Update 10/03/16: Want to download the address book automatically with PowerShell? Check out Beau Bullocks latest additions to MailSniper
As part of a penetration test, you’ve gained access to an employee’s web mail, perhaps through a password spraying attack.
Outlook Web App Login
Your original password spray was done with a limited username list based on what you could find through reconnaissance. Now you would like to repeat the password spray with the full username list but you don’t see a way to download the address book from the OWA interface.
Uggghhh, do I need to write some custom web scraping code?
No, Wait! Burp Suite Pro to the rescue. Burp Suite will automatically pull email addresses out of responses and include them in an “Email addresses disclosed” issue report. All we need to do is proxy our web traffic through Burp as we browse the OWA address book.
In the example above, 3,135 email addresses were extracted as I browsed the address book via OWA. I simply started a new email and selected the “To:” link to bring up the address book.
I noticed that only a limited amount of results were returned, but if I used the scrollbar to scroll the address list from top to bottom, it would force all the addresses to load. As they were loaded, Burp successfully extracted them, leaving me with the entire address book that I could copy and paste into other tools.
Note that Burp is configured by default to do “live passive scanning”, which reports on disclosed email addresses. If for some reason you have disabled that feature, you can re-enable it on the “Scanner–>Live Scanning” tab as shown below.
Update: I just used this technique on an address book that had over 16 thousand entries, and I got tired of holding the mouse button down to scroll through the whole list. The Mechanical Engineer in me shined through with this solution:
Go Duct Tape!!!
For related posts, see the following: