LyncSniper is an essential tool for any external penetration test or red team engagement. It performs brute-force and password spraying attacks against Skype for Business to obtain valid credentials. LyncSniper was written by @domchell of the MDSec ActiveBreach Team. MDSec put out an awesome blogpost detailing exactly how LyncSniper works and what you can do with valid Skype for Business credentials here. Big thanks to everyone who has contributed to the tool!
LyncSniper’s Invoke-LyncSpray function will take a list of e-mail addresses and attempt to authenticate to Skype For Business with a single password (e.g. Summer2018). Based on the response, LyncSniper is able to determine whether an authentication attempt was successful as well as if the username provided was a valid username (when using the -Office365 flag).
What’s the fuss about obtaining Skype for Business credentials? In the past, I’ve been able to log-in to Office 365 e-mails and even log-in directly to a company’s VPN to gain direct access to the internal network.
I added a couple lines of PowerShell that will save all invalid usernames and cross-check this with the initial list of e-mails and output a clean list of e-mails. This saves time in future LyncSniper attempts as well as lets you know which e-mails are valid for future social engineering attempts.
I’ll walk you through how I have used LyncSniper on previous pen tests and then introduce the small changes I made.
Open-Source Intelligence (OSINT)
Open-source intelligence is essentially any data about a company or its employees that is publicly available through websites such as Google or LinkedIn.
In the case of LyncSniper, we’re looking to obtain a list of employee e-mail addresses. This can be done by researching current employees at the company and the format in which a company turns names into e-mails. Below are a few tools or techniques I like to use:
- A tool that ships default on Kali Linux 2 and scrapes various search engines for e-mail addresses and other interesting information.
- https://github.com/initstring/linkedin2username (Python scraper)
- Note: This uses your LinkedIn session/credentials, so use a fake LinkedIn account because scraping is against the ToS!
- Salesforce product that can help identify employee names. They’re removing this service come May 4, 2019 so use it while you can!
- Note: You’re supposed to pay to export data. However, you can search up employees of a company and then copy the table into Excel, then grab the names and copy them into a text document.
Once you have a large list of employees, you have to research how the company formats employee e-mails. Some formats I have seen: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com. Search around and you should be able to find an example. Often times, the company’s executive team publicizes their contact information in conferences/talks/events which you can find on Google ;)
LyncSniper has two main modules: Invoke-LyncSpray and Invoke-LyncBrute.
I’ll be focusing on Invoke-LyncSpray as this is less likely to lock out accounts and generally what I use. You can run Invoke-LyncSpray as follows:
Invoke-LyncSpray -UserList C:\Users\path\to\userlist.txt -Password Summer2018 -Office365 -Verbose -Delay 5000
This will attempt to authenticate to Skype for Business with the e-mails in the user list provided with a single password, in our case ‘Summer2018’. Some common passwords I will use in spray attempts can be found here: https://github.com/SpiderLabs/Spray/blob/master/passwords-English.txt. The output will return successful authentication attempts and tell us which e-mail addresses were invalid.
Kicking Out The Garbage!
To remove invalid usernames from the user list I used to go through one-by-one and delete e-mails that LyncSniper told me were invalid. I had enough and figured I could save myself a couple minutes every pen test if I automated this!
First, I created an ArrayList to store the invalid usernames in the Invoke-LyncSpray function.
Invoke-LyncSpray calls the Invoke-AuthenticateO365 function when the -Office365 flag is used. Invoke-AuthenticateO365 is able to determine when a username does not exist. Thanks to @cobbr for adding this feature! I added all invalid usernames to $InvalidUsernames with the following.
Lastly, I check if the user specified the -Office365 flag and compare $UserList to $InvalidUsernames and output all valid usernames to <original user list>_validusers.txt.
Thanks for reading! I hope you learned a little something about LyncSniper, performing OSINT, password spraying or PowerShell today. Thanks again to @domchell for the amazing tool! Thanks @dotslashpeaches for showing me the song that inspired the title of this post. If you spot any errors, please let me know by Twitter @slyd0g or e-mail firstname.lastname@example.org.
LyncSniper: A tool for penetration testing Skype for Business and Lync deployments - mdsecresearch/LyncSniper