If XML references the domain ‘’, then the Skype server in question is hosted by Microsoft and these attacks will not work. In the example below, the Front-End server is ‘’.įigure 1 – Lyncdiscover Domain Points to Front-End Server If the ‘lyncdiscover’ subdomain exists, it will serve an XML file that references the Front-End server. Microsoft’s recommended naming format for the autodiscover URL is:
Luckily, locating these servers is usually not an issue. This server will be our primary target throughout the attack. Locating the Front-End Serverīefore Skype4B can be attacked, it is necessary to determine the location of the Front-End server. In this blog post, I will walk through information gathering, user-enumeration, and brute-force attacks against an internal network, using only the attack-surface opened by a standard implementation of self-hosted Skype for Business.
In a very real sense, Skype4B provides a bridge from The Internet into a company’s internal network, allowing an attacker to interact with the internal Active Directory environment. This bit of convenience makes Skype4B an attractive target to attackers. Skype for Business, by design, is meant to encourage communication between individuals and it is often externally-accessible so that employees can stay connected 24×7 without the need for a VPN. When companies choose to host Skype for Business (previously Microsoft Lync) on-premises, they can inadvertently introduce a large attack surface. Note: For the sake of brevity throughout this post, Skype for Business and Microsoft Lync will both be referred to under the umbrella designation of ‘Skype4B’. If you’re using O365 wait for the next post.
#O365 SKYPE FOR BUSINESS FEATURES HOW TO#
TL DR: How to attack self-hosted Skype for Business (Lync) servers.
By TrustedSec in Penetration Testing, Security Testing & Analysis
0 kommentar(er)
