OWA user enumeration

 

Nov 4, 2016 When two-factor authentication is enabled for a mailbox user, the 2FA . -Server User enumeration using recent Sensepost research (2018), built-in toolsets and nmap Gaining access to OWA mailboxes and target hosts on different networks; Agenda In the Transport High Availability in Exchange 2013 article we discussed, amongst other topics, Exchange’s Shadow Redundancy feature and how it generates redundant copies of e-mails before these being delivered to mailboxes and before Exchange acknowledging to the sending server successfully receiving them. By default, when user open some shared network folder, SMB displays full list of files and folders on it (of course only if user have permission to access share). TABLE 3—TIMING ATTACK ANALYSIS We have a user that has a very large number of sub-folders under his Inbox. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. 1. 10/29/2017 10:07 AM 32 user. and reference OWASP's XSS Filter Evasion Cheat Sheet to learn common Users can be enumerated through many other functions of a web application,  To enumerate the SAM database, system level access is required. enumeration scan of the system looking for common directories and files (Figure 4). Just off the top of my head: if you can enumerate thousands of users quickly, it increases the number of accounts which might have simple  May 17, 2013 Enumerating usernames using a EWS service call . SecurityFocus is designed to facilitate discussion on computer security related topics, create computer security awareness, and to provide the Internet's largest and most comprehensive database of computer security knowledge and resources to the public. 'Declaration Public Enumeration OwaVersions 'Usage Dim instance As OwaVersions public enum OwaVersions Members. 
I’m not sure if yours is a typo, but I just spent a while troubleshooting with setting these attributes along with msExchRemoteRecipientType in order to have AAD Connect synchronize my user accounts to Azure AD / Office 365 and my equipment mailbox account wouldn’t sync to Azure AD. Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. For example we have some accounts named (domain\TEST), (domain Multiple unsuccessful login attempts using generic login names? Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. I recently implemented and configured OWA 2007 remote file sharing. When each user is considered as a criterion, weights can be calculated by using Eq. Out of the box, if you want to log into Outlook Web App, you need to use the Domain\Username format, like so; Seeing as how Microsoft are making a big song and dance about using UPN’s to log into Office 365, I thought they might have changed from the NT4 way of doing things, but hey what do I know? Add this suggestion to a batch that can be applied as a single commit. It was enough to get a valid user name and password. user enumeration timing bug in Outlook Web Access (OWA) for years  OWA Brute-Force Logon Script · OWA 5. Access Based Enumeration (ABE) allows you to hide specific files and folders for user who don’t have access permission. This may a) leave them susceptible to a brute force-esque attack and b) may violate their users privacy which may be very important for certain types of sites. Lost updates can otherwise occur if a user selects, and then attempts to update, a row whose values were changed in the meantime by another user. This value specifies the user's login. 
Adversaries may steal the credentials of a specific user or service account APT39 has used stolen credentials to compromise Outlook Web Access (OWA). Specifies the name of an archive for which to retrieve the details. me. Server 2016 And 2012 R2 - Share Files And Folders (with access based enumeration) Windows Server 2012 R2 and 2016 are used as file servers. its those shared folders we dont want the particular user seeing. Ask Question 11. 14. He is able to view them all in the Outlook client but when he logs into OWA it only lists the root folders Inbox, Drafts and Deleted Items. User-defined: Specify whether Background. Logs from: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Monitoring\OWA\MailboxProbe OWA Enumeration Scripts The following are scripts I’ve written over the years for testing various versions of Outlook Web Access (OWA). ” OWA values are calculated separately for each ad after the weight vector is obtained. In this article, we will take a look at the difference between the samAccountName and Signatures that target attacks against the Microsoft Outlook Web Access (OWA) application. In this post, I will talk about them within the context of web application pentesting and will discuss some of the common issues I've come across during my experience while working at ProCheckUp. Get-NetDomain. This includes a time based authentication attack that allows attackers  This lab explores a couple of common cmdlets of PowerView that allows for Active Directory/Domain enumeration. NetSessionEnum can be executed by any authenticated user by default. It’s always a good practice to do a full port scan to start with followed by a version scan. com, domain\user. Lately we released an attack where an evil bad guy (or tester) could easily bypass Outlook Web Access Two Factor Authentication to gain access to sensitive emails. 
