Hello, welcome to the Monday, September 27, 2021 edition of the Sandstone at Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

These days, one of the main sources how users are connecting to networks is mobile devices. And of course, they may not necessarily connect

to your network, but they may connect various ISPs and connectivity methods like that in order

to connect to your resources, like, for example, exchange servers. We got an interesting diary by Xavi, where he outlines how you can use this to get

advantage in order to get an inventory of all of the mobile devices or device in general

being used in your organization.

As part of the Microsoft Exchange platform.

You'll be using something called Active Sync.

And ActiveSync does report back quite a bit of details about the particular client connecting.

So you should be able to, for example, identify what hardware is being used, whether it's an Apple

device or Samsung or LG or whatever,

but also what operating system and version is installed on that device.

So this would, for example, help you identify devices that are out of date

and that may not necessarily connect to your network directly,

but only connect to it by connecting

to the Exchange Server.

Talking about connections to Exchange servers on Friday, I believe it was, where I mentioned

a vulnerability that was discovered by Garty Core, and the nature of this vulnerability was that the exchange clients

are attempting to order-discover the configuration, also the host name of a local exchange server,

and in the process, they may be leaking credentials to various servers around the internet in particular, anything

ought to discover, dot, and then a top level domain.

We now have a list of possible domain names that are abusing this.

...