Explore offensive security techniques for hacking corporate email systems in this 51-minute conference talk from BSides Columbus 2016. Learn about penetration methodology, locating email domains, gathering employee names, and exploiting various SMTP and webmail vulnerabilities. Discover methods for enumerating Active Directory domains, bypassing two-factor authentication, and conducting brute-force attacks. Examine techniques for extracting sensitive information, including global address lists and Autodiscover configurations. Investigate malicious attachment and website tactics, SMTP catch-all exploitation, and SMB email client attacks. Understand how to reuse gathered credentials on internal networks and web applications. Conclude with remediation strategies to reduce risk and enhance email system security.
Overview
Syllabus
Intro
Penetration Methodology
Agenda
Locate Email Domain
Gather Employee Names
Frontend SMTP Servers
Frontend SMTP Email Validation
Backend SMTP - Email Bounce Back
Locate Webmail System - Autodiscover
Client Access Server - Autodiscover
OWA Webmail - Autodiscover
OWA Webmail - Internal IP
Key Information for Credential Extraction
OWA - AD Domain Enumeration
Format Employee Names to Usernames
OWA Timing Attack
OWA Two-Factor Authentication Bypass
Brute-force Password Guessing
Mailbox Keyword Search
Extract Global Address List
Autodiscover XML SOAP Injection
Autodiscover Configuration Enumeration Autodiscover.xml reveals
Malicious Attachment
Malicious Website
SMTP Catch-all
SMB Email Client Attack
Reuse AD Credentials on Services • Web applications
Reusing gathered info on Internal Network
Remediation & Reduce Risk