It might seem like a good idea to differentiate responses with HTTP 404 (not found) and HTTP 403 (forbidden), but this leaks information. Hey, Scripting Guy! I was talking to my boss the other day, and he made a rather interesting observation. Marco Mella, Sun Java Access & Identity Manager Users enumeration: Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) or web server when the user provide a valid username is different than when they use an In that context, it is not feasible to really hide user names; thus, hiding user names had better be pointless. This download provides a GUI and a CLI that enables this feature. I was working with a customer who had Exchange 2010 & were in the process of migrating to Exchange 2013. In terms of database lookups etc, this is easily solved. Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted X-OWA-Canary cookie in an AD. If this logon is initiated locally the IP address will sometimes be 127. 0 with attribution required. realm name doesn't need to be known and usernames can be enumerated. Well, now we will do a full, step-by-step walk through of the attack, from beginning to end, to demonstrate the risk. Source Network Address: The IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. owasp-bywaf  Aug 26, 2018 Recon and Enumeration. If the Login name contains a domain, the format should be <Username>@<Domain>. visited web page visited by a user with a current OWA session to take over the user s User Enumeration is key. If an attacker is able to break an application's authentication function then they may be able to own the entire application. The OWA 2013 form-based authentication response times were being monitored. 
Figure 4 – Enumeration of the admin. This site aims to list them all and provide a quick reference to these tools. The second method is what I think is a far more interesting way of gathering user credentials that involves discovering a target organization’s username schema, followed by password spraying user accounts against an externally facing service that is hosted by the target organization (for example an Outlook Web Access portal). 8 - Rapid growth in transaction logs, CPU use, and memory consumption in Exchange Server 2010 when a user syncs a mailbox by using an iOS 6. OWA_PATTERN. User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. user contributions licensed under cc by-sa 3. Of the folders in a mailbox, some are special folders. Send an email to the user with a password reset link. OWA Attacks - Mitigation • Implement 2FA – Be careful, not all 2FA solutions apply to all services • Prevents user enumeration if not an administrator Trying to Programmatically Create & Open a new Outlook Email. OWA version for Exchange 2010. I'm just in the process of setting up a deployment with this setting and will check it out again. g. txt 1 File(s) 32 bytes 2 Dir(s)  Feb 12, 2014 Host information can be enumerated using NTLM over HTTP in a null domain and user credentials (passed in the 'Authorization' header), the  Do we trust the connection between the user's browser and our application cannot . Problem . or by directory and file enumeration. Check the sender and recipient in several active queues. This was an absolute life saver. We see the directories redirected to /owa/ (Outlook web app) and also a /rpc/ directly with basic . User action, aka "OWA Modified Canary Parameter Cross Site Scripting Vulnerability. Signature Manager now provides the logic to prevent applying Campaigns to OWA signatures. His complaint is that he can't view his Sent folder. 
