One-Click to OWA

Video in TIB AV-Portal: One-Click to OWA

Formal Metadata

Title
One-Click to OWA
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
With the presence of 2FA/MFA solutions growing, the attack surface for external attackers that have successfully phished/captured/cracked credentials is shrinking. However, many 2FA/MFA solutions leave gaps in their coverage which can allow attackers to leverage those credentials. For example, while OWA may be protected with 2FA, the Exchange Web Services Management API (EWS) offers many of the same features and functionalities without the same protections. In this talk, I will introduce ExchangeRelayX, an NTLM relay tool that provides attackers with access to an interface that resembles a victim's OWA UI and has many of its functionalities - without ever cracking the relayed credentials. ExchangeRelayX takes advantage of the gap in some 2FA/MFA solutions protecting Exchange, potentially resulting in a single-click phishing scheme enabling an attacker to exfiltrate sensitive data, perform limited Active Directory enumeration, and execute further internal phishing attacks.
...like to introduce first-time speaker William Martin and his talk, One-Click to OWA.

Thank you, Cars. My name is William Martin, and I'm an OSCP. I'm a pen tester for RSM US and I'm based out of Charlotte, and, you know, first time speaking at DEF CON, so no pressure. Thank you. If you can't see me back there, I'm the one on the right. We only got 20 minutes, so we're gonna kind of blow through this. We're gonna talk about basics on Exchange and the various endpoints on Exchange. We're gonna go through a little bit of a multi-factor authentication crash course on how it's typically set up, which will kind of emphasize some gaps that some organizations face. Then we're gonna talk about my favorite attack, which is the NTLM relay attack. We're gonna do a demo and a tool release, and we're gonna talk about how to fix the things that I'll have just broke.

So overall, organizations have been doing a pretty kick-ass job in terms of implementing multi-factor authentication across the board for their externally facing services, like VPNs, definitely our Remote Desktop Services, Citrix, web apps and email, with an asterisk on email. We're gonna get to that one. OWA is typically where we see a lot of two-factor being implemented, but there's a little bit of a broken mentality on the goal for multi-factor authentication on OWA. I don't know about most of you, but I have email synced on my phone. I'd take a gamble at least 60%, 70% of this room also has that scenario for themselves. But when I was working in an organization, I found that I was using multi-factor authentication on our OWA portal, but my phone was syncing just fine with just my username and password. No other factor, no certificate, no code, nothing. So that was a bit weird. That seemed like it was counterintuitive for the point of multi-factor authentication. So to find out why that gap exists, I realized I had to learn a little bit more about how my phone and my Outlook were connecting to Exchange, and that's what we're going to talk about.

So for those who haven't set up an Exchange server themselves, Exchange has multiple roles in which it can be installed. There's a mailbox server role, there's an edge transport role, and all these kind of dictate how the server is going to operate. The role that we care about is called the client access server role. It's the one that we interact with more: our email clients, things like Autodiscover for telling us how to connect our email, MAPI, which is how Outlook connects, and OWA and ECP, which are primarily the focus of this. So Exchange CAS servers run essentially on top of an IIS server. There's one large web app, and accessing them looks a bit like this: all over HTTP, just your standard web calls. Now to break down what these little endpoints do and the various ways you can talk to Exchange: there is PowerShell, which is used by administrators to kind of administer the server itself. Autodiscover tells your client how to connect to Exchange. MAPI is used by Outlook. RPC is used by old-school Outlook. ActiveSync is used by your phone, typically. OAB provides your client a way to download the global address book, so it takes that and you can ease the burden on Exchange. ECP is an addition to OWA which allows a user to kind of change their settings. This is where you go into when you're changing your signature, adding forwarding rules and whatnot on your OWA. And then, not to beat a dead horse, OWA itself, the web app that lets you access your email. You can access your task manager or calendar and whatnot from the web without having to, like, run a thick client. And then finally, EWS, or Exchange Web Services, is a SOAP-based API that allows you to interact with Exchange. We make API-based calls to your mailbox, so a lot of, like, old-school apps, or, well, the Outlook client for Mac is based on EWS.

So the endpoints, because we're hackers, that we care about are the ones that have access to email. So that would be MAPI, RPC, ActiveSync, ECP, OWA and EWS. Now as a pen tester, interestingly enough, the ones that I find covered by two-factor authentication most often are only these two: OWA and Exchange Control Panel, which leaves at least four other ways we can access our email and whatnot without that code. So to find out why, I
mean, I didn't get to have this to myself. I'm by far not the first one to find this gap. There have been other security researchers, like notably Black Hills Information Security, that have found this kind of gap, this inconsistency in the implementation of multi-factor authentication protecting Exchange, and like 2016, they reported this to Microsoft and said, hey, this is a gap, you guys gonna fix it? Microsoft replied saying no, because this is not an issue on properly configured systems. So I took that as okay, it's just, it's the admin's fault. A checkbox is unchecked, they didn't add a route, something, you know, it was just a human error causing this thing. It wasn't a technological failure. But because it was so prevalent, I wanted to find out what was causing such a pervasive human error. Why would it work across all these organizations, so we see this gap consistently? And the answer is there really isn't a mention of these other endpoints in those two-factor authentication protocol implementations. So things like Symantec, RSA, a little bit of Duo, in their basic implementation guides they would cover OWA and ECP, both of which are the only two web-app-based protocols. And the reason that is, is because a lot of these protocols are authenticating through something called ADFS, or Active Directory Federation Services. Without derailing the talk to talk about what that is, in a nutshell it provides a way for users to authenticate to this one server through whatever means they choose, like multi-factor, and this server will provide that user a cookie which will vouch to other single sign-on services. So when you go to an ADFS-protected OWA, you're totally talking to another server. This other server, it says, you know, William logged in, he's cool, just trust me. That trust gets passed to Exchange and I'm able to log in to OWA, even though Exchange didn't handle most of the authentication. So the issue lies in that that whole exchange happens over HTTP, happens over, like, that web-app-based protocol, but EWS and MAPI and RPC and those lower-layer protocols can't handle that kind of interaction. So that causes a bit of an issue.

This is what it kind of looks like when you log into OWA through an ADFS-protected setup. You try to access OWA, you get that redirect saying no, contact ADFS first. ADFS is the one that actually authenticates you. It says, hey, log in, maybe give me your two-factor code, or maybe give me your certificate to prove who you are. If you're using multi-factor, it'll pass that code off to its multi-factor authentication provider, again like Symantec, and say, hey, is this code good? And it'll say yes or no. Anyways, after that's done, ADFS will pass you back your token, or your cookie. You then take that over to OWA and you're good to go.

So the vendors know that their solutions aren't covering these underlying protocols. This is not, they're not oblivious to this. But the issue is not so much on the vendors themselves, as they've stated; it lies on the environment that they're implementing their solution on. And to implement their solution properly, they need something called modern authentication, which, if you've got an Exchange environment on premises, takes a bit of overhead to implement. So modern authentication, in a nutshell, is Microsoft's implementation of the OAuth protocol, and it allows Outlook, EWS, MAPI and other protocols to handle OAuth tokens. Now with OAuth, Exchange is no longer handling the actual authentication phase of it. Even through single sign-on, like through ADFS, OAuth just passes Exchange their token, it's cool, you're good to go. The OAuth provider is the one that really implements those two-factor solutions or whatever else may be. But the catch is, with modern authentication you need to implement Azure in some way, shape or form. You can't just spin up a DC on-prem, spin up an Exchange server on-prem, spin up an ADFS server on-prem and be good to go. You have to interact with Office 365 somehow, and it's that catch that leaves a lot of organizations in the dark and then vulnerable to this kind of a lack of coverage. So when you implement it with Exchange on-prem, you need to use something called hybrid modern authentication. It requires an on-prem ADFS and requires you to use Outlook 2013 or later, and you're using Azure to perform all of the token provisioning. With pure Office 365, guys, when you're using Exchange Online, you already support modern auth because it's all going through Office 365 anyways. It just comes down to what kind of multi-factor authentication you want to implement through this now-supported protocol. And this is what it looks like when you have a hybrid setup.

So anyways, now we know that the gap that these two-factor solutions cause is not a quick, easy fix, and I love that, because it makes it a pain in the ass for my targets to cover, you know, cover this. So while we can, how can we take advantage of this gap, or we can take advantage of this oversight? Well, looking back at those other endpoints that you can talk to that are typically unprotected, there's a common theme amongst three of them. Before doing this research I didn't know that three of them use NTLM, which is my favorite authentication mechanism,
that's my point. So, also the first meme I ever made. So NTLM relay is my favorite attack and how I pop maybe 80 to 90% of my internal pen tests. This attack is as old as time itself; the Cult of the Dead Cow were exploiting this as early as 2001. So for those who don't know, the NTLM relay attack happens through three messages and works like this. The victim is somehow tricked to connect to an attacker, and we'll talk about how they're tricked in a second, but they connect to an attacker and say, hey, I want to log in, here's my domain, here's my username. The attacker then redirects that and says, hey, I want to log in, here's my domain and my username. The target server will reply saying, alright, cool, if you're really so-and-so, take this challenge and hash your password with it. We don't know the password as an attacker, so we'll pass that right back to the victim. The victim will happily oblige and pass that back. It's now the attacker that has the response. We pass that on to our target server. The target server promptly says okay, cool, you've now authenticated, you are so-and-so. The attacker gets the session and we kill our victim. We just say no, you weren't able to log in.

So the ways to trigger an NTLM authentication are vast. Some of the common ways, my favorite ways, are UNC links in emails, which, if you're opening an email in Outlook and you click a UNC link, Outlook treats that, it really passes it on to Windows, and Windows treats that like you're trying to access a network share, and for network shares it will try to authenticate to it, try to log in, try to open that folder for you. Well, if the attacker is on the other end of that UNC path, it'll authenticate to them and that triggers the NTLM relay attack. Another favorite way is NetBIOS and LLMNR poisoning, which, anyone here use Responder? Hands? Yeah, a fair number of us. So it never, never fails to get a hash. For those who don't use Responder, it's a tool that hackers use to abuse how Windows works. When Windows asks for a resource that isn't available through DNS, it will send a broadcast to the local network saying, hey, has anyone seen, I don't know, William's share? And typically there'll be radio silence, but an attacker will say yeah, I'm William's share, and then the victim's like oh, cool, alright, let me log in to you, and then I say, I get the NTLM hash.

Recently I've seen some really cool ways to trigger NTLM authentication I think are worth mentioning. So recently there was a CVE pushed out by Will Dormann, which he found that in Outlook you could send an RTF, or rich text formatted, email, and when Outlook received that email it would parse it, and if that RTF email had a, I know I'm getting really technical, but if that RTF email had a remote resource embedded in it, Outlook would try to automatically load that, and it would pass it to Windows, and then Windows would authenticate to it if it's a UNC path. And this is all without the user intervening and without any kind of warnings. So essentially you send an email, they open it, and you've got their hash. Microsoft patched that one, but we all know that everyone patches everything appropriately, so we have nothing to worry about there. So that looks like a way that is not patched, because it's a bit more difficult to patch. This is by Mike Felch. Mike, you in the room? Oh man, he said he was coming. Alright, so what Mike wrote: an attacker can modify the details of a Microsoft document and embed a UNC path in the web settings. So when Microsoft Word opens up that document, it will see a little UNC path in the web settings and it treats that as an external HTML page that you want to embed in your document, and so as always it'll try to reach out and get that. If it's a share, it passes it to Windows and Windows will authenticate. This one, there's no user interaction whatsoever outside of opening a document. So if you find that UNC links are filtered in email and you can't get, like, a macro through, you might well get just a benign document through their email system and get them to trigger an NTLM authentication that way.

So now that we know these are protected by NTLM and we can relay NTLM, which one do we want to attack? Well, a couple years ago SensePost came out with a tool called Ruler, the Ruler attack, which took advantage of Outlook rules. In a nutshell, the Outlook thick client on a desktop can be configured to run certain commands upon receiving an email, sending an email, upon a certain event happening. And so Ruler found out that if you compromise the user's credentials, if you're on the outside, you could create a new Outlook rule, sync it up with their server, that rule will then be pushed down to the Outlook clients, and then that rule would run upon the event happening. So naturally I thought, great, I can get RCE with a relay, let's use that as a rule. It looks like, unfortunately, one of the creators of Ruler already had this idea, and it turns out to perform a true, the true authentic Ruler attack, you need to authenticate to Exchange more than a few times, and the NTLM relay attack is pretty much a one-and-done. So you're not gonna really get that far with using MAPI or RPC, which is what Ruler is based on. So I was just left with Exchange Web Services, which I... alright, so which I had never heard of until I built this tool, until I ran this attack.

So in a nutshell, Exchange Web Services is just a way to access Exchange through an API, and the things we care about is that it's enabled by default, and by on-premise Exchange it supports NTLM by default, and it provides access to most things Outlook has access to, and we don't have to go through multiple stages of authentication. With NTLM on EWS, it's one and done. So I built a tool called ExchangeRelayX, which has these goals in mind. If we pop a user, we want to be able to read, send, delete, you know, manage their inbox as they would. We want to be able to download their attachments, add forwarding rules to kind of backdoor their email, scrape as much data as we can from Active Directory, and launch spear phishing from inside the organization. Typically orgs have great attachment filtering on the perimeter, but from user to user, from inside the organization, they have that gap. So if you compromise the Exchange of one user, you may be able to send users B, C and D malicious attachments without being filtered. Alright, now
let's try to power through a demo. This demo is going to show an OWA that's protected with two-factor authentication but is vulnerable to the same gaps that we've covered. Now being prompted for the code, enter it through, and there, and there's your usual Outlook Web App interface. Got emails. You can see that the user that we're on is William Martin, that's me. We've got a folder over there on the left called Modern Auth Project. I'm gonna open the user's Outlook thick client just to demonstrate the same thing. Alright, cool. So now we're going to launch the attack. The tool is called ExchangeRelayX, and right now we're just going to check if the victim is vulnerable. Right now it just reaches out to the mail server and says, hey, do you support NTLM? And it turns out we do. So let's build a relay to that NTLM interface, let's build a relay to Exchange Web Services.

Alright, this is showing sending a sample UNC link to a victim, and we're masking it as a YouTube link, and I'm skipping through similar loading times in the demo since we're tight on time. Alright, the user gets the phishing email with that malicious link in there, they click it, and that's it. That's all the user has to do. The attack is now done on their end. Over here we receive the connection, we've relayed back to their Exchange server, and we see them popped right there. So what can we do with this? I tried to build a similar-looking OWA for hackers. So now you see we can open up their email. We've still got the same little folder on the left that they do, and by the way, as we're reading email and as we're sending email, we're not showing up in their sent folder. Man, you're killing me, Cars. So I'm gonna release this tool and you guys can have a lot of fun with it, but we kind of have to blow through what you can do. One of the features is that you can add forwarding rules, as well as you can automatically download all of their attachments. So it just goes through inbox and folder, everything, and just as quickly as it can downloads every attachment they've ever sent or received. So if you have a user that's not super technical, maybe their CFO, and they get popped, that's a really bad day.

[Applause] Stop applauding, we have to move through. So how we fix this: you have to implement modern authentication across your organization. Oh man, alright, modern authentication everywhere. You have to implement Azure with that. RPC won't be able to support that, same thing with POP3 and IMAP. If you have any 2010s anywhere, this will not work for you. You can't get modern auth with 2010s in the environment. Yeah, implement MFA everywhere, filter on 139, 445, and remember that split-tunnel VPNs and IPv6 are typically a gap. Alright, here are the contributors. [unintelligible] [Applause] [Applause]
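The talk's fix list comes down to knowing which of your own Exchange endpoints still answer unauthenticated clients with NTLM. As an added example (not part of the talk and not ExchangeRelayX's code), the following Python script queries each client-access virtual directory named in the talk without credentials and reports which ones advertise NTLM, or Negotiate (which can settle on NTLM), in their WWW-Authenticate header; the host mail.example.test and the captured header sample are constructed placeholders, and the path list is an assumption based on the endpoints the talk names.

```python
"""Audit Exchange client-access endpoints for NTLM being offered to
unauthenticated clients. Added example for the talk; not the tool's code."""
import re
import ssl
import sys
import urllib.error
import urllib.request

# Virtual directories the talk names (assumed default IIS paths).
EXCHANGE_PATHS = {
    "OWA": "/owa/",
    "ECP": "/ecp/",
    "EWS": "/EWS/Exchange.asmx",
    "MAPI": "/mapi/emsmdb/",
    "RPC": "/rpc/rpcproxy.dll",
    "ActiveSync": "/Microsoft-Server-ActiveSync",
    "OAB": "/OAB/",
    "Autodiscover": "/autodiscover/autodiscover.xml",
}

_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")


def auth_schemes(www_authenticate_values):
    """Set of scheme names from WWW-Authenticate values such as
    'NTLM', 'Negotiate, NTLM' or 'Basic realm="mail"'. Only the first
    token of each comma-separated challenge is a scheme; anything that is
    not a bare token (e.g. the tail of a quoted realm) is ignored."""
    schemes = set()
    for value in www_authenticate_values:
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if _SCHEME.fullmatch(token):
                schemes.add(token)
    return schemes


def classify(schemes):
    """'NTLM' when offered outright, 'Negotiate' when only SPNEGO is offered
    (it can still negotiate down to NTLM), otherwise 'none'."""
    if "NTLM" in schemes:
        return "NTLM"
    if "Negotiate" in schemes:
        return "Negotiate"
    return "none"


def fetch_www_authenticate(url, timeout=10, verify_tls=True):
    """Unauthenticated GET; return the WWW-Authenticate values of a 401.
    Any other status, a redirect to ADFS, or an unreachable host yields []."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab servers with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "exchange-auth-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx):
            return []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("WWW-Authenticate") or [] if err.code == 401 else []
    except urllib.error.URLError:
        return []


def audit(base_url, paths=EXCHANGE_PATHS, **kw):
    """Live audit of one server: endpoint name -> 'NTLM' / 'Negotiate' / 'none'."""
    base = base_url.rstrip("/")
    return {n: classify(auth_schemes(fetch_www_authenticate(base + p, **kw))) for n, p in paths.items()}


def audit_from_headers(observed):
    """Same classification over already-captured header values (offline)."""
    return {name: classify(auth_schemes(values)) for name, values in observed.items()}


# Constructed sample of an ADFS-fronted deployment like the demo's: OWA/ECP
# redirect to ADFS (no 401), while EWS, MAPI and RPC still offer NTLM.
SAMPLE_OBSERVED = {
    "OWA": [], "ECP": [],
    "EWS": ["Negotiate", "NTLM", 'Basic realm="mail.example.test"'],
    "MAPI": ["Negotiate, NTLM"],
    "RPC": ["Negotiate", "NTLM", "Basic"],
    "ActiveSync": ["Basic"],
}

if __name__ == "__main__":
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else audit_from_headers(SAMPLE_OBSERVED)
    for name, how in results.items():
        print(f"{name:13s} {how}")
```

Run it with your own Exchange URL as the argument for a live check, or with no argument to see the classification over the constructed sample.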
Feedback