y0k4i-1337/MSOLSpray-ng
GitHub: y0k4i-1337/MSOLSpray-ng
A Python password spraying and reconnaissance tool for Microsoft Online accounts, with FireProx and Tor IP rotation, that enumerates account status and MFA configuration.
Stars: 4 | Forks: 1
# MSOLSpray next generation
This project started as a fork of [MSOLSpray](https://github.com/MartinIngesen/MSOLSpray) and was later renamed to [MSOLSpray-ng](https://github.com/y0k4i-1337/MSOLSpray-ng) to avoid confusion with the original.
Since then, many features have been added and parts of the project have been refactored, aiming at better OpSec and fine-tuning.
**The original project is a pure-Python rewrite of [dafthack's MSOLSpray](https://github.com/dafthack/MSOLSpray/), which is written in PowerShell.**
MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). The script logs whether a user's credentials are valid, whether MFA is enabled on the account, whether the tenant exists, whether the user exists, whether the account is locked, and whether the account is disabled.
**Be careful not to lock accounts out!**
## Why another password spraying tool?
The main difference of this tool is that it not only looks for valid passwords but also harvests the very detailed information that Azure AD error codes provide. These error codes indicate whether MFA is enabled on the account, whether the tenant exists, whether the user exists, whether the account is locked, whether the account is disabled, whether the password has expired, and more.
So it is not only a password sprayer but also a Microsoft Online reconnaissance tool that provides account/domain enumeration. In limited testing, a successful login to the Microsoft Online OAuth2 endpoint did not appear to automatically trigger an MFA SMS/push notification, which makes it useful for finding valid credentials without alerting the target.
Finally, the tool works well with [FireProx](https://github.com/ustayready/fireprox) to rotate the source IP address on authentication requests. In testing, this appeared to avoid being blocked by Azure Smart Lockout.
Since Amazon started flagging FireProx endpoints, the script now also supports Tor via the `--tor` option. The script then automatically creates a pool of Tor circuits and rotates through them on each login attempt.
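Because source-IP rotation (FireProx or Tor) defeats per-source lockout thresholds, the pattern a defender can still see in sign-in logs is the spray itself: many distinct accounts each failing once or twice inside one window, from many different IPs. The following is an added detection example, not code from this project; the sign-in records are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records (timestamp, user, source IP, result); not real logs.
# One failed attempt per account, each from a different source IP: a rotated spray.
SPRAY_SAMPLE = [
    ("2024-01-01T10:00:00", "alice@example.com", "198.51.100.11", "failure"),
    ("2024-01-01T10:00:04", "bob@example.com", "203.0.113.5", "failure"),
    ("2024-01-01T10:00:09", "carol@example.com", "192.0.2.77", "failure"),
    ("2024-01-01T10:00:13", "dave@example.com", "198.51.100.42", "failure"),
    ("2024-01-01T10:00:18", "erin@example.com", "203.0.113.90", "failure"),
    ("2024-01-01T10:00:22", "frank@example.com", "192.0.2.18", "success"),
]

# Constructed contrast case: repeated failures against one account from one IP.
# This is brute force, not a spray, and the per-user cap below keeps it separate.
BRUTE_FORCE_SAMPLE = [
    ("2024-01-01T11:00:%02d" % (5 * i), "alice@example.com", "198.51.100.11", "failure")
    for i in range(6)
]


def parse(record):
    ts, user, ip, result = record
    return datetime.fromisoformat(ts), user.lower(), ip, result


def detect_spray(records, window_minutes=30, min_users=5, max_per_user=2):
    """Return a summary dict for the first window that looks like a spray, else None.

    A spray (one password tried against many accounts) shows low per-user failure
    counts across many users. Source-IP rotation shows up as a high distinct-IP
    count, which is why the rule keys on users rather than on IPs.
    """
    window = timedelta(minutes=window_minutes)
    failures = sorted(parse(r) for r in records if r[3] == "failure")
    for start_ts, _, _, _ in failures:
        in_window = [f for f in failures if start_ts <= f[0] < start_ts + window]
        per_user = Counter(user for _, user, _, _ in in_window)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            return {
                "window_start": start_ts.isoformat(),
                "users": len(per_user),
                "ips": len({ip for _, _, ip, _ in in_window}),
                "attempts": len(in_window),
            }
    return None
```

Tuning note: the `--pause` default of 15 minutes between iterations means a window shorter than that only ever sees one password's worth of attempts, so `window_minutes` should be at least as long as the pause you expect an attacker to use.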
## Tor
You can also use this tool with Tor. To do so, Tor must be installed and running on your machine. You can then use the `--tor` option to route requests through Tor.
To work around rate limiting, the script can create `N` distinct circuits via the [IsolateSOCKSAuth](https://spec.torproject.org/proposals/351-socks-auth-extensions.html) feature. For that, you need to set this sub-option in your `torrc` file (usually `/etc/tor/torrc` on Linux and `/opt/homebrew/etc/tor/torrc` on macOS):
```
SOCKSPort 9050 IsolateSOCKSAuth
```
## Quick start
### Requirements
The easiest way to install the dependencies is with `poetry`. You can do this by running:
```
poetry install
```
### MSOLSpray-ng
You need a user list file with one target email address per line.
```
usage: msolspray [-h] (-u USERNAME | -U FILE | -C FILE | --tor-test) [-p PASSWORD | -P FILE] [--sep SEP] [-o OUTFILE]
[-x PROXY] [--url URL] [-f | --force-first] [--shuffle] [-a {0,1,2}] [--notify NOTIFY]
[--notify-actions NOTIFY_ACTIONS] [--notify-each] [-s SLEEP] [--pause PAUSE] [-j JITTER] [-l PERCENT]
[-H HEADERS] [-A NAME] [--rua] [--timeout TIMEOUT] [--tor] [--tor-port SOCKS_PORT]
[--tor-pool TOR_POOL] [-v]
This script will perform password spraying against Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
options:
-h, --help show this help message and exit
-u, --username USERNAME
Single username
-U, --usernames FILE File containing usernames in the format 'user@domain'.
-C, --creds FILE File containing credentials in the format ''.
--tor-test Test Tor connectivity and exit.
-p, --password PASSWORD
Single password.
-P, --passwords FILE File containing passwords, one per line.
--sep SEP Separator used when parsing credentials file in CSV format.
-o, --out OUTFILE A file to output valid results to (default: valid_creds.txt).
-x, --proxy PROXY Use proxy on requests (e.g. http://127.0.0.1:8080)
--url URL A comma-separated list of URL(s) to spray against (default: https://login.microsoft.com).
Potentially useful if pointing at an API Gateway URL generated with something like FireProx to
randomize the IP address you are authenticating from.
-f, --force Forces the spray to continue and not stop when multiple account lockouts are detected.
--force-first Like --force but only for first iteration. Use it with '-a 2' for optimization.
--shuffle Shuffle user list.
-a, --auto-remove {0,1,2}
Auto remove accounts from next iterations (0: valid credentials (default), 1: previous +
nonexistent/disabled, 2: previous + locked).
--notify NOTIFY Slack webhook for sending notifications about results (default: None).
--notify-actions NOTIFY_ACTIONS
Slack webhook for sending notifications about needed actions (default: same as --notify).
--notify-each If set in conjunction with --notify WEBHOOK, it will notify each valid creds besides final
summary.
-s, --sleep SLEEP Sleep this many seconds between tries (default: 0).
--pause PAUSE Pause (in minutes) between each iteration (default: 15).
-j, --jitter JITTER Maximum of additional delay given in percentage over base delay (default: 0).
-l, --max-lockout PERCENT
Maximum lockouts (in percent) to be observed before ask to abort execution. (default: 10).
-H, --header HEADERS Extra header to include in the request (can be used multiple times).
-A, --user-agent NAME
Send User-Agent NAME to server (default: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36").
--rua Send random User-Agent in each request.
--timeout TIMEOUT Timeout for requests (default: 4)
--tor Use Tor for requests (overrides --proxy).
--tor-port SOCKS_PORT
Tor socks port to use (default: 9050).
--tor-pool TOR_POOL Number of Tor circuits to create (default: 10).
-v, --verbose Increase verbosity of output. Can be used multiple times for more verbosity.
EXAMPLE USAGE:
This command will use the provided userlist and attempt to authenticate to each account with a password of Winter2020.
python3 msolspray-ng.py --userlist ./userlist.txt --password Winter2020
This command uses the specified FireProx URL to spray from randomized IP addresses and writes the output to a file. See this for FireProx setup: https://github.com/ustayready/fireprox.
python3 msolspray-ng.py --userlist ./userlist.txt --password P@ssword --url https://api-gateway-endpoint-id.execute-api.us-east-1.amazonaws.com/fireprox --out valid-users.txt
This command will create a new tor circuit every 5 login attempts and use it to spray from randomized IP addresses.
python3 msolspray-ng.py --userlist ./userlist.txt --password P@ssword --tor --tor-control-pw H1d3M3 --tor-refresh-interval 5
TIPS:
[1] When using along with FireProx, pass option -H "X-My-X-Forwarded-For: 127.0.0.1" to spoof origin IP.
```
## :coffee: Support
Made with :green_heart: by y0k4i
Tags: Azure AD, FireProx, IP rotation, MFA detection, Microsoft Online, O365, OAuth2, Office 365, PoC, Python, Tor, credential validation, domain reconnaissance, password spraying, no backdoor, brute force, account enumeration, reverse engineering tool, lockout avoidance
