WEBCAST: Exchange and OWA attacks – Step by Step
Here’s our webcast with Beau Bullock, Brian Fehrman & Carrie Roberts from Tuesday, November 29.
Robert P.
November 30, 2016 @ 12:42 pm
Your webcast video, Exchange and OWA attacks – Step by Step, is something that was already researched and presented by Nate Power from Rapid7. I think you guys should give credit where credit is due. This is nothing new and there is even a Metasploit module for it that gives the domain name in addition to bruteforcing username/passwords while showing if the username is valid by a timing attack.
BHIS
December 1, 2016 @ 8:20 am
Robert, thank you for connecting us with Nate Power and his previous research, we weren’t aware of it, but do appreciate being hooked up. Infosec is a fairly small community and we always want to build up and encourage research and learning to move forward together.
Nate Power
November 30, 2016 @ 1:04 pm
I found your techniques interesting, especially since I’m the original author who discovered and developed several of these. Here’s some more information you may have missed in your search. Let me know if you have any questions.
1) http://www.securitypentest.com/2014/08/cas-authentication-timing-attack.html
2) http://www.youtube.com/watch?v=qqye-peOvNM
3) http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense04-hacking-corporate-emil-systems-nate-power
4) http://www.youtube.com/watch?v=tBljldhtC70
5) http://www.irongeek.com/i.php?page=videos/passwordscon2014/penetrate-your-owa-nate-power
BHIS
December 1, 2016 @ 8:19 am
Thanks Nate for your comments and links. We really do appreciate being hooked up with you and your previous work, we always want to build on previous research and keep improving the knowledge base. It concerns us even more that this has been a known issue for so long and MS has done nothing about it.