[WIP] Add External Module: office365userenum.py #10607
External python module compatible with v2 and v3.
Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
Differences in the HTTP Response code and HTTP Headers can be used to differentiate between:
- Valid Username (Response code 401)
- Valid Username and Password without 2FA (Response Code 200)
- Valid Username and Password with 2FA (Response Code 403)
- Invalid Username (Response code 404 with Header X-CasErrorCode: UserNotFound)
Note this behaviour appears to be limited to Office365, MS Exchange does not appear to be affected.
Microsoft Security Response Center stated on 2017-06-28 that this issue does not "meet the bar for security servicing". As such it is not expected to be fixed any time soon.
This script is maintaining the ability to run independently of MSF.
Change the 'required' attribute of the output and logfile options to False. Open output file for appending immediately before use and only if output file name is configured.
RHOSTS is automatically created as a required option despite my module not needing it and it not being specified in the metadata.
I think we need a different kind of module type to support what you want, which is non-automatic host resolution, and just plain URI-based targets. I think there are lots of other modules that also would prefer this method of operations rather than RHOSTS / RPORT, etc. The RHOSTS argument comes from the underlying module template that gets instantiated automatically by Metasploit, as you noticed.
Is the different module type something in the pipeline you know of buster? I can either look into writing a different module template for external py modules or help Oliver port this to pure ruby (former option probably preferred)
Sorry for the delay @GrimHacker - @clee-r7 is doing some research into this. Maybe we can sync up on the Slack team at some point to work out the details.
I'm going to land this now and we can improve it in the tree. Just spoke with @clee-r7 about a path forward to make raw unresolved hosts available to modules in a backward compatible way, but that shouldn't block this.
Verification
/home/msfdev/users
msfconsole
use auxiliary/gather/office365userenum
set users /home/msfdev/users
set rhosts 127.0.0.1
run
[+] 401 VALID_USER valid_username@example.com:Password1
[-] 404 INVALID_USER invalid_username@example.com:Password1
Example
Help Requested
[*] Auxiliary module execution completed
without running the module.
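A defender-side sketch of the response-code signal described in this pull request, added here as an example and not part of the PR or of Metasploit: it groups ActiveSync response records by source and flags sources that touch many distinct usernames with a share of 404/UserNotFound answers. The record layout, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): source, username, HTTP status,
# X-CasErrorCode response header. The layout is an assumption; map it onto
# whatever proxy or gateway log you actually collect.
RECORDS = [
    ("10.0.0.5", "alice@example.com", 401, None),
    ("10.0.0.5", "bob@example.com", 401, None),
    ("10.0.0.5", "carol@example.com", 200, None),
    ("10.0.0.5", "nobody1@example.com", 404, "UserNotFound"),
    ("10.0.0.5", "nobody2@example.com", 404, "UserNotFound"),
    ("10.0.0.5", "nobody3@example.com", 404, "UserNotFound"),
    ("10.0.0.9", "dave@example.com", 401, None),   # one user mistyping a password
    ("10.0.0.9", "dave@example.com", 200, None),
]

def classify(status, cas_error):
    """Map one response to the states listed in the PR description."""
    if status == 404 and cas_error == "UserNotFound":
        return "invalid_user"
    if status == 401:
        return "valid_user"
    if status == 200:
        return "password_ok_no_2fa"
    if status == 403:
        return "password_ok_2fa"
    return "other"

def find_enumeration(records, min_users=5, min_invalid_ratio=0.3):
    """Flag sources that probe many distinct usernames, some of them unknown."""
    per_source = defaultdict(lambda: defaultdict(set))
    for src, user, status, cas_error in records:
        per_source[src][classify(status, cas_error)].add(user.lower())
    findings = {}
    for src, states in per_source.items():
        users = set().union(*states.values())
        invalid = states.get("invalid_user", set())
        if len(users) >= min_users and len(invalid) / len(users) >= min_invalid_ratio:
            accepted = states.get("password_ok_no_2fa", set()) | states.get("password_ok_2fa", set())
            findings[src] = {
                "distinct_users": len(users),
                "invalid_users": len(invalid),
                # A password was accepted for these accounts during the sweep.
                "password_accepted": sorted(accepted),
            }
    return findings

if __name__ == "__main__":
    print(find_enumeration(RECORDS))
```

Accounts listed under `password_accepted` are the ones to reset first, since a 200 or 403 means the guessed password was correct.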