Today, SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.

The module that SecureState developed can be used to test credentials against both 2003 and 2007 servers. Because the module is implemented within the Metasploit Framework, it takes advantage of the features available within it such as logging credentials to the internal database. SecureState has submitted this module to the Metasploit Developers and is awaiting its integration with the Metasploit Trunk.

A link to the tool can be found at http://www.securestate.com/Services/Profiling–Penetration/Pages/Tools.aspx

More information on the Metasploit Framework can be found at http://www.metasploit.com