SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.
Check it out on our new blog! http://blog.securestate.com/post/2011/02/24/New-Module-for-the-Metasploit-Framework-Released-by-SecureState.aspx