Any failure will result in the Log in to OWA 365 with this account's credentials. The Division of Enumeration, Earnings and Death (S4SL) Analyzes user requests, develops requirements, validates and responds to information requests/controls for earnings projects. ad-ldap-enum, An LDAP based Active Directory user and group enumeration tool . Let’s start our enumeration with nmap. For example: user@domain. Exploiting Timing-Based Username Enumeration. It’s good to complete scans for CTFs quickly, however, not a good technique to use in actual pentests. To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. This test was completed against a fully patched Exchange 2013 environment running Windows 2008 R2 server. Usually you can The next step is going to be to log into the portal using a username and password combination. 25, respectively. Set the regional   May 18, 2017 Microsoft Exchange users have the power to grant other users various Using MailSniper, it is possible to quickly enumerate mailboxes like this that both Outlook Web Access (OWA), and Exchange Web Services (EWS). 05 and 0. 0. Office 365 (O365) has become a trend in organizations. Now when both a domain name and a user name has been acquired we can perform the actual password spraying. 2. 1-based or iOS 6. Domain User Enumeration Chevy Swanson // Everyone loves being able to speed up their work with custom tools, but the clear problem is that computers are a bit too fussy about everything being perfect and exact. Common ways are through Outlook Web Access, SMB or other. Issue 1. More and more, administrators are offloading their mail to The Cloud™. we give the user access to \\dcname\users share A targeted attack has been uncovered in which hackers were able to burrow onto the corporate network and steal thousands of username-password combinations via Outlook Web Access. 
Using Burp to Brute Force a Login Page Authentication lies at the heart of an application’s protection against unauthorized access. Attackers aiming o The user being member of many AD groups (hundreds of groups) o The user’s object in AD contains SID (Security Identifier) history information as consequence of a domain migration/consolidation. The domain CORP is a valid realm and the usernames user_exist_1, user_exist_2, and user_exist_3 are valid account names. Well-known folders. For a better browsing experience, we recommend using one of the officially supported browsers: #!/usr/bin/perl # ##### # Outlook Web Access Light - Address Book Enumeration ##### # # Copyright (C) 2010 Joe Mondloch # JoMo-Kun / jmk@foofus. asp of the component Outlook Web Access. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Campaign and Disclaimer deployment options – Allows you select if campaigns and disclaimers will be deployed to Microsoft Outlook, Microsoft Outlook Web Access or both. As @Terry mentions, CAPTCHA on registration pages may make user name enumeration harder to do automatically (but "harder" is not the same as "hard"). I usually go with nmap -p- --min-rate=1000 -T5 target. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the The following figure shows the folder structure for a user and indicates which folders are for the user's items and which are system folders. contoso. 1 instead of the local computer's actual IP address. Keep up the good work with post like this. It is a feature that was previously available as a downloadable package for the Windows Server® 2003 operating system (it was also included in Windows Server 2003 Service Pack 1). com) to Exchange 2013 in DNS. Once you have acquired the domain name, you can try a technique called password spraying. 
The Web interface of Outlook Web Access resembles the interface in Microsoft Outlook. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. These values coincide with “at least one” and “few. By default, Exchange 2000 and later allows relaying if a mail sender can successfully authenticate to the mail server. nse : Attempts to enumerate the users on a SMTP server by issuing the VRFY, . 2FA works for OWA, ActiveSync, and Outlook Anywhere, but not EWS. The parallel resource enumeration process activates by default when 3 or more farms/sites are being aggregated (this can be modified of course). net # # odd OWA Issue 1. Harden Net Sessions Enumeration. That means to record which users were sprayed, exactly when, what passwords were tried and how many attempts for each user. This feature is not enabled by default for namespaces (though it is enabled by default on newly-created shared folders in Windows Server 2008), and is only supported in a DFS namespace when Access Based Enumeration - Applying Permissions That is say you have a folder that has a security group on it that grants read permissions. If you add a user to the security group, will the user be able to the folder only after they logoff and back on? -User (required if you use the first parameter set in the Syntax section) Identifies the user for which to retrieve the archive list. The purpose of these provisions is to improve the efficiency and effectiveness of the electronic transmission of health information. How about an OWA server exposed to the internet? Have fun and be aware of accounts lockout! 
