Last updated at Wed, 03 Jan 2024 21:07:35 GMT

At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customers' security that can only come from actively trying to break it! In this series, we're going to share some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization's security.

This is a story of how a well defended network was compromised through user enumeration; a vulnerability which many organizations do not consider to be a “real” vulnerability. For the uninitiated, user enumeration vulnerabilities are application behaviors that could allow a malicious actor to determine valid usernames on a service. They are commonly exploited to set up follow-on attempts to guess users’ passwords.

I was tasked with performing an external penetration test for a midsize company. I began the engagement by performing port scanning and service enumeration, and discovered a small number of accessible web services. This led to a wonderful discovery: Outlook Web Access (OWA) was exposed! OWA suffers from a user enumeration vulnerability in which authentication requests involving valid usernames produce different responses than authentication requests involving invalid usernames. This could allow a malicious actor to submit unlimited authentication requests with different usernames, and use the responses to determine whether a given user exists in Exchange or not. We believe that Microsoft has been aware of this problem since 2014 but has not yet patched it. Some security professionals speculate that this may be because Microsoft (like many other companies) does not consider user enumeration to be a vulnerability.

I quickly began user enumeration against this service. After harvesting employee names from LinkedIn, marketing databases, and password breach databases, I coerced the employee names into a username format and verified them against OWA. Once done, I pulled popular names from US Census data and found additional valid usernames. When all was finished I was in possession of hundreds of usernames I could employ for password spray attacks set up through Metasploit. It took just one attempt to find success: a support engineer was using a classic weak password which is compliant with most password policies, [season][year][special character]!
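The enumeration described above (one request per candidate username against OWA) and the password spray that followed it share a shape that a defender can look for in authentication logs: one source trying many distinct usernames with only one or two attempts each, rather than one user retrying their own password. The script below is an added example for this post, not Rapid7's tooling or Microsoft's; it runs over a constructed, simplified log format (`timestamp source_ip username result`), and the window and thresholds are illustrative assumptions rather than published detection guidance.

```python
"""
Detect user-enumeration / password-spray patterns in authentication logs.

Added example (not Rapid7's code). Assumes a simplified, constructed log
format with one logon attempt per line:
    <ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>
Window size and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 cycles through many usernames with a
# single attempt each (spray / enumeration shape) and finally succeeds, while
# 198.51.100.7 is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2024-01-03T10:00:01Z 203.0.113.5 alice FAIL
2024-01-03T10:00:02Z 203.0.113.5 bob FAIL
2024-01-03T10:00:03Z 203.0.113.5 carol FAIL
2024-01-03T10:00:04Z 203.0.113.5 dave FAIL
2024-01-03T10:00:05Z 203.0.113.5 erin FAIL
2024-01-03T10:00:06Z 203.0.113.5 frank FAIL
2024-01-03T10:00:07Z 203.0.113.5 grace FAIL
2024-01-03T10:00:08Z 203.0.113.5 heidi FAIL
2024-01-03T10:00:09Z 203.0.113.5 ivan FAIL
2024-01-03T10:00:10Z 203.0.113.5 judy FAIL
2024-01-03T10:00:11Z 203.0.113.5 support.eng SUCCESS
2024-01-03T10:05:00Z 198.51.100.7 alice FAIL
2024-01-03T10:05:20Z 198.51.100.7 alice FAIL
2024-01-03T10:05:40Z 198.51.100.7 alice SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_USERS = 5           # assumed: "many usernames from one source"
MAX_ATTEMPTS_PER_USER = 2        # assumed: at most a couple of tries per name


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return {source_ip: summary} for every source that, within one window,
    tried at least `min_users` distinct usernames with no more than
    `max_per_user` attempts per username.  The summary lists any usernames
    that succeeded during that window so responders know which accounts
    to treat as compromised (the support engineer in the story above)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        # Slide the window start over each event from this source.
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, _, user, _ in in_window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = {
                    "distinct_users": len(per_user),
                    "attempts": len(in_window),
                    "compromised": sorted(u for _, _, u, r in in_window if r == "SUCCESS"),
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} users, {f['attempts']} attempts, "
              f"successes for {f['compromised']}")
```

Run stand-alone, the script flags only 203.0.113.5 (11 distinct usernames, one attempt each, one success) and ignores the legitimate retries from 198.51.100.7. In a real environment the same logic applies to OWA/IIS logon failures or Windows 4625/4624 events once they are normalized to the four fields above; the point is that a low-and-slow spray is invisible to per-account lockout counters but obvious once attempts are grouped by source and counted by distinct username.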

I logged into this user’s email, enumerated their inbox, and found users sending support requests that contained passwords and sensitive information over plaintext! If a malicious actor were to obtain these, they could potentially log into other accounts owned by this company’s clients or employees given the prevalence of password reuse. I also extracted the Exchange Global Address List that contained every email address in the company which would prove incredibly useful for further password spray attacks (or in the hands of a malicious actor, for a business email compromise attack).

Finally, I observed that VMware Horizon, a system used to provide remote access to employee workstations, was accessible to the public internet. When attempting to log in using the compromised credentials, it was discovered that multifactor authentication was not being employed. I identified an active Windows virtual machine and logged in over RDP, giving me a foothold in the client's internal network. This entire attack chain took less than an hour, and the ingress into internal systems went undetected by my client.

My client was stunned, to say the least, but through our partnership we identified a set of controls which would mitigate all of the identified vulnerabilities. Our subsequent conversations were also able to surface other issues outside of the pentest scope which we helped address, and together we were able to dramatically reduce their organization's attack surface.

We believe this assessment demonstrates the value of a penetration test: vulnerability scans will not flag findings such as OWA user enumeration, users employing weak passwords that still comply with password policies, and a lack of MFA. Through our penetration testing assessments, we can also demonstrate a more holistic picture of the risks that our clients face by identifying and chaining disparate vulnerabilities together in the way that only a skilled human can. We can then partner with them to ensure swift mitigation using a strategy that is tailor made for the client’s individual environment.