o365spray

This is a username enumeration and password spraying tool aimed at Microsoft O365. For educational purposes only.

This tool reimplements a collection of enumeration and spray techniques researched and identified by those mentioned in Acknowledgments.

Updates:

- The office.com enumeration module has been implemented and set to default for Managed realms.
- The ActiveSync enumeration and password spraying modules have been reimplemented in an
  attempt to handle the recent updates from Microsoft that are causing invalid results. The
  ActiveSync enumeration module still returns some false positives - this is why the office.com
  enumeration module has been moved to the default process.
- When a Federated realm is identified, the user is prompted to switch enumeration to OneDrive
  (otherwise disabled due to invalid results from different modules) and to switch spraying to
  ADFS (otherwise sprays against the user selected spray-type).

WARNING: ActiveSync user enumeration is performed by submitting a single authentication attempt per user. If ActiveSync enumeration is run with password spraying, the tool will automatically reset the lockout timer prior to the password spray -- if enumeration is run alone, the user should be aware of the authentication attempts and reset the lockout timer manually.

OneDrive user enumeration relies on the target user(s) to have previously logged into OneDrive. If a valid user has not yet used OneDrive, their account will show as 'invalid'. This appears to be a viable solution for user enumeration against federated realms.

Usage

Validate domain is using O365:
python3 o365spray.py --validate --domain test.com

Perform username enumeration:
python3 o365spray.py --enum -U usernames.txt --domain test.com

Perform password spray:
python3 o365spray.py --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com

usage: o365spray.py [-h] [-d DOMAIN] [--validate] [--enum] [--spray]
                    [-u USERNAME] [-p PASSWORD] [-U USERFILE] [-P PASSFILE]
                    [--paired PAIRED] [-c COUNT] [-l LOCKOUT]
                    [--validate-type {openid-config,getuserrealm}]
                    [--enum-type {office,activesync,onedrive}]
                    [--spray-type {activesync,autodiscover,msol,adfs}]
                    [--adfs ADFS] [--rate RATE] [--safe SAFE]
                    [--timeout TIMEOUT] [--proxy PROXY] [--output OUTPUT]
                    [--version] [--debug]

Microsoft O365 User Enumerator and Password Sprayer -- v1.3.7

optional arguments:
  -h, --help            show this help message and exit

  -d DOMAIN, --domain DOMAIN
                        Target domain

  --validate            Perform domain validation only.
  --enum                Perform username enumeration.
  --spray               Perform password spraying.

  -u USERNAME, --username USERNAME
                        Username(s) delimited using commas.

  -p PASSWORD, --password PASSWORD
                        Password(s) delimited using commas.

  -U USERFILE, --userfile USERFILE
                        File containing list of usernames.

  -P PASSFILE, --passfile PASSFILE
                        File containing list of passwords.

  --paired PAIRED       File containing list of username:password format.

  -c COUNT, --count COUNT
                        Number of password attempts to run before resetting
                        lockout timer. Default: 1

  -l LOCKOUT, --lockout LOCKOUT
                        Lockout policy reset time (in minutes). Default: 15
                        minutes

  --validate-type {openid-config,getuserrealm}
                        Specify which validation module to use. Default:
                        getuserrealm

  --enum-type {office,activesync,onedrive}
                        Specify which enum module to use. Default: Office

  --spray-type {activesync,autodiscover,msol,adfs}
                        Specify which spray module to use. Default: ActiveSync

  --adfs ADFS           URL of target ADFS login page for password spraying.

  --rate RATE           Number of concurrent connections during enumeration
                        and spraying. Default: 10

  --safe SAFE           Terminate scan if `N` locked accounts are observed.
                        Default: 10

  --timeout TIMEOUT     Request timeout in seconds. Default: 25

  --proxy PROXY         Proxy to pass traffic through (e.g.
                        http://127.0.0.1:8080).

  --output OUTPUT       Output directory for results. Default: Current
                        directory

  --version             Print the tool version.
  --debug               Debug output

Modules

Validation

openid-config
getuserrealm

Enumeration

office
activesync
onedrive
autodiscover -- No longer working - Removed

Spraying

activesync
autodiscover
msol
adfs

Acknowledgments

Office.com Code/References

@gremwell
User enumeration via Office.com without authentication
- o365enum

ActiveSync Code/References

@grimhacker
Research and discovery of original user enumeration via ActiveSync.
- office365userenum
- See the original blog post.

Autodiscover Code/References

@Raikia
User enumeration via Autodiscover without authentication
- UhOh365

MSOL Code/References

@dafthack
Password spray via MSOL
- MSOLSpray
- This was rewritten in Python by @byt3bl33d3r
  - https://gist.github.com/byt3bl33d3r/19a48fff8fdc34cc1dd1f1d2807e1b7f

OneDrive Code/References

@nyxgeek
User enumeration via One Drive
- onedrive_user_enum
- See the blog post discussing this technique.

ADFS Code/References

@Mr-Un1k0d3r
Password spray via ADFS
- https://github.com/Mr-Un1k0d3r/RedTeamScripts/blob/master/adfs-spray.py

Other Code References

@byt3bl33d3r --- SprayingToolkit
@sensepost --- Ruler

fuzzy-one / o365spray