Microsoft Lync servers have been a staple of my external engagements for the past six months or so. I have found a Lync server on all of those engagements. In most cases, these portals have long been forgotten; they are simply the discarded technology of yesteryear for many companies. I have found numerous instances where monitoring was in place for nearly every asset. Every asset…except the Lync server, that is.
Lync servers can provide many goodies for an attacker. All the same treasures that can be had with Outlook Web Access (OWA) portals can be had with Lync servers. These include internal domain name disclosure, user enumeration via the AD timing attack, and even password spraying.
This blog post from TrustedSec has been my guiding light for my Lync adventures. Rather than write a crappier version of the great work that they did, I will simply point you to their blog: