Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
There's Gold in Them Thar Metadata!!
To put it simply, metadata is information created during document creation that describes the data. When first targeting an organization, an attacker will scour document metadata, as it may expose internal usernames, software versions, GPS data as well as the document creation date. While its purpose is benign in nature, for an attacker it can open the door to more successful attacks against the target organization.
Many electronic documents contain metadata in some form. For a penetration tester, it is often the organization's username structure and deployed technologies that are the most interesting.
For the purpose of this discussion, we will be focusing on username enumeration as it is paramount to conducting a successful password attack. When planning for a password attack, the most valuable piece of information is determining the target organization's username format. While there are common username formats (email@example.com, firstname.lastname@example.org, etc.), that may not always be the case. It is becoming more common for organizations to set user IDs to values that do not match employee email addresses. Doing so makes discovering internal username conventions more challenging. Often after performing the typical leaks harvest and statistically likely username activities, only a few valid users are found. This can be particularly concerning when the target organizations can have hundreds if not thousands of users. Thus, the journey to harvest the gold in a target organization's metadata begins.
During the discovery phase, login portals such as Outlook Web Application (OWA) are sometimes uncovered. Login portals are a prime target for a password guessing attack since access to these types of systems allow an attacker to access email and any sensitive information contained therein. In order to make sure this attack has the highest chance of success, the username format for the target organization must be determined.
Figure 1: OWA Login Page
The internal username convention of the target organization can often be found by browsing recent breach data containing possible email addresses. To validate usernames against an OWA portal, a Client Access Server (CAS) Timing Attack can be performed using tools such as the Metasploit Framework or Burp Suite. This vulnerability takes advantage of the way OWA responds to valid and invalid email addresses. The authentication response times contain noticeable deltas, allowing for the positive identification of valid and invalid user accounts. This sometimes results in only a few valid accounts, which can indicate that there may be another username convention in use.
Enter FOCA and Pymeta, document metadata gathering tools, to analyze files on the target domain. As shown below, using FOCA, document metadata can uncover the unusual format the target organization has deployed. These new usernames can be validated utilizing Metasploit to verify if they're valid.
Figure 2: FOCA Results for Word Document
Figure 3: Username Validation of Usernames Recovered Via FOCA
Next, recent breach information and sites such as LinkedIn can be used to gather names of employees and potential email addresses. Leveraging the collected data, a unique username list can be generated using the discovered format. Again, the CAS timing attack can be used to validate accounts prior to performing a password guessing campaign.
Figure 4: CAS Authentication Timing Attack – Final User List Enumeration
Finally, passwords such as Password1!, Summer2020!, Fall2020! and CompanyName2020 can be used for the initial automated authentication attack. It's important to limit the number of attempts made to avoid locking out accounts. To rapidly test the usernames against weak passwords, the owa_login module in the Metasploit Framework can be used to automate the attack process. In the test case, a valid login is shown below.
Figure 5: Successful Password-guessing Attempt
While existing and archived documents on the internet may be challenging to control, organizations should strive to implement Data Loss Prevention Tools (DLP) to scrub metadata from any document before it is posted online. Taking these steps will further hamper attackers and assist in protecting the organization from the next password attack.
So the next time you're on the warpath and the perimeter has you down, remember there's gold in them thar metadata.
Copyright © 2022 Optiv Security Inc. All rights reserved.
No license, express or implied, to any intellectual property or other content is granted or intended hereby.
This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.
Complaints / questions should be directed to Legal@optiv.com
July 22, 2020
An attacker could use a poisoned docker image to break out of a container.
June 30, 2020
How to prioritize efforts based on alert information from Microsoft Defender ATP, Logic Apps, and Log Analytics.
September 16, 2020
Palo Alto Networks Prisma Compute can help minimize the risk of deploying untrusted images.
Let us know what you need, and we will have an Optiv professional contact you shortly.