The owa-enum.pl Program
The owa-enum.pl program performs multiple queries to the user directory search page of a specified Microsoft Outlook Web Access (OWA) service and dumps the results in a delimited text file suitable for importing into database tools.
Synopsis
owa-enum.pl options base-url
base-url is the base address of the OWA service, say https://webmail.example.com
options are zero or more of the following:
-v | Verbose mode, reports progress |
-n | Don't try to remove duplicates |
-f text | Text to put in empty fields |
--delim str= | Output field delimiter, "|" (vertical bar) by default |
Description
The program starts by trying each character from the alphabet [a-z 0-9]. If the search returns nothing, it goes to the next character. If it returns "too many items", it recursively adds more characters. If the search returns useful data, it is printed to the standard output.
The program's comments and messages are in Portuguese. Someday I'll have them translated.
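From the defender's side, the recursive prefix walk described above leaves a recognisable trail in the web server's logs: one client issuing many short searches, each extending an earlier one by a single character. The following is an added example, not part of owa-enum.pl or of the original page; the two-field log format, the /directory-search path and the use of DN as the query parameter name (taken from the "Buscando DN=" messages) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
import re

# Short search terms drawn from the alphabet the walk uses ([a-z 0-9]).
TERM = re.compile(r"^[a-z0-9]{1,4}$")

# Constructed sample: "client-ip request-target" (placeholder path, assumed DN parameter).
SAMPLE_LOG = """\
203.0.113.9 /directory-search?DN=a
203.0.113.9 /directory-search?DN=aa
203.0.113.9 /directory-search?DN=ab
203.0.113.9 /directory-search?DN=ac
203.0.113.9 /directory-search?DN=b
203.0.113.9 /directory-search?DN=ba
198.51.100.4 /directory-search?DN=silva
198.51.100.4 /directory-search?DN=abrolhos
198.51.100.4 /directory-search?DN=ab
"""

def walk_steps(terms):
    """Count searches that start a one-character prefix or extend a prefix
    the same client already searched by exactly one character."""
    seen, steps = set(), 0
    for term in terms:
        term = term.lower()
        if not TERM.match(term) or term in seen:
            continue  # long, human-looking or repeated searches are ignored
        if len(term) == 1 or term[:-1] in seen:
            steps += 1
        seen.add(term)
    return steps

def suspicious_clients(log_text, param="DN", threshold=5):
    """Return {client_ip: walk_steps} for clients at or above the threshold."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip lines that do not fit the assumed format
        ip, target = parts
        values = parse_qs(urlsplit(target).query).get(param)
        if values:
            per_client[ip].append(values[0])
    flagged = {}
    for ip, terms in per_client.items():
        steps = walk_steps(terms)
        if steps >= threshold:
            flagged[ip] = steps
    return flagged
```

The threshold is a tuning knob: a person looking up a colleague rarely produces more than one or two prefix-extension steps, while the walk produces one per query.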
Sample Session
# ./owa-enum.pl -v https://webmail.exemplo.com.br
Logando para pegar os cookies...
- Pagina inicial de logon
- Pagina de acesso anonimo
- Pagina do formulario
- Cookies pegos:
Set-Cookie3: ASPSESSIONIDAABDBBBS=EAPJLLNACMNCFEKCDIFJLDDB; path="/"; domain=web
mail.exemplo.com.br; path_spec; discard; version=0
------------------
Buscando DN=a
Buscando DN=aa
Buscando DN=ab
|Abigail Exemplo da Silva||Abigail|||
|Abrolhos Cavalcanti de Teste|3456-7890|abrolhos|||
Buscando DN=az
|Azuretado de Oliveira||zureta|||
Ethical Issues
The kind of information this tool returns may be useful in "fingerprinting" a site, where a would-be 'attacker' tries to get to know as much information as possible (such as how many users it has, what are their naming conventions, what are the users' real and login names, phone numbers, departments, etc.) from its prospective victim.
This may lead some to believe this is an attack tool. It is not -- it just automates what can be done by hand, just as Google automates finding useful web pages.
Besides, not everyone that performs site fingerprinting is necessarily an attacker -- they might just as well be collecting statistics for some study.
If you don't want people to enumerate your domain's contact lists, don't publish them.
License and Downloads
This program is licensed under the CC-GNU GPL 2.0.
Addendum on 2008-Feb-19
Previously, the sample in this page used data I got from running this script at
www.procempa.com.br. Today I got this email from an account "admcorreio"
(mailadmin) apparently from that domain saying (my translation to English):
Mr Marco Carnut
We would like to request that you remove the data regarding the users of
our site, since we have already blocked the search through the script "owa-enum.pl".
I don't have the foggiest idea whether this request really came from them
(it's trivially easy to forge source email addresses) and I don't plan to check either.
Nonetheless, I changed the example to use fake data.
Whoever the authors of the email, I regret they said they "blocked the search through
the script owa-enum.pl" because that particular wording seems to reinforce the notion
I've previously discussed above that this script might be a problem. The problem, if
there is any, is having private data exposed on the Internet. (If the data wasn't
private, then there would be no problem -- but then they wouldn't be asking me to remove
it, would they?) I just hope they've blocked any kind of search, not only the
one this script performs. I don't plan to go any deeper on this, though.
Let me also make it very clear: I don't have anything for or against this institution
-- in fact, I don't know anyone there. I used them as an example just because it was
the first name that turned up in a Google search for sites using the old OWA version
when I originally wrote this page a few years ago.