Back in November Beau Bullock wrote a blog post describing how his awesome PowerShell tool MailSniper can sometimes bypass OWA portals to get mail via EWS if it has not been configured with the same two-factor authentication (2FA) protection.
I used that technique on a recent test and was able to abuse the situation even further. Here is my story…
I did a password spray on an external OWA portal and discovered that the password for the user whom we will call Jane Doe was Spring2017. But I was not able to log in to Jane’s account because it required, as you might have guessed, a time-sensitive token provided by 2FA. So I tried accessing Jane’s mailbox via Exchange Web Service (EWS) using MailSniper and was able to retrieve Jane’s mail messages from the server. Cool. So I can read her email. That is sort of interesting but not really interesting enough.
I investigated what other external services were available on the organization’s network and, pretty predictably, found a VPN but that was also protected by 2FA of course. Clearly I needed to get access to those 2FA tokens if I was going to get anywhere.
Hmm. On a crazy whim I waited until after hours and tried calling the organization’s help desk hoping that someone was on call for off hours help. I waited until after hours in order to maximize the chances that the real Jane Doe would not access her email and get suspicious before I could get to it and mark it as “Read” or delete it altogether. Here is a paraphrased transcript of the call.
Help desk: Hello, this is Hal at the Acme Widget Help Desk. How can I help you?
Me: Hi Hal. This is Jane Doe. I would like to add another phone to my account to use for two-factor authentication when I connect to Acme’s network when I am away from the office. Is that possible?
Hal: Of course that is possible. I would be happy to help you get that set up. First, I need to know what type of phone it is.
Me: It’s an iPhone.
Hal: Okay and what is your email address, Jane?
Me: It is email@example.com
This is the account for which I learned credentials from the password spray.
Hal: Great. Yes, I see your email address in the directory. I just sent an activation link to that account. You will need to open the email up on your phone and click the link.
Me: Sure. Hang on…
I execute MailSniper and pull the email from the server using EWS. Then I copy out the text of the email and paste it into a new outgoing email that I send to myself. I open the email on my phone and click the link.
Me: OK. It looks like I am all set up on my new phone. So normally a push notification is sent to my primary phone. How do I use the new secondary phone instead?
Hal: You enter your username and then your password but don’t press enter. Instead, add a comma after the password then add the 6 digit code from the app on your phone.
Me: I think I understand. Let me give it a try.
I tried tacking on the code as Hal described and was able to successfully log in to the VPN as Jane Doe.
Me: Thank you Hal. That worked perfectly! Now, just to be sure I understand — the primary phone will continue to get push notifications unless I enter the code from my secondary phone in the password field when authenticating. Is that correct?
I needed to be sure that the real Jane Doe was still able to access her account normally.
Hal: Yes, that’s right.
Me: You have been so helpful Hal. Thank you so much.
Hal: You are welcome and have a great day Jane!
At that point, I was able to authenticate to the VPN and get access to the organization’s Intranet and was now a trusted insider. The next step would be to attempt to elevate privilege and pivot… and so the dominoes begin to fall…
- It started with a weak password policy. I was able to guess a user’s password in a password spray attack.
- Exchange Web Service was accessible without two-factor authentication.
- The Help Desk did not authenticate me other than to incorrectly assume that since I had access to Jane Doe’s mailbox, I must be Jane Doe.
- Always use a strong password policy. At BHIS we recommend at minimum a 15-character passphrase.
- EWS is enabled by default with Exchange. If it is not needed, disable it altogether. If it is required, consider restricting it to an allow list of only those applications that need access, or put it behind 2FA.
- Authenticate users with more than just access to an email account before provisioning 2FA tokens. Passwords are stolen and guessed all the time and, for use cases such as 2FA enrollment, should not be considered sufficient authentication.
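To make the EWS recommendation concrete, here is an added example (not from the original post) using Exchange Management Shell cmdlets to audit which mailboxes still have EWS enabled, disable it where it is not needed, and otherwise enforce an application allow list; the mailbox name and the allow-list user-agent patterns are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell (or a remote Exchange PowerShell session) as an Exchange administrator.
# The mailbox identity and allow-list patterns below are placeholders.

# 1. Audit: list mailboxes where EWS is explicitly or implicitly enabled.
#    EwsEnabled is $null when the mailbox inherits the organisation setting,
#    so treat anything that is not $false as "still reachable via EWS".
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -ne $false } |
    Select-Object Identity, EwsEnabled, EwsApplicationAccessPolicy |
    Format-Table -AutoSize

# 2a. If EWS is not needed at all, turn it off for the whole organisation...
Set-OrganizationConfig -EwsEnabled $false

# 2b. ...or only for specific mailboxes that never need it.
Set-CASMailbox -Identity "jane.doe" -EwsEnabled $false   # placeholder mailbox

# 3. If some applications require EWS, keep it on but enforce an allow list
#    so that only known client user-agents (placeholder patterns) are accepted
#    and arbitrary EWS clients are refused.
Set-OrganizationConfig -EwsEnabled $true `
    -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @("Microsoft Office*", "MacOutlook*")

# 4. Verify the effective organisation-wide settings.
Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList |
    Format-List
```

An allow list keyed on user-agent strings is a hardening layer, not authentication; the strong password policy and 2FA-gated enrollment in the points above are still what keep a guessed password from turning into mailbox access.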