If you want to check what permissions an Active Directory user account has on a specific mailbox, simply use the following cmdlet which will enumerate all the permissions the user has on that mailbox: Get-Mailbox <Mailbox> | Get-MailboxPermission -User <AD User> Account enumeration is a potential security risk whereby a web site gives out information about what accounts are already in the system. . The remote host is running Microsoft Outlook Web Access (OWA) 2003. Support for Outlook 2010 x86 and x64; Version: 1. Exchaneg OAB, Address, Resources$) etc. From OWA domain enumeration, to user enumeration, to password enumeration to bypass it has been a slow steady build on this attack. Next, it attempts to enumerate the Inbox folder of this mailbox. Re: Shared mailbox does not update itself Unchecking 'Download shared folders' - if that doesn't work, then there is another issue because that simply forces the folder to remain always online. Conclusion: If we consider that is common to find databases deployed inside the internal network, we can combine this technique with the port scanner technique to deliver more targeted attacks. Scanner HTTP Auxiliary Modules cert The cert scanner module is a useful administrative scanner that allows you to cover a subnet to check whether or not server certificates are expired. can enumerate User IDs and passwords via OWA with 2FA enabled  Jul 16, 2017 Learn how to brute force OWA and login pages using Burp Intruder. Abusing Exchange Web Service - Part 1 February 18, 2016 Scot Berner Outlook Web Access (OWA) has been one of the consistently viable attack vectors for pentesters and bad guys alike for many years. There are ways to turn this feature on or off if you wish. The scripts automate the process of testing logon credentials and enumerating information from the target system’s address book. Let's start our enumeration with nmap. 
Resolved: Exchange 2013 SP1 readiness check failing with AD errors (User permissions and connectivity) Recently I’ve been having issues with our storage array for which reason I decided to deploy our Exchange Server 2013 Kali Linux contains a large amount of penetration testing tools from various different niches of the security and forensics fields. User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. As mentioned before, the it's very important to spray in a controlled manner to prevent lockout. Done enumerating? Do more. Claims-based authentication is an industry standard that uses a SAML token for authentication. (Update 5/9/2012: See You Cannot Hide Distribution Group Membership in Exchange 2007 in Exchange 2007 documentation on TechNet). Testing for User Enumeration and Guessable User Account (OWASP-AT-002) From OWASP. . 7 - Meetings are missing on some mobile devices, but are present in OWA and Outlook This issue has been resolved. A set of interlinked, dynamically generated HTML pages forms the user interface of a web application. TABLE 3—TIMING ATTACK ANALYSIS HACKING OUTLOOK WEB ACCESS OR directory enumeration tool like DirBuster. Why? OWA does pose a security risk having e-mail open to the internet. vulnerability in Microsoft Outlook Web Access (OWA Should I expose my Active Directory to the public Internet for remote users? Go on someone's OWA site and attempt to Be aware of some user enumeration There is no option to hide Distribution Group membership in the console, nor a single parameter you can flip using the shell. Release Date: 07/08/2009 HI, I'm trying to get the auto login from EBS working to APEX. These credentials can be harvested by a administrative user or SYSTEM. com host partially discloses the webserver’s folder structure. We of course have to figure out the domain name first. 
visited web page visited by a user with a current OWA session to take over the user s  May 29, 2019 The exposure of the internal IP address via OWA allowed the form to be the internal domain name for the organisation and allowed enumeration of was used to identify if any of the users identified used weak passwords. Create Search Folders using the EWS Managed API in a Mailbox or Archive Store using Powershell Search folders are one of the suite of Exchange search options you can use programatically or to provide users with different views of their mailbox data in Outlook or OWA. What causes this threat? Under certain circumstances, an authenticated OWA session can be hijacked by an attacker to perform actions on behalf of the user without the user's knowledge. Most enterprises provide numerous ways of authenticating. 20724. Jun 15, 2017 User enumeration is often a web application vulnerability, though it can For example, Outlook Web Access (OWA) often displays this type of  May 30, 2018 This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 systems and users · Test your defenses to make sure they're ready  Feb 17, 2016 Beau Bullock //. o IIS is configured by default. Outlook Web Access comes as a part of Microsoft Exchange Server. How can I tighten up security and restrict access or even complete hide them from my OWA users? Thanks in advance, Deja. to shares it has enumerated and for which it has obtained legitimate credentials . This involves some simple enumeration. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. No longer are admins shackled to their Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names. The classic passwords still work. In my last post I have talked about how to explore SQL injection flaws to perform port scanner when the database is Oracle. 
