• Stars
    star
    590
  • Rank 75,794 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 5 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.

UhOh365

A script that can see if an email address is valid in Office365. This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.

Microsoft does not consider "email enumeration" a vulnerability, so this is taking advantage of a "feature". There are a couple other public Office365 email validation scripts out there, but they all (that I have seen) require at least 1 login attempt per user account. That is detectable and can be found as a light bruteforce attempt (1 "common" password across multiple accounts).

This script allows for email validation with zero login attempts and only uses Microsoft's built-in Autodiscover API so it is invisible to the person/company who owns the email address. Furthermore, this API call appears to be completely unthrottled and I was able to validate over 2,000 email addresses within 1 minute in my testing.

Usage

The script is actually really basic and easy to use. You make a file of the emails you want to see are valid or not and pass it as an argument to the script. Or you can provide a file just of usernames and give the -s argument to automatically append a suffix to each entry:

Usage: UhOh365.py [-h] [-v] [-t THREADS] [-o OUTPUT] file

positional arguments:
  file                  Input file containing one email per line

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Display each result as valid/invalid. By default only displays valid
  -s, --suffix	    Add a domain suffix to every input line from file (e.g: contoso.com)
  -t THREADS, --threads THREADS
                        Number of threads to run with. Default is 20
  -o OUTPUT, --output OUTPUT
                        Output file for valid emails only
  -n, --nossl           Turn off SSL verification. This can increase speed if
                        needed
  -p PROXY, --proxy PROXY
                        Specify a proxy to run this through (eg: 'http://127.0.0.1:8080')

Explanation

This is actually a very easy thing to do. It turns out the /autodiscover/autodiscover.json/v1.0/{EMAIL}?Protocol=Autodiscoverv1 API endpoint returns different status codes for if an email exists in o365 or not. 200 status code means it exists, a 302 means it doesn't exist.

If the email does exist: img

If the email does not exist: img

Notice this request takes zero authentication or identifying parameters and it does not cause a login attempt on the target account.

Author

Chris King

[email protected]

@raikiasec

More Repositories

1

FiercePhish

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
PHP
1,324
star
2

CredNinja

A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
C#
442
star
3

Kali-Setup

Script for Kali that adds a bunch of tools and customizes it to be much better
Python
171
star
4

SMBCrunch

3 tools that work together to simplify reconaissance of Windows File Shares
Perl
162
star
5

Recon-NG-API-Key-Creation

One of the biggest annoyances of using Recon-ng is getting everything set up to use it. So here I’ll outline the different API keys it can use and where to get them yourself.
162
star
6

SharpStat

C# utility that uses WMI to run "cmd.exe /c netstat -n", save the output to a file, then use SMB to read and delete the file remotely
C#
39
star
7

Get-ReconInfo

A powershell script that prints a lot of IP and connection info to the screen
PowerShell
30
star
8

Nmap-scripts

A collection of nmap scripts I've written
Lua
23
star
9

CredSwissArmy

DEPRECATED! LOOK AT CREDNINJA! A tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB
Perl
15
star
10

Misc-scripts

Honestly, these are just scripts for my own use and consumption. If someone wants to use them too, cool.
Shell
5
star
11

IPCheckScope

A simple script to help check if a list of IPs are within the provided network scopes
Python
3
star
12

dotfiles

Some simple dotfiles of mine.
Prolog
1
star