/MSOLSpray

A Python implementation of dafthack's MSOLSpray. A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

Primary LanguagePythonMIT LicenseMIT

MSOLSpray Python rewrite

This is a pure Python rewrite of dafthack's MSOLSpray which is written in PowerShell. All credit goes to him!

MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!

Why another spraying tool?

The main difference with this tool is that it is not only looking for valid passwords, but also the extremely verbose information Azure AD error codes give you. These error codes provide information relating to if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, if the account is disabled, if the password is expired and much more.

So this doubles as not only a password spraying tool but also a Microsoft Online recon tool that will provide account/domain enumeration. In limited testing it appears that on valid login to the Microsoft Online OAuth2 endpoint it isn't auto-triggering MFA texts/push notifications making this really useful for finding valid creds without alerting the target.

Lastly, this tool works well with FireProx to rotate source IP addresses on authentication requests. In testing this appeared to avoid getting blocked by Azure Smart Lockout.

Quick Start

Requirements

You will need to install the python library requests. You can do this by running:

pip3 install requests

MSOLSpray

You will need a userlist file with target email-addresses one per line.

usage: MSOLSpray.py [-h] -u FILE -p PASSWORD [-o OUTFILE] [-f] [--url URL]

This is a pure Python rewrite of dafthack's MSOLSpray (https://github.com/dafthack/MSOLSpray/) which is written in PowerShell. All credit goes to him!

This script will perform password spraying against Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

optional arguments:
  -h, --help            show this help message and exit
  -u FILE, --userlist FILE
                        File filled with usernames one-per-line in the format
                        'user@domain.com'. (Required)
  -p PASSWORD, --password PASSWORD
                        A single password that will be used to perform the
                        password spray. (Required)
  -o OUTFILE, --out OUTFILE
                        A file to output valid results to.
  -f, --force           Forces the spray to continue and not stop when
                        multiple account lockouts are detected.
  --url URL             The URL to spray against (default is
                        https://login.microsoft.com). Potentially useful if
                        pointing at an API Gateway URL generated with
                        something like FireProx to randomize the IP address
                        you are authenticating from.

EXAMPLE USAGE:
This command will use the provided userlist and attempt to authenticate to each account with a password of Winter2020.
    python3 MSOLSpray.py --userlist ./userlist.txt --password Winter2020

This command uses the specified FireProx URL to spray from randomized IP addresses and writes the output to a file. See this for FireProx setup: https://github.com/ustayready/fireprox.
    python3 MSOLSpray.py --userlist ./userlist.txt --password P@ssword --url https://api-gateway-endpoint-id.execute-api.us-east-1.amazonaws.com/fireprox --out valid-users.txt