• Stars
    star
    1,258
  • Rank 37,383 (Top 0.8 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created about 4 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for checking if MFA is enabled on multiple Microsoft Services

MFASweep

MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected.

Currently MFASweep has the ability to login to the following services:

  • Microsoft Graph API
  • Azure Service Management API
  • Microsoft 365 Exchange Web Services
  • Microsoft 365 Web Portal w/ 6 device types (Windows, Linux, MacOS, Android Phone, iPhone, Windows Phone)
  • Microsoft 365 Active Sync
  • ADFS

WARNING: This script attempts to login to the provided account TEN (10) different times (11 if you include ADFS). If you entered an incorrect password this may lock the account out.

For more information check out the blog post here: Exploiting MFA Inconsistencies on Microsoft Services

MFASweep Example

Single Factor Access Results Example

Usage

This command will use the provided credentials and attempt to authenticate to the Microsoft Graph API, Azure Service Management API, Microsoft 365 Exchange Web Services, Microsoft 365 Web Portal with both a desktop browser and mobile, and Microsoft 365 Active Sync.

Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 

This command runs with the default auth methods and checks for ADFS as well.

Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS

Individual Modules

Each individual module can be run separately if needed as well.

Microsoft Graph API

Invoke-GraphAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 

Azure Service Management API

Invoke-AzureManagementAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 

Microsoft 365 Exchange Web Services

Invoke-EWSAuth -Username targetuser@targetdomain.com -Password Winter2020 

Microsoft 365 Web Portal

Invoke-O365WebPortalAuth -Username targetuser@targetdomain.com -Password Winter2020 

Microsoft 365 Web Portal w/ Mobile User Agent

Invoke-O365WebPortalAuthMobile -Username targetuser@targetdomain.com -Password Winter2020 

Microsoft 365 Active Sync

Invoke-O365ActiveSyncAuth -Username targetuser@targetdomain.com -Password Winter2020 

ADFS

Invoke-ADFSAuth -Username targetuser@targetdomain.com -Password Winter2020 

More Repositories

1

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
PowerShell
2,891
star
2

CloudPentestCheatsheets

This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers.
2,499
star
3

DomainPasswordSpray

DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!
PowerShell
1,725
star
4

MSOLSpray

A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
PowerShell
883
star
5

GraphRunner

A Post-exploitation Toolset for Interacting with the Microsoft Graph API
PowerShell
843
star
6

PowerMeta

PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
PowerShell
538
star
7

HostRecon

This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
PowerShell
424
star
8

Check-LocalAdminHash

Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code. It utilizes Kevin Robertson's (@kevin_robertson) Invoke-TheHash project for the credential checking portion. Additionally, the script utilizes modules from PowerView by Will Schroeder (@harmj0y) and Matt Graeber (@mattifestation) to enumerate domain computers to find targets for testing admin access against.
PowerShell
169
star
9

RDPSpray

Tool for password spraying RDP
Python
91
star
10

PowerWebShot

A PowerShell tool for taking screenshots of multiple web servers quickly.
PowerShell
90
star
11

PassphraseGen

A script for generating custom passphrase lists to be used for password cracking with hashcat rules
PowerShell
79
star
12

EmailAddressMangler

This module mangles two lists of names together to generate a list of potential email addresses or usernames. It can also be used to simply combine a list of full names in the format (firstname lastname) into either email addresses or usernames.
PowerShell
47
star
13

lab_scripts

Repo for hosting various scripts for creating users for password spraying and other password attacks.
10
star
14

BasicPHPRedirector

A basic PHP redirection site that captures request headers
PHP
9
star
15

Ethereham

A script for tracking and decoding input data messages sent to and from a particular Ethereum address or from every transaction in a block.
Python
9
star
16

blockchain-developer-bootcamp-final-project

4
star
17

dafthack

About Me
1
star