quentin's blog

Office 365 User Enumeration Reloaded

During a recent engagement, we tried to enumerate email accounts by abusing a previously reported user enumeration issue affecting Office 365, but found out it no longer works.

In the past, sending authentication requests to ActiveSync with the Basic HTTP authentication mechanism would return a different status code depending on the user's existence: a 404 meant the user did not exist, a 401 meant the user existed. We don't know exactly when Microsoft released that specific update, but it now returns a 401 whether the user exists or not.

We therefore had to find another way. By looking at HTTP responses from ActiveSync, we identified that it still leaks information about the user's existence: whenever the HTTP response header X-MailboxGuid is set, the user exists.

We packed everything into a Python3 script that reads usernames from a text file and outputs each user and its validity as CSV. You can find it at https://github.com/gremwell/o365enum. It also includes a user enumeration technique based on the Office.com login page.

Man-in-the-Conference-Room - Part II (Hardware Hacking)

In this post I'll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage. If you missed the introductory post, you can find it here: Man-in-the-conference room - Part I (Introduction). Let's start right away!

If we remove the two enclosure screws and open it up, we immediately identify two pin header slots:

Man-in-the-Conference-Room

Back in 2017 a small device appeared on my desk: a wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it first.

The idea behind those devices is pretty simple: instead of running from meeting to meeting with HDMI and VGA cables in your pockets, you leave a device connected to a presentation screen at all times and let presenters connect to it using a client application on their laptop or smartphone. These presentation devices are usually deployed in large companies or universities and cost between $800 and around $1800 depending on the features they offer.

The device in question was an Airmedia AM-101, and in this blog series I'll describe my complete process of testing it. Hopefully this can be used as some kind of cheat sheet for folks starting in the field.
