Nytro Posted February 11, 2016 Report Posted February 11, 2016 Brute-forcing Microsoft Lync via NTLM FEBRUARY 10, 2016 BY BEN LEAVE A COMMENT Ok, so there is good reason why Lync should not be accessible over the Internet similarly to any single factor system. BRUTE-FORCE will usually prevail!!!! I installed burp’s certificate on my Windows host and attempted to login from Lync (From this I was an HTTP NTLM Login request to https://lyncwebact.customer.com/WebTicket/WebTicketService.svc). NTLM like many other services is made fairly simple to brute-force or attempt one password guess against many accounts. I have used hydra for this once before but a colleague recently wrote a pretty decent python script that makes it even easier and you don’t need to know all the switches etc (https://github.com/strawp/random-scripts/blob/master/ntlm-botherer.py). Anyway, to make obtaining the NTLM url simple I wrote a quick python script that located the company DNS records for lyncdiscover and then finds the NTLM url as shown below: https://github.com/benpturner/h00k/blob/master/python/lyncdiscover.py Sursa: http://www.hackwhackandsmack.com/?p=524 Quote
