G Suite is the Soft Underbelly of Your Environment

Matthew Toussain//*

Wouldn’t you like to START your pentests knowing every username for all individuals in your target environment? Gmail, G Suite, Outlook Web Access, Exchange Web Services… Email. A divine gift issued to hackers with no statute of limitations. In this blog we explore an exploitation workflow using new features of the MailSniper toolkit.

What happens if you browse to mail.google.com and trying logging in as: matt@blackhillsinfosec.com?

It turns out that Google automatically attempts to authenticate you to a G Suite instance associated with the domain blackhillsinfosec.com. Since BHIS has one… this works. What happens if, instead, you tried logging on as blahblah@blackhillsinfosec.com?

No dice, interesting. As you can see from the above image Google responds differently to email accounts that exist versus those that do not. It performs this check without even attempting authentication. In our role as penetration testers, this information response is exceptionally useful. It means that we can discover valid user emails without knowing ANYTHING except the domain name.

There is, however, one pesky problem. Captchas.

After a few unsuccessful attempts Google presents us with a captcha to verify our humanity. Fortunately for us, humanity can be scripted.

As with everything in information security, overcoming a hurdle is just a matter of diving deeper. In this case we turn to the wire.

If differences in error responses is what allows us to determine whether an account exists, what would be indicated by differences in responses when a captcha is presented? That’s right captcha / no captcha. We can look for these differences with the Burp Suite intercepting proxy.

In Burp Suite we can see a get request for captcha, but what is most interesting to use is the return response to our POST requests. A POST request is made for each email “lookup” request. As you can see a captcha was requested after the sixth consecutive “bad” POST request.

Comparing this response to an incorrect, but captcha-less response we can key in on the “gf.alr” JSON name/value pair. The value of this object changes! For every captcha the ALR value is a 5 whereas each bad email request returns a 7. Bypassing captchas could be as simple as detecting an ALR of 5 and retrying until an ALR of 7 is received again.

When we examine many responses across a wide number of request/response types, we can see that this differentiation remains constant yet predictable:

  • 1 -> Correct Email Address
  • 7 -> Incorrect Email Address
  • 5 -> Captcha Presented

There are even other factors (like 2FA) that can be enumerated using this mechanism.

Awesome! That said, waiting for captchas to go away is lame. What else could we try?

When we detect a captcha, what happens if we send the next request from a different IP address?

No captcha.

Using _socat_ we can setup socks proxy hosts to bounce and rotate our guesses.

socat TCP-LISTEN:9090,fork SOCKS4A:127.0.0.1:accounts.google.com:443,socksport=9999

 

If we combine all of these features and create a list of potential email addresses we can enumerate users. Let’s look at an example of this performed against BHIS!

What if we do not know the email addresses ahead of time? With some clever scripting an US Census data we can overcome this limitation.

Emails generally come in one of several overarching formats:

Format

    Example

firstname@domain.com

    matt@blackhillsinfosec.com

firstname.lastname@domain.com

    matthew.toussain@blackhillsinfosec.com

firstinitial.lastname@domain.com

    mtoussain@blackhillsinfosec.com

 

By taking the top 1000 boy and girl names from census data and combining them with the most common US surnames we can generate email address permutations. Next, let’s examine this accomplished with PowerShell.

First download a list of firstnames and lastnames:

PS C:\> git clone https://github.com/0sm0s1z/email-generator.git

PS C:\> cd email-generator

 

Now use PowerShell to craft a custom email list based on the desired format:

Get-Content .\firstnames.txt | % { $fname = $_; Get-Content .\lastnames.txt | % {$fname + '.' + $_ + '@blackhillsinfosec.com'}}

 

Email is a key component of the penetration tester’s toolkit. This will continue as long as password-based authentication remains the gatekeeper of system or network security. The fundamental problem here is not necessarily Gsuite or Outlook Online, though there is certainly more they can do. The primacy of passwords unshackles the network adversary. As penetration testers we need to demonstrate these problems to engender a more secure future for us all.

____________________________________________________________________

*This blog post is a follow up to Matt’s webcast, which is available to watch here:

WEBCAST: Testing G Suites with MailSniper