearly any other intercepting proxy.
This takes a matter of seconds to pull addresses, where # is the sequential integer, using The Fiddler's Composer tool:
POST: https://outlook.office.com/owa/service.svc?action=FindPeople&ID=-#&AC=1
You’ll get back some JSON which can then be easily parsed.
Carrie Roberts
September 16, 2016 @ 9:44 am
Hi Jerry, nice to hear from you! I was testing client hosted OWA instances. Never saw a call to service.svc, tried it manually just now and got an error. Perhaps this method only works on Microsoft hosted instances of OWA (office365)? I will try this technique next time I test OWA there. Thx