{"id":524,"date":"2016-02-10T21:40:37","date_gmt":"2016-02-10T21:40:37","guid":{"rendered":"http:\/\/www.hackwhackandsmack.com\/?p=524"},"modified":"2016-02-10T21:40:37","modified_gmt":"2016-02-10T21:40:37","slug":"brute-forcing-microsoft-lync-via-ntlm","status":"publish","type":"post","link":"https:\/\/www.hackwhackandsmack.com\/?p=524","title":{"rendered":"Brute-forcing Microsoft Lync via NTLM"},"content":{"rendered":"<p>Ok, so there is good reason why Lync, like any single-factor system, should not be accessible over the Internet. BRUTE-FORCE will usually prevail!!!!<\/p>\n<p>I installed Burp\u2019s certificate on my Windows host and attempted to log in from Lync (from this I saw an\u00a0HTTP NTLM login request to https:\/\/lyncwebact.customer.com\/WebTicket\/WebTicketService.svc).<\/p>\n<p>NTLM, like many other services, is fairly simple to brute-force, or to attempt one password guess against many accounts. I have used Hydra for this once before, but a colleague recently wrote a pretty decent Python\u00a0script that makes it even easier, and you don&#8217;t need to know all the switches etc. (<a href=\"https:\/\/github.com\/strawp\/random-scripts\/blob\/master\/ntlm-botherer.py\">https:\/\/github.com\/strawp\/random-scripts\/blob\/master\/ntlm-botherer.py<\/a>).<\/p>\n<p>Anyway, to make obtaining the NTLM URL simple, I wrote a quick Python script that locates the company DNS records for lyncdiscover and then finds the NTLM URL, as shown below:<\/p>\n<p><a href=\"http:\/\/www.hackwhackandsmack.com\/wp-content\/uploads\/2016\/02\/lyncmicrosoft.png\" rel=\"attachment wp-att-525\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-525\" src=\"http:\/\/www.hackwhackandsmack.com\/wp-content\/uploads\/2016\/02\/lyncmicrosoft.png\" alt=\"lyncmicrosoft\" width=\"1122\" height=\"287\" \/><\/a><\/p>\n<p><a 
href=\"https:\/\/github.com\/benpturner\/h00k\/blob\/master\/python\/lyncdiscover.py\">https:\/\/github.com\/benpturner\/h00k\/blob\/master\/python\/lyncdiscover.py<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ok, so there is good reason why Lync, like any single-factor system, should not be accessible over the Internet. BRUTE-FORCE will usually prevail!!!! I installed Burp\u2019s certificate on my Windows host and attempted to log in from Lync (from this I saw an\u00a0HTTP NTLM login request to https:\/\/lyncwebact.customer.com\/WebTicket\/WebTicketService.svc). NTLM, like many other services, is&hellip; <a class=\"more-link\" href=\"https:\/\/www.hackwhackandsmack.com\/?p=524\">Continue reading <span class=\"screen-reader-text\">Brute-forcing Microsoft Lync via NTLM<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/524"}],"collection":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=524"}],"version-history":[{"count":1,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/524\/revisions"}],"predecessor-version":[{"id":526,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/524\/revisions\/526"}],"wp:attachment":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"
https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}