goEnumBruteSpray – User Enumeration And Password Bruteforce On Azure, ADFS, OWA, O365 And Gather Emails On Linkedin

The recommended module is o365 for user enumeration and passwords bruteforce / spray . Additional information can be retrieved to avoid account lockout, to know that the password is good but expired, MFA enabled,…

Linkedin

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company will be searched on Linkedin and all people working at these companies will be returned in the specified format.

The Linkedin’s session cookie li_at is required.

AVvXsEg2oUqQyAw69X6eGTjQ8Yzbu0CEcr9tfuTLTGxHJuTZc dATRVRCYfskwcALeVRqV9 zjHr imMC3MgMJFGlwFxaG0E4ZgFOF5M3r 6TUslUP NgpXBb5vKCq7VluZVDWizET519kaaxekHAmnDEQQm0yXqeSCorLKLtxaOhk5j Szr2NPyJLVJn73KbQ=w640 h100

SearchEngine

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company name will be searched on Google and Bing with a dork to find people working in the company (site:linkedin.com/in+"%s"). The results title will be parsed to output email addresses in the specified format.

AVvXsEgEVAIcdU0 W84AWvtKRz6MCAweUM6PTXDnZkS0NSlN1ckjmure3pXg g3HVnDeAmW3M4luGHzru4c6EGKX3WGvk6UYk8hpzDpvg2CAw098ULWw90jmyDYJbFTzhpD2h7sONvneA3ddDKZHrL85j1LRnlMuABniCT6WnoxxBcd3ekLo0YzogBRgqHRW2A=w640 h88

Azure

User enumeration

The Azure module is only available to enumerate the users of a tenant. The authentication request will be made on https://autologon.microsoftazuread-sso.com, a detailed response shows if the account does not exist, a MFA is required, if the account is locked, …

AVvXsEgVP9Rp7cKJqdTXmapesBj pLA ZF0PhAiU9vgbPbt5h8YQtyY2cI2Z IlC9b2keT qYQk0NvlfleOAufjYRjy0xza68zA9GZsjWqlkvhsRtUItg14J7ggSmlEyp2DesB3q8stNHuIs AlMARTd2GXZ1O8cHIF6vTTCqYw rIIT8xFYUUB2j8S LJlyg=w640 h56

ADFS

Passwords bruteforce / spray

The ADFS module is only available to bruteforce or spray a password. The authentication request is sent to https://<target>/adfs/ls/idpinitiatedsignon.aspx?client-request-id=<randomGUID>&pullStatus=0. An error message can informs the user if the password is expired

AVvXsEioCddSmn941IXRD6N7T8h kJiF6G1bAy4PYAm4RLYsriEcT3IpleT0VYpVEnZWCT0tMjrIFQlboHBkhAKnu4vVTgs yz 7tVixPZ50i1jsQI2byFq3UvHuI JAxAab97ER19yz9po7nZ69WXFmGivZP6JaSTprmK8p p eqjRicuh6NnJfjcVEgHsTcg=w640 h84

 

O365

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Several modes are available: office, oauth2 and onedrive (not implemented yet). The office mode is recommended as no authentication is made. Oauth2 can retrieve additional information through AADSTS error code (MFA enable, locked account, disabled account)

AVvXsEggUckzzmWbFrf5ZlztL gXmYsbP6IvGQo0wzNIzT7DGgiYh7ugKHk9DtBRZJUO4XwUoa59CuzdzNDRdWcwMKKtvBoWW9BoQsia8WCwdGcKC3N 2W6LFpYCviiYi8N6d9SGIJmm5GVBFi0 MHvbdJ5V3gcavxEsHtLI W UEaZ8apvx6DnWDGGnRV8mwQ=w640 h108

Passwords bruteforce / spray

As for the user enumeration, two modes are available: oauth2 and autodiscover (not implemented yet). The Oauth2 is the recommended mode, it allows to get much information thanks to the AADSTS error code.

AVvXsEj gNnfJqYD5XwRnWe8am Bx0n36NqlyS1FBRQ3 Oo3uVE11g8ehspA yMHrTFz6Vd sdklz4 Lfy81fgOGEr5Q4 vuan7bHyiGdwJzWiPlpNZzU9mr3XZQZbUg4Svh5ESL8a6NZ n pF47VIHnB8Inl4BajKeq5VsCsZ54gHwYYId5Ymz7HIkal1Ukow=w640 h58

OWA

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Enumeration is made with authentication requests. Authentication for a non-existent user will take longer than for a valid user. At first, the average response time for an invalid user will be calculated and then the response time for each authentication request will be compared.

AVvXsEjxyXJeblOV40xq23ZsJ7VQVDLNXqwhRpCIAy0Cfe5e7ktqBOAXCVeVI1VRol3PZu1R111e9lMXDA QrMKr wyPlBZkWm9DBNk7Iaf9QFsvTSj0ySPWsiBCDHDBbalm3dxeZgHw bIZSAU7GMTUEZxnMsz foZYuc 9uGFe3ildzMyYK15sp4HHLkOfg=w640 h124

Passwords bruteforce / spray

Please note that no account locking mechanism can be implemented because no information about it is returned.

AVvXsEiXN9ifSFGlOWaL00Creo8lHII1ABRsmsNT kZQRHGe5s9Yr1ehEp1E MsCkJyAIhlZr9sjOS0F4di6RscOyUsaCRGG wmzsJhLwRJ1Ggr8Ld2 BifxroTr6NfqoSjOppXUe2y2JyBD tkXwTwX2rAUkCRqGE6xPLrN81g8lwUKnHgk0vmGD87 2VxL5A=w640 h90

Credits

https://github.com/busterb/msmailprobehttps://github.com/0xZDH/o365spray/https://github.com/xFreed0m/ADFSpray/https://github.com/m8r0wn/CrossLinked

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: