dievus / oh365userfinder Goto Github PK

Python3 o365 User Enumeration Tool

Python 100.00%

oh365userfinder's Introduction

Oh365 User Finder v1.1.0

Oh365UserFinder is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid. The tool will attempt to identify false positives based on response, and either automatically create a waiting period to allow the throttling value to reset, or warn the user to increase timeouts between attempts.

Oh365UserFinder can also easily identify if a domain exists in o365 using the -d or --domain flag. This saves the trouble of copying the url from notes and entering it into the URL bar with the target domain.

With version 1.1.0, password spraying is now possible. If MFA is enabled, the tool SHOULD identify it when reporting a valid account. Keep in mind that account lockouts are possible if too many incorrect attempts are made. Make sure to consult with your client to determine the lockout policy if you have any concerns.

Usage

Installing Oh365UserFinder

git clone https://github.com/dievus/Oh365UserFinder.git

Change directories to Oh365UserFinder and run:

pip3 install -r requirements.txt

This will run the install script to add necessary dependencies to your system.

python3 oh365UserFinder.py -h

This will output the help menu, which contains the following flags:

-e, --email - Required for running Oh365UserFinder against a single email account\n
-r, --read - Reads from a text file containing emails (ex. -r emails.txt)\n
-t, --timeout - Sets a pause between attempts in seconds (ex. -t 60)\n
-w, --write - Writes valid emails to a text document (ex. -w validemails.txt)\n
-c, --csv - Writes valid emails to a CSV file (ex. -c validemails.csv)\n
-d, --domain - Checks if the listed domain is valid or not (ex. -d mayorsec.com)\n
--verbose - Outputs test verbosely\n
-ps, --pwspray - Password sprays a list of accounts\n
-p, --password - Password to be tested\n
-el, --elist - Emails to be tested

Examples Commands

Validate a Domain Name in O365

python3 oh365Finder.py -d mayorsec.com

Validate a single email

python3 oh365UserFinder.py -e [email protected]

Validate a list of emails and write to file

python3 oh365UserFinder.py -r testemails.txt -w valid.txt

Validate a list of emails, write to file and timeout between requests

python3 oh365UserFinder.py -r emails.txt -w validemails.txt -t 30

Validate a list of emails and write to CSV

python3 oh365UserFinder.py -r emails.txt -c validemails.csv -t 30

Password Spray a list of emails

python3 oh365UserFinder.py -p <password> --pwspray --elist <listname>

Notes

Make note that Microsoft does have some defense in place that can, from time to time, provide false positives in feedback. If you suspect that this is occurring take a pause in testing, and return and increase the duration between attempts using the -t flag.

Acknowledgements

This started as a port over from Python2 to Python3 of a tool named o365Creeper developed by Korey Mckinley, and it quickly spiraled into what it is now.

oh365userfinder's People

Contributors

Stargazers

Watchers

Forkers

0x5a65726f4b65776c scriptidiot c0de-sin pelican9091 bornunique911 5l1v3r1 magespawn krouser chapter78v3 gavz mayorsecsecuritysolutions v4nyl bug-tools uionto hu-ma dileepkumarjagadabi linuer raytracy fynewine y2mk1ng zha0 markalvsn nguyenxuanbinhminh dinhle85 slooppe fdlucifer giadev25 lunarobliq bypasscc elliottl pwnpy redhotchilihacker chrismeistre askyeye red-infosec darkoneiroi aglerj qu33n1x me009 a1124510616 saiyato casistack mlynchcogent gprime31 tadryanom singularidad 0xsojalsec ckevens zpaav cybersissons rvrsh3ll pedrocorreiacodes cybersecops jeromeyoung o3t1w ipc-security cydef1 0unknown0shadow0 rizzy01 carlostkd righteousgambit leomatias wand3rlust slothsyndrome ehutchison69 istern spongyb pyro0ownz sneak71 ikpehlivan c-teck hxlxmjxbbxs devendrasuthar n3k7ar91 bluethistle-bouquet sidneysimas prevail24 emadyay sjpn gwisinkoht pilotguy0920 turtlebear-work rajivraj sagarjain-js

oh365userfinder's Issues

Enhancement - check whether the IP address is being throttled

The results may get throttled - in that case you'll be returned with false positives (i.e. it always returns "IfExistsResults":0). You can check throttle by looking whether "ThrottleStatus":1.

If would be nice to return a warning in this case.

Domain Check - Unknown, Managed, Federated

https://github.com/dievus/Oh365UserFinder/blob/main/oh365userfinder.py#L204
valid_response = re.search('"NameSpaceType":"Managed",', response)

Microsoft outline that there are different namespace types besides Unknown and Managed. As far as I can tell, there is also, Federated which can be seen here for my local university.
https://login.microsoftonline.com/[email protected]

Potentially consider that the regex should check for the word Unknown and change the response to a negative if returned true.

Add a shebang so we can be lazy

The script doesn't have the traditional shebang of:
#!/usr/bin/env python3

So it can't be directly run from the shell. Any chance this could be added to help us lazy people?

Invalid 'NoneType' argument for int() function

Hi @dievus , first I want to thank you for the great tool.

As shown in the images below, when using the tool without the -l / --lockout argument, after a LOCKOUT occurrence, an exception occurs that breaks the password spray flow.

Error :

No Error:

This error occurs because on line 276, the -l / --lockout argument is multiplied by the integer value 60. If the parameter is not defined by the user, the type of the 'lockout' variable is defined as NoneType, which by in turn, it cannot receive arithmetic operations with an integer value, causing the error.

Suggestions:

Create a condition that checks if the -l or --lockout argument was defined by the user at script execution, otherwise it sets a default value (1 maybe) or returns to the help menu and 'forces' the user to use the -l / --lockout argument.