Password Spraying OWA
Overview
Outlook Web Access is the web front end of an on-premises Exchange mail server. Even without fully breaking into it, it is possible to pull quite a bit of information about the organization from it.

Attacking OWA with Metasploit
Password Spraying with auxiliary module
use auxiliary/scanner/http/owa_login
set user_file users.txt
set password Winter24!
If the account is valid, the server responds faster than for an invalid account. Metasploit has a built-in detection mechanism for this timing difference and saves the valid user accounts.

Metasploit won't stop if you continuously lock out accounts, although it will tell you when an account is locked out. Be sure to monitor it.
On a successful login, Metasploit will reveal the internal domain and its naming convention, because the login uses Active Directory credentials.
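From the defender's side, the pattern described above has a distinctive log signature: one source address produces many failed logons, each against a different account, with so few attempts per account that the usual per-account lockout threshold never fires. The following is an added detection example, not part of the original notes or of Metasploit; it runs over constructed, simplified Windows Security event records (the field subset of Event ID 4625 failed logon and 4624 successful logon that the check needs) and flags sources that fail against many distinct accounts inside a sliding time window. The record format, thresholds and sample values are assumptions for the example.

```python
"""Spray detection over constructed failed-logon records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,event_id,target_user,source_ip".
# 203.0.113.7 fails once against each of eight accounts within a few seconds
# (spray pattern); 10.0.0.5 is a normal user mistyping her own password twice.
SAMPLE_LOG = """\
2024-01-15T09:00:01,4625,alice,203.0.113.7
2024-01-15T09:00:02,4625,bob,203.0.113.7
2024-01-15T09:00:03,4625,carol,203.0.113.7
2024-01-15T09:00:04,4625,dave,203.0.113.7
2024-01-15T09:00:05,4625,erin,203.0.113.7
2024-01-15T09:00:06,4625,frank,203.0.113.7
2024-01-15T09:00:07,4625,grace,203.0.113.7
2024-01-15T09:00:08,4625,heidi,203.0.113.7
2024-01-15T09:00:09,4624,alice,10.0.0.5
2024-01-15T09:10:00,4625,alice,10.0.0.5
2024-01-15T09:10:30,4625,alice,10.0.0.5
"""

FAILED_LOGON = 4625


def parse_records(text):
    """Parse the simplified CSV records into sorted (ts, event_id, user, ip) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, ip = line.split(",")
        records.append((datetime.fromisoformat(ts), int(event_id), user.lower(), ip))
    records.sort(key=lambda r: r[0])
    return records


def detect_spray(records, window=timedelta(minutes=5), distinct_users=5):
    """Return {source_ip: set(targeted_users)} for every source whose failed
    logons hit at least `distinct_users` different accounts inside any
    `window`-long sliding interval. Sources failing repeatedly against a
    single account (typo, expired password) are not reported."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures in window
    alerts = {}
    for ts, event_id, user, ip in records:
        if event_id != FAILED_LOGON:
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            alerts.setdefault(ip, set()).update(users)
    return alerts


def max_attempts_per_account(records, ip):
    """Highest number of failed logons from `ip` against any single account.
    For a spray this stays at or near 1, which is why a per-account lockout
    policy alone does not surface it."""
    counts = defaultdict(int)
    for _, event_id, user, src in records:
        if src == ip and event_id == FAILED_LOGON:
            counts[user] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ip, users in detect_spray(recs).items():
        print(f"spray from {ip}: {len(users)} accounts, "
              f"max {max_attempts_per_account(recs, ip)} attempt(s) per account")
```

The complementary signal to watch is account lockout itself (Event ID 4740 on the domain controller), since the notes above point out that the tool keeps going after accounts lock; a burst of lockouts across many users from one source is the same pattern seen from the other end.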
