This repository has been archived by the owner on Oct 17, 2022. It is now read-only.

Unsure if this is really an issue--I may just be doing it wrong #41

Open
jnwilson opened this issue Oct 12, 2021 · 1 comment

Comments

@jnwilson

I tried to use the atomizer against a Windows 2016 server running a vanilla install of Exchange 2016.
The target I used was https://mail.my-domain.tld (where my-domain and tld were given the appropriate values for my setting).
Any username:password combination would yield "Found" because the GET requests they generate give a 200 response, but none of them actually logged in.

I modified the code to do a POST request appending /owa/auth.owa to the mail host URL and provided username, password, destination, flags, and forcedownlevel parameter values.

Was I doing it wrong or does this make sense?
I don't see how I could use the tool as it is built to properly spray the HTTPS OWA instance.

@jnwilson

Code mods I made were in core/sprayers/owa.py.
