Home Insights Source Zero There's Gold in Them Thar Metadata!! September 30, 2020 There's Gold in Them Thar Metadata!! Many electronic documents posted online contain metadata in some form. The organization's username structure and deployed technologies can allow an attacker to guess passwords and successfully breach the perimeter. This post explains how it works and offers advice on how to prevent it. To put it simply, metadata is information created during document creation that describes the data. When first targeting an organization, an attacker will scour document metadata, as it may expose internal usernames, software versions, GPS data as well as the document creation date. While its purpose is benign in nature, for an attacker it can open the door to more successful attacks against the target organization. Many electronic documents contain metadata in some form. For a penetration tester, it is often the organization's username structure and deployed technologies that are the most interesting. For the purpose of this discussion, we will be focusing on username enumeration as it is paramount to conducting a successful password attack. When planning for a password attack, the most valuable piece of information is determining the target organization's username format. While there are common username formats (firstname.lastname@example.org, email@example.com, etc.), that may not always be the case. It is becoming more common for organizations to set user IDs to values that do not match employee email addresses. Doing so makes discovering internal username conventions more challenging. Often after performing the typical leaks harvest and statistically likely username activities, only a few valid users are found. This can be particularly concerning when the target organizations can have hundreds if not thousands of users. Thus, the journey to harvest the gold in a target organization's metadata begins. During the discovery phase, login portals such as Outlook Web Application (OWA) are sometimes uncovered. Login portals are a prime target for a password guessing attack since access to these types of systems allow an attacker to access email and any sensitive information contained therein. In order to make sure this attack has the highest chance of success, the username format for the target organization must be determined. Figure 1: OWA Login Page The internal username convention of the target organization can often be found by browsing recent breach data containing possible email addresses. To validate usernames against an OWA portal, a Client Access Server (CAS) Timing Attack can be performed using tools such as the Metasploit Framework or Burp Suite. This vulnerability takes advantage of the way OWA responds to valid and invalid email addresses. The authentication response times contain noticeable deltas, allowing for the positive identification of valid and invalid user accounts. This sometimes results in only a few valid accounts, which can indicate that there may be another username convention in use. Enter FOCA and Pymeta, document metadata gathering tools, to analyze files on the target domain. As shown below, using FOCA, document metadata can uncover the unusual format the target organization has deployed. These new usernames can be validated utilizing Metasploit to verify if they're valid. Figure 2: FOCA Results for Word Document Figure 3: Username Validation of Usernames Recovered Via FOCA Next, recent breach information and sites such as LinkedIn can be used to gather names of employees and potential email addresses. Leveraging the collected data, a unique username list can be generated using the discovered format. Again, the CAS timing attack can be used to validate accounts prior to performing a password guessing campaign. Figure 4: CAS Authentication Timing Attack – Final User List Enumeration Finally, passwords such as Password1!, Summer2020!, Fall2020! and CompanyName2020 can be used for the initial automated authentication attack. It's important to limit the number of attempts made to avoid locking out accounts. To rapidly test the usernames against weak passwords, the owa_login module in the Metasploit Framework can be used to automate the attack process. In the test case, a valid login is shown below. Figure 5: Successful Password-guessing Attempt While existing and archived documents on the internet may be challenging to control, organizations should strive to implement Data Loss Prevention Tools (DLP) to scrub metadata from any document before it is posted online. Taking these steps will further hamper attackers and assist in protecting the organization from the next password attack. So the next time you're on the warpath and the perimeter has you down, remember there's gold in them thar metadata. By: Jeffery L. Wright Consultant, Attack & Pen | Optiv Jeffery Wright is a security consultant in Optiv’s Threat Management practice with a concentration on network, web application, wireless penetration testing and social engineering assessments. He has over twenty years’ experience with a background in enterprise network administration, engineering, and security. His experience on the defensive side of security gives him a unique perspective when approaching offensive security assessments. Share: Red Team Source Zero Threat Cybersecurity Information Cyber Attack Brute Force Attack Business Email Compromise Risk Mitigation Data Protection Copyright © 2021 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com RELATED INSIGHTS BLOG July 22, 2020 Anatomy of a Kubernetes Attack - How Untrusted Docker Images Fail Us An attacker could use a poisoned docker image to break out of a container. See Details Read more about Anatomy of a Kubernetes Attack - How Untrusted Docker Images Fail Us BLOG June 30, 2020 Aligning Defender ATP Alerts to MITRE ATT&CK - Video Demonstration How to prioritize efforts based on alert information from Microsoft Defender ATP, Logic Apps, and Log Analytics. See Details Read more about Aligning Defender ATP Alerts to MITRE ATT&CK - Video Demonstration BLOG September 16, 2020 Defending Against Container Threats With Palo Alto Prisma Cloud Palo Alto Networks Prisma Compute can help minimize the risk of deploying untrusted images. See Details Read more about Defending Against Container Threats With Palo Alto Prisma Cloud How Can We Help? Let us know what you need, and we will have an Optiv professional contact you shortly.