
By TrustedSec in Penetration Testing, Security Testing & Analysis

TL;DR: How to attack self-hosted Skype for Business (Lync) servers. If you're using O365, wait for the next post.

Note: For the sake of brevity throughout this post, Skype for Business and Microsoft Lync will both be referred to under the umbrella designation of 'Skype4B'.

When companies choose to host Skype for Business (previously Microsoft Lync) on-premises, they can inadvertently introduce a large attack surface. Skype for Business, by design, is meant to encourage communication between individuals, and it is often externally accessible so that employees can stay connected 24×7 without the need for a VPN. This bit of convenience makes Skype4B an attractive target for attackers. In a very real sense, Skype4B provides a bridge from the Internet into a company's internal network, allowing an attacker to interact with the internal Active Directory environment. In this blog post, I will walk through information gathering, user enumeration, and brute-force attacks against an internal network, using only the attack surface opened by a standard implementation of self-hosted Skype for Business.

Locating the Front-End Server

Before Skype4B can be attacked, it is necessary to determine the location of the Front-End server. This server will be our primary target throughout the attack. Luckily, locating these servers is usually not an issue. Microsoft's recommended naming format for the autodiscover URL is:

If the 'lyncdiscover' subdomain exists, it will serve an XML file that references the Front-End server. In the example below, the Front-End server is ''.

Figure 1 – Lyncdiscover Domain Points to Front-End Server

If the XML references the domain '', then the Skype server in question is hosted by Microsoft and these attacks will not work (information on attacking hosted Skype will be published in a future post). If the 'lyncdiscover' subdomain does not exist, all is not lost. The following subdomains will often point to the Front-End server and are worth investigating.

Having found the Skype4B Front-End server, we can explore the two login portals that are commonly enabled in Skype4B installations: Dial-in Conferencing and the Web Scheduler.

Figure 2 – Dial-In Conferencing Portal

Figure 3 – Lync Web Scheduler Portal

These two portals clearly indicate that the login format is DOMAIN\Username. Examination of the source code of these pages shows that they both perform a POST of an XML document to the same back-end service located at:

Capturing the POST in Burp Suite reveals an XML document containing a base64-encoded username and password. (It is worth noting that while a 'Lifetime' value exists with a short timestamp specified, these values do not appear to be evaluated when testing whether credentials are valid.)

Since login requires a valid internal domain, the internal NetBIOS name will have to be discovered. This is sometimes easy to guess if it is similar to the organization's domain name, but for those domains consisting of cryptic initialisms or shorthand names, Skype again lends a helping hand. Skype for Business is normally configured with a number of directories protected by NTLM authentication. NTLM authentication can be disabled, but in my experience it rarely is. In real-world testing, the '/abs/' directory on the 'Dialin' or Front-End Skype4B server is a reliable target (e.g., and ). If you browse to this path in a browser, a prompt will appear requesting authentication. Other paths that will likely be protected with NTLM authentication include:

To extract the internal server name, NetBIOS domain name, and full DNS domain name, all you need to do is fire up Nmap with the 'http-ntlm-info' script and point it at a directory protected by NTLM authentication:

nmap -v -Pn -sS -p443 --script http-ntlm-info --script-args http-ntlm-info.root=/abs/

Figure 5 – Internal NetBIOS Domain Name Revealed via NTLM

As shown in the screenshot, the internal NetBIOS domain name is CONTOSO. We will use this vital piece of information to next perform a user-enumeration timing attack against the back-end WebTicket service that was identified in the Dialin and Scheduler portals.

User-Enumeration Timing-Attack Vulnerability

Another information-leaking vulnerability exists in the authentication process in Skype4B that enables an attacker to enumerate valid domain accounts.
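As an added illustration, not code from the TrustedSec post, here is a small Python parser for the NTLM Type 2 challenge that an NTLM-protected path such as /abs/ returns in its 401 response. It reads the same TargetInfo block that the http-ntlm-info scan above reports, so a defender can see exactly which internal names a Front-End server volunteers before any credentials are sent. The challenge bytes are constructed inline: CONTOSO is the page's example domain, while the host names are made up.

```python
import base64
import struct

AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}  # MS-NLMP AvId
NEGOTIATE_UNICODE = 0x00000001      # payload strings are UTF-16LE when set
NEGOTIATE_TARGET_INFO = 0x00800000  # a TargetInfo block is present when set

def parse_ntlm_challenge(blob: bytes) -> dict:
    """Extract the name/domain AV_PAIRs from an NTLM Type 2 (CHALLENGE_MESSAGE) blob."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", blob, 20)[0]
    if not flags & NEGOTIATE_TARGET_INFO:
        return {}  # nothing to leak: the server sent no TargetInfo block
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)  # TargetInfoFields
    info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)  # AvId, AvLen
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode(enc)
        pos += av_len
    return info

def parse_www_authenticate(header: str) -> dict:
    """Parse the token from a 'WWW-Authenticate: NTLM <base64>' header value (HTTP 401)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge token")
    return parse_ntlm_challenge(base64.b64decode(token))

def build_sample_challenge() -> bytes:
    """Constructed Type 2 message for demonstration; the host names are made up, not captured."""
    pairs = [(2, "CONTOSO"), (1, "LYNC-FE01"), (4, "contoso.local"), (3, "lync-fe01.contoso.local")]
    target_info = b"".join(struct.pack("<HH", i, 2 * len(v)) + v.encode("utf-16-le") for i, v in pairs)
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL
    target_name = "CONTOSO".encode("utf-16-le")
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                        # Signature, MessageType
    msg += struct.pack("<HHI", len(target_name), len(target_name), 48)  # TargetNameFields; payload starts at 48
    msg += struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)  # NegotiateFlags
    msg += bytes(range(8)) + b"\x00" * 8                                # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), 48 + len(target_name))  # TargetInfoFields
    return msg + target_name + target_info

def build_sample_header() -> str:
    return "NTLM " + base64.b64encode(build_sample_challenge()).decode("ascii")  # as seen in a 401 response
```

Point parse_www_authenticate at the WWW-Authenticate value your own Front-End server returns for /abs/ to confirm whether it discloses the internal NetBIOS and DNS names.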