SQL injection has become a common issue with database-driven web sites. for user profile pages), make sure an attacker cannot enumerate usernames. Figure 2. Goal: Acquire domain user credentials A domain user is any user in the domain. If the user exists, both steps are carried out. This permission enumeration values are “Access-based enumeration– Access-based enumeration allows users to see only files and folders on a file server to which they have permission to access. For those not familiar, the Exchange Management Shell has an enumeration limit which can result in some values being cut off, which is evidenced by the trailing …) at the end of a value. As part of their migration process they pointed their Exchange 2010 Outlook Anywhere namespace (let’s call it mail. The scan results revealed that along with common Apache default files (Please see Appendix A for more Re: Help Trouble shooting remote Access - OWA and Remote work plac If my post ever makes it the second nic should be disabled as it looks like you are trying to do a one nic server. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management. Under his Inbox it only lists up to the "Sa"s. I will put an article on my site linking to yours about this issue along with my symptoms. Yes, passwords, firewalls, etc all provide levels of protection, but it is still an opening for someone to get in through. Lastly, if each user is granted a unique URL (e. That guess is based on the fact the lan nic has a gateway and the dns and wins is pointing to the same nic. Net Sessions Enumeration can be used by attackers to get information about the sessions established on a server including computer names, usernames, session active times, and IP addresses. 1-based device This issue has been resolved. 
Typically, a web application written in PL/SQL is a set of stored subprograms that interact with web browsers through HTTP. My customer decided that they needed to block OWA externally but leave it open internally. In addition, the versions of the tools can be tracked against their upstream sources. Defines user needs and requirements for automated data processing services pertaining to annual employer wage reporting. Get-RemoteMailbox “user identity” | fl This is so you have a record of all current attributes. Get current user's domain :  Aug 1, 2014 OWA form-based authentication and IIS file paths were found Typically, the realm name, username, and password is required for authentication. Access-based enumeration displays only the files and folders that a user has permissions to access. Access The whole idéa behind this is to provide faster responses to user queries when aggregating multiple farms. Once you get some credentials, get more. Let’s walk through how this user list gets built and what attacks it facilitates. OWA_SEC For this lab, I exported 8600+ command lines from various processes and wrote a dirty powershell script that ingests those command lines and inspects them for a couple of classic windows enumeration commands that are executed in the span of 2 minutes and spits them out: We all know what username enumeration vulnerabilities are about. steal credentials to accounts logged into the compromised system and to Outlook Web Access. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters. If no value is specified, the default will be set to the string preceding the '@' in the email address. Once usernames are guessed or enumerated targeted password based attacks can then be launched against those found usernames. 
One of our newer initiatives at SNT is to post a weekly blog that contains some of our favorite pentesting tips and tricks, usually containing something that we've found success with during penetration testing/researching in the past month or so. Unfortunately since we ran the update to CU15 the we still get errors from the OWA Healthset, which seems to have the same cause like before the update. If the sender or recipient isn't a user from your local domain, the mail server is probably used as a mail relay. megacorpone. Item and system folders in a mailbox. CWE is Subprograms that impose database optimistic locking strategies to prevent lost updates. -ArchiveName. From OWA domain enumeration, to user enumeration, to password  The version of “Mutillidae” we are using is taken from OWASP's Broken Web Add the "username" and "password" parameter values as positions by to iterate through a large list of common usernames to enumerate which ones are valid. Export calendar Items to a CSV file using EWS and Powershell Somebody asked about this last week and while I have a lot of EWS scripts that do access the Calendar I didn't have a simple example that just exported a list of the Calendar events with relevant information to a CSV file so here it is. zonetransfer. The a and b parameters for the linguistic quantifier are selected as 0. o The group the user is member of is also affected by SID history, just like the user. So I have noticed over the past few weeks I am getting account lockouts of some of our more generic user accounts. Type the user's Windows logon name, user principal name, or Domino user ID. when using OWA and making documents available via OWA, i can give a user access to a shared folder but if the user then clicks the 'up' arrow in the folder nav pane, it then shows every shared folder on the server. Your browser may be out of date and not officially supported. 
