External Penetration Testing 101: Targeting Login Portals (Part-2)

Greetings Readers !

In my last blog post, I discussed the initial four steps of my external penetration testing methodology. We started by verifying the scope, then moved on to discovering subdomains and endpoints, followed by some directory busting, and finally, scanning for vulnerabilities. If you haven’t had a chance to read it yet, I recommend doing so to better understand the context. read it here!

Now, in this new blog post, we’re diving into action. We’ll be enumerating users and attempting to brute-force commonly found login portals such as O365. This step is a subpart of directory busting covered previously.

Introduction To login Portals

Login portals, also referred to as authentication portals or login screens, are basically web interfaces where users input their credentials like username and password. These portals act as gateways, allowing users to prove their identity before they can get into a specific system, service, or app.

It’s like the front door where you need the right keys (your credentials) to get in and access whatever’s inside.

Login portals are commonly used in various contexts, including:

1. Email Services: Portals like Outlook Web Access (OWA) or Gmail’s login page, where users enter their credentials to access their email accounts.
2. Enterprise Systems: Portals used by employees to access internal company resources such as intranet sites, HR systems, or project management tools.
3. Online Banking: Portals provided by banks where customers log in to access their accounts, perform transactions, and manage their finances.
4. Cloud Services: Portals like Microsoft Office 365 (O365), Google Workspace, or Amazon Web Services (AWS) login pages, where users authenticate to access cloud-based productivity tools, storage, or computing resources.
5. Social Media Platforms: Platforms like Facebook, Twitter, or LinkedIn have login portals where users enter their credentials to access their profiles and interact with the platform.

Imagine we stumble upon a login page and want to get past it. But to do that, we need the right login details — like a username and password — to unlock access to confidential information. which brings us to the user enumeration part of the blog.

Finding the Right Type of Account

When it comes to exploiting Office 365 accounts, it’s essential for a pentester to discern whether the implementation of O365 is managed or federated.

• a managed domain goes through O365 for authentication
• a federated domain, authentication goes through local AD set up by organisation and is always done through on premises Active directory infrastructure.
• This means that if on-premise server goes down, User not connected internally to AD could lose access to things like email and office 365 suite temporarily until connection is restored.
• Federated accounts are more complicated and much harder to exploit.

To find out if a Office 365 account is managed or federated there is a script provided by NETSPI .

User Enumeration — Finding the right Nemo

Companies often adhere to specific email address formats, with common patterns like “{firstname}.{lastname}@domain.com” or “{f}.{lastname}@domain.com” prevailing. Understanding the email format used by the target company is crucial for external penetration testing.

We can find the format of emails using online tools like hunter.io and phonebook.cz

We know any login portal requires both a username and password for access. Username acquisition can occur through various means:

1. Leaked Credentials : Gitrob, Gitlab, dehashed
2. Statistical Username Enumeration (my Go to list !)
3. Using enumeration tools like Harvester
4. Abusing Functionalities like forgot password
5. Job Postings

How Many Passwords Does it Take to Change a Lightbulb? Brute Forcing Our Way Through!

After finding the list of usernames it’s time to do some password brute-forcing. Most common tools used are trevorspray, Spray 365, Go365 and O365 spray.

Make sure while performing a brute-force, reduce the number of requests to avoid account lockout. Some of them are really sensitive to brute-forcing :)

Closing it Up…

This concludes our External Pentesting series. While it may not have been exactly what you expected, it’s important to understand that simulating these types of techniques could lead to serious legal issues, and I’m not looking to end up in jail just yet.

We play it safe !!

If you found this blog helpful, feel free to give it a clap (it keeps me motivated) and follow for more content like this.

Connect with me: https://linktr.ee/n1chr0x