
Demo Labs - Carnivore


    Carnivore (Microsoft External Attack Tool)

    Target Audience: Offense

    Short Abstract (What is your tool, what does it do?): Carnivore is a username enumeration and password spraying tool for Microsoft services (Skype for Business, ADFS, RDWeb, Exchange and Office 365). It originally began as an on-premises Skype for Business enumeration/spray tool, as I was finding that these days organizations often seem to have locked down their implementations of Exchange; however, Skype for Business has been left externally accessible, and has not received as much attention from previous penetration tests due to the lack of tools as impactful as Mailsniper. Over time this was improved and built upon to bring the same service discovery, username enumeration and password spraying capability to Skype, ADFS, RDWeb, Exchange, and O365 all in the same tool. Carnivore includes new post compromise functionality for Skype for Business (pulling the internal address list and user presence through the API), and smart detection of the username format for all services. As a practical means of entry into an organisation – numerous external penetration tests have uncovered an on-premises Skype for Business or ADFS server even for organisations that have moved Mail/SSO/etc to the cloud.

    Detailed Description:
    Service Discovery
    Carnivore takes a domain name and attempts to discover and verify subdomains relating to each of the attackable services. It can also enumerate internal domain information necessary for username enumeration/password spraying by sending a blank NTLM type 1 message. For O365, autodiscovery is used to determine whether an organisation has a presence on O365 and whether the organisation is federated or not (this information changes how we password spray the organisation). This builds on the tool UhOh365; however, the specific means used in UhOh365 were not found to be 100% effective, so they were modified for Carnivore to now work for all organisations. If a service such as Skype is discovered and then found to be hosted by O365, this will also add the option to spray O365.
    Smart Enumeration
    Username enumeration using the "smart enumeration" option takes 9 lists of statistically likely usernames and tries the top one from each list until 3 are found to be valid from the same list; it will then automatically switch to enumerating from the discovered format. While other tools exist that capitalise on the known “timing-based difference” vulnerability for username enumeration, I wanted to improve on this by adding a “smart enumeration” option that automatically detects the username format and then enumerates only usernames of that format without the need for manually generated mixed username lists, or manually swapping between lists of different formats. Carnivore also uses the UPN format by default, as this is more likely to be in the email address style rather than payroll id/name and number/similar; however, it is possible to manually change this.
    Password Spraying
    Username enumeration is slow as it uses a timing-based difference, but it also means that even if the password is wrong, we at least get something (valid/invalid username). It is recommended that once the format is discovered with smart enumeration, a password spray attempt is tried before continuing with username enumeration. Password spraying is much faster (~10 mins instead of ~10 hours) and will hit the same possible usernames with a password, meaning that valid credentials will hopefully be uncovered quickly and without having to wait for username enumeration to finish. Carnivore is able to detect valid credentials for accounts in a number of different states (depending on the service) including SIP enabled, Password Expired and Account Disabled.

    For O365 - Carnivore first determines whether an organisation is federated or not (this determines whether we need to spray the O365 login portal or the company's ADFS server). If we spray the ADFS server, this is similar to the above, however, if we spray the O365 portal, it is possible to determine valid username/valid username+password/valid username+password with MFA. A number of measures are taken to try and avoid Smart Lockout, including the option to provide a proxy list for all functions.
    Post Compromise
    While it is possible to gain compromised credentials from Skype for Business with other tools such as Lyncsmasher and then pull the global address list using Mailsniper, this scenario is of little use if we only find Skype for Business exposed. For Skype for Business, Carnivore is able to use the UCWA API to search the internal address list, searching for common digraphs and trigraphs in an attempt to pull the majority of the global address list. The UCWA API is fairly poorly documented and the functionality does not always work as expected, i.e., searching for "r" may return 50 results with 1 Roger, searching for "ro" may now return 2 Rogers, "rog" may now add a third. Testing showed that searching for common beginnings of names as well as digraphs and trigraphs returned the majority of the address list.

    The information returned about users from the address list includes invaluable information for ongoing Social Engineering - including email address, job title, phone number, office location, any note on the account, and user "presence" (Offline/Online mobile/Online desktop).
    On a number of prior engagements, a misconfiguration with an organization’s Microsoft Web Application Proxy was found to prevent valid credentials working with the legitimate Lync client. For this reason Carnivore was improved to detect this issue and jump authentication to the correct server, meaning that we can pull the address list or send messages using Carnivore even when this issue renders it impossible with the legitimate Lync client.
    PGP Key:
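
A defender's view of the spraying behaviour described under Password Spraying, as an added example that is not part of the original post or of Carnivore: because a proxy list spreads attempts over many source addresses, the check counts distinct failing usernames service-wide per time window instead of per IP. The event tuple layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source IP, username, outcome).
# Hypothetical field layout; map it from your ADFS/Exchange/Skype auth logs.
def _build_sample():
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Low-and-wide pattern: 12 users, one failure each, rotated over 4 proxy IPs.
    for i in range(12):
        events.append((base + timedelta(seconds=30 * i),
                       f"198.51.100.{i % 4 + 1}", f"user{i:02d}@example.com", "FAIL"))
    # Normal noise: one user mistyping a password three times from one address.
    for i in range(3):
        events.append((base + timedelta(minutes=30, seconds=20 * i),
                       "203.0.113.7", "alice@example.com", "FAIL"))
    return sorted(events)

SAMPLE_EVENTS = _build_sample()

def detect_spray(events, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """Alert when many distinct users each fail only a few times in one window.

    Counting is service-wide, not per source IP, so rotating proxies does not
    hide the pattern.
    """
    fails = [e for e in events if e[3] == "FAIL"]
    alerts, start, skip_until = [], 0, None
    for end, (ts, _, _, _) in enumerate(fails):
        while ts - fails[start][0] > window:
            start += 1                      # slide the window forward
        if skip_until is not None and ts <= skip_until:
            continue                        # burst already reported
        per_user, sources = defaultdict(int), set()
        for _, ip, user, _ in fails[start:end + 1]:
            per_user[user] += 1
            sources.add(ip)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"window_end": ts, "users": len(per_user),
                           "sources": len(sources)})
            skip_until = ts + window
    return alerts

def max_users_per_source(events):
    """Distinct failed usernames per source IP: what a per-IP rule would see."""
    seen = defaultdict(set)
    for _, ip, user, outcome in events:
        if outcome == "FAIL":
            seen[ip].add(user)
    return max(len(users) for users in seen.values())
```

On the sample data the service-wide check raises one alert, while the busiest single source only ever touches three usernames, which is why a per-IP threshold alone misses a proxied spray.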