Sent the report and waited, client side exploits are a pain and can be quite annoying to get to work and I have seen it before when I have done the correct exploit yet it has not worked for some reason so always try a few different exploits as our report may have been picked up by windows defender. See Also. Now I am sharing with you a way to perform brute force attack to enumerate users from Microsoft AD (or other LDAP repository). The failure has no recurrence, but randomly happens after the business ours about 8:00pm - 02:00am. The Centers for Medicare & Medicaid Services (CMS) has developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers. But when it comes to interacting with external systems, in this case sending an email, it's less trivial. Subprograms that perform string matching and string manipulation with regular expressions. Follow all reddit rules and Bypassing Two-Factor Authentication on OWA and we can try to push back and have Microsoft fix the user enumeration and password This test was completed against a fully patched Exchange 2013 environment running Windows 2008 R2 server. But at this moment without success. It also hosts the BUGTRAQ mailing list. If the user doesn't exist, only step 1 is executed. Affected is an unknown function of the file owalogon. " 46 Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to data mine your Microsoft Outlook Inbox. This vulnerability is built on a year of work at BHIS. The combination of these can be used later  MailSniper also includes additional modules for password spraying, enumerating users/domains, gathering the Global Address List from OWA and EWS, and  A 'black box' review of Microsoft's Outlook Wep App(OWA) revealed several vulnerabilities. Username enumeration techniques and their value Introduction. 1 Overview of PL/SQL Web Applications. 
Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection that can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This is often a pre-cursor to brute-force password attacks. This pivotal point of why a server exists is because Recon and Enumeration. smtp-enum-users. If you run across a login interface for Microsoft OWA, Microsoft EWS, Microsoft Lync, or any other application you think may be vulnerable to timing-based username enumeration, what do you do next? KB ID 0001254 Dtd 07/11/16 . adfind, Simple owabf, Outlook Web Access bruteforcer tool. We were hoping to see a change A vulnerability classified as problematic has been found in Microsoft Exchange 2003 (Groupware Software). User accounts in Active Directory have various attributes, among which there are two interesting attributes: samAccountName and UserPrincipalName (usually it is called UPN), the differences between which are not understood by many Windows administrators. On Sun, 24 Jan 2010 16:41:01 -0800, John Brute Forcing with Burp Suite. This is part two of a series of posts (See part 1 here) where I am detailing multiple ways to gain access to domain user  May 14, 2019 Microsoft doesn't consider user enumeration to be a security problem. RecipientType. On its own, OWA does not support claims-based authentication, however, Windows Identity Foundation (WIF) comes with a service that can convert a claims token into a Windows Token that OWA can use to authenticate the user. These equate to well-known folders in the EWS Managed API, or distinguished Load the user from database. 5 URL User Verification · OWA Light Address Book Enumeration · OWA Address Book Enumeration · OWA (older)  Dec 10, 2016 OWA can be a great way to enumerate users and other important information such as AD names. Metasploit Module OWA User Enumeration on Exchange 2010 – How to? 
Security ‎ > ‎ There’s already a module to brute-force through OWA, but what about narrow the attacks by knowing if the user exist or not in the domain. I have followed several documentations and forums Exchange 2007 access to all mailboxes for Administrator feature to open another user’s mailbox in Outlook Web Access. The manipulation with an unknown input leads to a information disclosure vulnerability. My question isif my users try to access \\exchangeservername from within OWA they see lots of shared folder (e. e. AAAA 2001:67c:2e8:11::c100:1332 | owa. Common Weakness Enumeration CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page. Time is precious, so I don’t want to do something manually that I can automate. owa user enumeration
