Browa10: Bruteforce script for OWA 2010
-------( michaelhendrickx.com/tools )--

Please use this script responsibly and only test those targets you have
proper authorization for.

1. Intro
--------

This script allows one to perform a brute force attack on an OWA (Outlook
Web Access) 2010 interface; an interface that allows web browser access to
one's Exchange mailbox. A brute force attack can identify users with a weak
password on a mail server.

You need to have a Ruby runtime installed. This script was tested
successfully using RVM's ruby 1.9.2 (https://rvm.io/).

2. Usage
--------

When the script is run without any arguments, the usage screen is presented,
containing the following options:

  -u : single username mode
  -p : single password mode
  -l : try list containing username:password combinations
  -U : list containing usernames
  -P : list containing passwords
  -t : delay between requests in seconds (default: 2)
  -b : break as soon as a valid combination is found
  -v : verbose mode
  -h : help; this screen

2.1 Single user, single password
--------------------------------

  $ ./browa10.rb -l username -p password mail.domain.com

This will try to log in using the credentials "username" and "password".

2.2 Multiple username, multiple passwords
-----------------------------------------

  $ ./browa10.rb -U /tmp/usernames -P /tmp/passwords mail.domain.com

This configuration will open the files /tmp/usernames and /tmp/passwords to
retrieve user logins and passwords respectively. Note that it will try every
username and password combination, so this could create a lot of requests.
If the username file contains 5 logins and the password file contains 10
items, then the script will issue a total of 50 login tries.

Note that any combination of single username / multiple passwords, or
multiple usernames and a single password, is possible as well.

2.3 Username / password combination file
----------------------------------------

  $ ./browa10.rb -L /tmp/mixed mail.domain.com

This will open the /tmp/mixed file and parse username / password
combinations out of it. Note that this file has to contain these
credentials, separated by a colon (:), such as this:

  bob:smith123
  mike:mechanic2012
  sheryl:omg1234

2.4 Additional options
----------------------

By using the "-b" switch, the script will stop execution as soon as one
valid username/password combination is found.

You can increase verbosity by enabling the "-v" switch; this will tell you
which request is being issued at any moment.

Between every authentication request, there's a 2 second delay. Although
this script will probably execute slower than that (depending on the OWA web
server performance and network speed), this delay can be changed by passing
a new value with the "-t" switch.

3. Known bugs
-------------

This script is quick proof of concept code and is far from perfect.

A lot of requests can sometimes make a target server time out. If this
happens, the script automatically issues a 60 second delay before
continuing. If many delays are happening, the script seems to fail. Rather
than keeping an internal counter for an increasing, acceptable timeout
length, it is better to restart the script where you left off (verbosity is
your friend).

If you have any questions or suggestions, please do not hesitate to
contact me at me@michaelhendrickx.com.
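
Seen from the mail server's side, a run as described in 2.2 and 2.4 is one source producing many failed logins at a near-constant interval, occasionally broken by a 60 second pause, and possibly ending in a success. The Ruby below is an added example for spotting that pattern and is not part of Browa10 or its author's code; the one-line event format, the thresholds and all sample data are assumptions constructed for illustration.

```ruby
require 'time'

Attempt = Struct.new(:time, :src, :user, :ok)

# Parse one event in the assumed format "<ISO8601> <source IP> <user> <OK|FAIL>".
def parse_attempt(line)
  ts, src, user, result = line.split
  return nil unless %w[OK FAIL].include?(result)
  Attempt.new(Time.iso8601(ts), src, user, result == 'OK')
rescue ArgumentError
  nil # unparseable timestamp: skip the line
end

def median(values)
  sorted = values.sort
  mid = sorted.size / 2
  sorted.size.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
end

# Flag sources whose logins look scripted: many failures, with at least 80% of
# the gaps within max_jitter seconds of the median (tolerates a few long pauses).
def suspicious_sources(lines, min_failures: 20, max_jitter: 1.0)
  attempts = lines.map { |l| parse_attempt(l) }.compact
  attempts.group_by(&:src).map do |src, list|
    list = list.sort_by(&:time)
    failures = list.reject(&:ok)
    next if failures.size < min_failures || list.size < 3
    gaps = list.each_cons(2).map { |a, b| b.time - a.time }
    med = median(gaps)
    next unless gaps.count { |g| (g - med).abs <= max_jitter } >= gaps.size * 0.8
    # A success after the first failure marks an account to reset first.
    hits = list.select { |a| a.ok && a.time > failures.first.time }.map(&:user).uniq
    { src: src, failures: failures.size, users: failures.map(&:user).uniq.size,
      median_gap: med, compromised: hits }
  end.compact
end

# Constructed sample: 5 usernames x 10 passwords = 50 tries about 2 s apart,
# one 60 s pause, last try succeeds; plus one ordinary user mistyping once.
def constructed_log
  t0 = Time.iso8601('2012-05-01T10:00:00Z')
  users = %w[bob mike sheryl ann raj]
  lines = (0...50).map do |i|
    t = t0 + i * 2.3 + (i >= 30 ? 60 : 0)
    "#{t.iso8601(1)} 203.0.113.7 #{users[i / 10]} #{i == 49 ? 'OK' : 'FAIL'}"
  end
  lines + ['2012-05-01T10:00:05Z 198.51.100.20 carol FAIL',
           '2012-05-01T10:00:40Z 198.51.100.20 carol OK']
end
```

Account lockout policy and per-source rate limiting on the OWA front end address the same behaviour at the point of entry; the check above is for finding it in logs after the fact.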