Proof of concept in Go based on Secureworks' research on Azure Active Directory brute-force attacks. Inspired by @treebuilder's PowerShell POC.

This code is a proof of concept, written in Go, of the Azure Active Directory password brute-force vulnerability recently disclosed by Secureworks.

Currently only user enumeration and password spraying can be performed without being blocked, because, as explained in the Secureworks article, Azure AD Smart Lockout prevents the brute-force attack.

This repository was inspired by @treebuilder's proof of concept. The purpose of writing it in Go is to make user enumeration much faster during an ethical hacking engagement.
- Build from the GitHub repository:

```
$ git clone https://github.com/MrTuxx/aad-sso-enum-brute-spray
$ cd aad-sso-enum-brute-spray/cmd; go build -o 'aad-sso-enum-brute-spray'
$ ./aad-sso-enum-brute-spray -h
```
User enumeration, password spraying and brute-force attacks can be performed.

- User enumeration: a response of "bad password", or any value other than "no user" or "Invalid STS request", indicates that the user exists. A response of "locked" may mean that the account is locked, or that Smart Lockout is temporarily preventing interaction with the account.
- Password spraying and brute force: a "Correct credentials" message indicates that the correct username and password combination has been found.
```
./aad-sso-enum-brute-spray -emails-file users.txt -password "password"
./aad-sso-enum-brute-spray -emails-file users.txt -passwords-file passwords.txt
```

NOTE: Microsoft's Smart Lockout feature will start falsely claiming that accounts are locked if you hit the API endpoint too quickly from the same IP address.
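The Smart Lockout note above describes the same signal a defender keys on: one source address producing failed sign-ins against many distinct accounts in a short window, which is exactly the shape of a password spray (one password, many users) and unlike a single user mistyping their own password. The following Go block is an added example written for this page, not code from this repository; it runs that heuristic over constructed sign-in records. The `SignIn` struct, its field names, the sample addresses and the threshold values are assumptions, not the Azure AD sign-in log schema.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// SignIn is one authentication attempt as seen in a sign-in log.
// Field names are assumptions for this example, not the Azure AD schema.
type SignIn struct {
	Time     time.Time
	User     string
	SourceIP string
	Success  bool
}

// DetectSpray returns the source IPs that produced failed sign-ins for at
// least minUsers distinct accounts within a sliding window of length window.
// The distinct-user count per IP is the spray signal: many failures for a
// single user (a mistyped password) do not trip it.
func DetectSpray(events []SignIn, window time.Duration, minUsers int) []string {
	sorted := append([]SignIn(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	flagged := map[string]bool{}
	for i, ev := range sorted {
		if ev.Success || flagged[ev.SourceIP] {
			continue
		}
		users := map[string]bool{ev.User: true}
		// Events are time-sorted, so we can stop once the window is exceeded.
		for _, later := range sorted[i+1:] {
			if later.Time.Sub(ev.Time) > window {
				break
			}
			if !later.Success && later.SourceIP == ev.SourceIP {
				users[later.User] = true
			}
		}
		if len(users) >= minUsers {
			flagged[ev.SourceIP] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for ip := range flagged {
		out = append(out, ip)
	}
	sort.Strings(out)
	return out
}

// sampleEvents builds constructed log entries: one address failing against
// five different accounts a few seconds apart, and one user who mistypes
// their own password four times before signing in successfully.
func sampleEvents() []SignIn {
	base := time.Date(2021, 10, 1, 9, 0, 0, 0, time.UTC)
	var evs []SignIn
	for i, u := range []string{"alice", "bob", "carol", "dave", "erin"} {
		evs = append(evs, SignIn{base.Add(time.Duration(i) * 2 * time.Second), u + "@example.com", "203.0.113.10", false})
	}
	for i := 0; i < 4; i++ {
		evs = append(evs, SignIn{base.Add(time.Duration(i) * 30 * time.Second), "frank@example.com", "198.51.100.7", false})
	}
	evs = append(evs, SignIn{base.Add(3 * time.Minute), "frank@example.com", "198.51.100.7", true})
	return evs
}

func main() {
	for _, ip := range DetectSpray(sampleEvents(), 5*time.Minute, 5) {
		fmt.Println("possible password spray from", ip)
	}
}
```

With the constructed data only `203.0.113.10` is reported; the repeated failures from `198.51.100.7` involve one account and are ignored. In practice the window and threshold are tuned against the tenant's baseline, and successful sign-ins from a flagged address after the burst are the events worth investigating first.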
```
./aad-sso-enum-brute-spray -paired users_passwords.txt
```

NOTE: The file users_passwords.txt contains the list of credentials in username:password format.