raikia / uhoh365 Goto Github PK

A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.

License: GNU General Public License v3.0

Python 100.00%

uhoh365's Introduction

UhOh365

A script that can see if an email address is valid in Office365. This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.

Microsoft does not consider "email enumeration" a vulnerability, so this is taking advantage of a "feature". There are a couple other public Office365 email validation scripts out there, but they all (that I have seen) require at least 1 login attempt per user account. That is detectable and can be found as a light bruteforce attempt (1 "common" password across multiple accounts).

This script allows for email validation with zero login attempts and only uses Microsoft's built-in Autodiscover API so it is invisible to the person/company who owns the email address. Furthermore, this API call appears to be completely unthrottled and I was able to validate over 2,000 email addresses within 1 minute in my testing.

Usage

The script is actually really basic and easy to use. You make a file of the emails you want to see are valid or not and pass it as an argument to the script. Or you can provide a file just of usernames and give the -s argument to automatically append a suffix to each entry:

Usage: UhOh365.py [-h] [-v] [-t THREADS] [-o OUTPUT] file

positional arguments:
  file                  Input file containing one email per line

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Display each result as valid/invalid. By default only displays valid
  -s, --suffix	    Add a domain suffix to every input line from file (e.g: contoso.com)
  -t THREADS, --threads THREADS
                        Number of threads to run with. Default is 20
  -o OUTPUT, --output OUTPUT
                        Output file for valid emails only
  -n, --nossl           Turn off SSL verification. This can increase speed if
                        needed
  -p PROXY, --proxy PROXY
                        Specify a proxy to run this through (eg: 'http://127.0.0.1:8080')

Explanation

This is actually a very easy thing to do. It turns out the /autodiscover/autodiscover.json/v1.0/{EMAIL}?Protocol=Autodiscoverv1 API endpoint returns different status codes for if an email exists in o365 or not. 200 status code means it exists, a 302 means it doesn't exist.

If the email does exist:

If the email does not exist:

Notice this request takes zero authentication or identifying parameters and it does not cause a login attempt on the target account.

Author

Chris King

[email protected]

@raikiasec

uhoh365's People

Contributors

Stargazers

Watchers

Forkers

ashr jermainlaforce av1080p attackgithub gdraperi hicham1007 techbytom loneboat sopsmattw akshayjaing pbutler6163 breakthenet sammymuhen mmillerxyz coredamage bandrel jbarcia askyeye quikilr itsshubham modulexcite ishan-marikar shaunstanislauslau madwind76 pegasusx johndoex1 caesarcipher bbhunter lolici123 slooppe smcgu natrix-fork byt3bl33d3r blackhatethicalhacking pwnfoo wifiuk j-a-c-k-maynard luongphuhoa c0ntr07 smolige001 hmilkovi therealelyayo alpah7 p3t3rp4rk3r chazmacc red-infosec masterscott 4nder5 bigbrobro xenov-x zxc2007 hexfocus-fork siddharthkumar02 wisdark w00t3k polling-repo-continua hollow667 kaulanab kingsalman99 lawrencehisellopzj m0t firefalc0n raystyle y0d4a fxcebx sts0mrg0 rcaroncd 06opotehb jakuta-tech bashedcode inf0secrabbit ssl-user-en ingramali sec-js reanimat0r ceyhuncamli sachinpatkar techdragon mr-r3b00t srand2 terrorizer1980 sajibekanti kopfjager007 0xajstrike ehutchison69 filthyshoe cisfran05 shakibelmolik

uhoh365's Issues

showing its valid when its not

hey there , so i've checked a specific domains with known and unknow o365 emails , however some (alot) of the email listing was saying those were valid account and when i checked them manually they turned out to be not valid..

so lots of false positive (which is a huge bummer when you have couple of thousands ) eventually i stoped the script since i could not validate if uhoh365 gave real result .

any solution for that ? @Raikia
thanks

Exchange server different API but functionnal

I've tried this API with a mail and the response was strange :
{"Protocol":"Autodiscoverv1","Url":"https://mydomain.extension/api"}

So I guess the API was changed to redirect to API of exchange server for infrastructures with Exchange server.

It's specific but we should add an exception for that.

Regards

Still working?

I is returning valid for non-existent emails. Is the API endpoint still functional?

has MS fixed?

Using the example file, I receive:

It doesn't look like 'eoirgoaiejrgoi.com' uses o365
It doesn't look like 'microsoft.com' uses o365
INVALID: [email protected]

Has MS now addressed this issue?

Support for suffix email domain on a wordlist

There are awesome username wordlists out there and I was wondering if a feature can be implemented to use a wordlist and just add a domain prefix to all of it.

Something like --user-file wordlist --suffix contoso.com which will add @contoso.com suffix to all usernames.

I can take a stab at it and will send a PR soon :)

Office validation versus Outlook validation

Emails are found valid even though the company does not use Outlook (OWA) for their email. I've seen this twice now. The companies do use Office in some format though.

Add LICENSE

Please add a LICENSE to the repo so that I can package this for BlackArch :)

False negative if Mailbox is on premise

The logic for if the account is valid is slightly flawed. From my testing a valid user with a valid mailbox hosted in o365 will return an HTTP 200 as documented. However, if the user is valid, but the mailbox for a user is still hosted on premise a 302 will be returned with the message 'Object moved to' where the URL specified is the on premise hostname and not outlook.office365.com.