msolspray's People

Contributors

dafthack

msolspray's Issues

Script working, but Password Spray event not being generated in O365

I created 1000 users "all test users" in my tenant, added all those users to the users.txt file so it cycles through valid accounts with a bad password, but Password Spray events never show up in Azure. Maybe I don't know enough of the actual algorithm, but for whatever the reason may be, I cannot get it to generate the alert. Has anyone had luck with generating the actual password spray alert in Azure ID Protection?

Add additional code indicating Password was fine, but Conditional Access Policy thwarted attempt

Hi,

During our tests we've found that when a user is sprayed with a correct password but the attempt fails due to Conditional Access Policy requirements, the following error code is thrown:

PS C:\MSOLSpray > Invoke-MSOLSpray -UserList users.txt -password Winter2022 -verbose
[*] There are 1 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 02/11/2022 14:06:36
VERBOSE: POST https://login.microsoft.com/common/oauth2/token with -1-byte payload
[*] Got an error we haven't seen yet for user [email protected]
{"error":"interaction_required","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow
token issuance.\r\nTrace ID: e0ea6353-40e5-4496-8bd5-294facea2e00\r\nCorrelation ID: 2ba27739-7daf-49e7-949c-2e16e3c42079\r\nTimestamp: 2022-02-11
13:06:36Z","error_codes":[53003],"timestamp":"2022-02-11 13:06:36Z","trace_id":"e0ea6353-40e5-4496-8bd5-294facea2e00","correlation_id":"2ba27739-7daf-49e7-9
49c-2e16e3c42079","error_uri":"https://login.microsoft.com/error?code=53003","suberror":"message_only"}

Whereas the same attempt with a wrong password will result in no output:

PS C:\MSOLSpray > Invoke-MSOLSpray -UserList users.txt -password Winter20www22 -verbose
[*] There are 1 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 02/11/2022 14:06:51
VERBOSE: POST https://login.microsoft.com/common/oauth2/token with -1-byte payload

The conclusion is that the AADSTS53003 error code indicates a correct password, but with CAP getting in the way.
I guess it's worth adding corresponding logic to handle that :)

Regards,
Mariusz.
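
The behaviour reported in the issue above matters on the defender's side as well: a sign-in rejected with AADSTS53003 means the password itself was accepted. The following is an added example, not part of the original issue or of MSOLSpray, that triages sign-in records for that pattern. It assumes records shaped like Microsoft Graph signIn entries (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and that bad-password failures carry error code 50126; the function name, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password
BLOCKED_BY_CA = 53003     # AADSTS53003: password was correct, Conditional Access refused the token

def _rec(ts, user, ip, code):
    # Helper for building constructed records in the Graph signIn shape.
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE = [
    _rec("2022-02-11T13:06:30Z", "alice@example.test", "203.0.113.7", 50126),
    _rec("2022-02-11T13:06:32Z", "bob@example.test", "203.0.113.7", 50126),
    _rec("2022-02-11T13:06:34Z", "carol@example.test", "203.0.113.7", 50126),
    _rec("2022-02-11T13:06:36Z", "dave@example.test", "203.0.113.7", 53003),
    # A lone 53003 from another address: an ordinary user stopped by policy.
    _rec("2022-02-11T13:20:00Z", "erin@example.test", "198.51.100.20", 53003),
]

def exposed_passwords(records, min_users=3, window=timedelta(minutes=10)):
    """Map source IP -> users whose password should be treated as known to that source."""
    by_ip = defaultdict(list)
    for r in records:
        ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[r["ipAddress"]].append((ts, r["userPrincipalName"], r["status"]["errorCode"]))
    findings = defaultdict(set)
    for ip, events in by_ip.items():
        for ts, user, code in events:
            if code != BLOCKED_BY_CA:
                continue
            # Other accounts that failed on a bad password from the same IP, close in time.
            sprayed = {u for t, u, c in events
                       if c == INVALID_PASSWORD and u != user and abs(t - ts) <= window}
            if len(sprayed) >= min_users:
                findings[ip].add(user)
    return {ip: sorted(users) for ip, users in findings.items()}

if __name__ == "__main__":
    for ip, users in exposed_passwords(SAMPLE).items():
        print(f"{ip}: reset and review {', '.join(users)}")
```

A hit here means Conditional Access stopped the sign-in, not that the credential is safe, so the flagged account still needs a password reset.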

False Reporting of Locked Accounts

Has anyone encountered issues where the script was reporting accounts as being locked out when that wasn't the case? I've been getting 10+ accounts reporting as locked out on the very first password spray. Maybe it's a coincidence, maybe the users were almost already at the lockout threshold, but I'm pretty sure it's flagging accounts as being locked out when they're not.
