search

Password Spraying O365

hashtag
Overview

The majority of companies use Office 365 and Outlook with their Active Directory set up. If you find valid credentials for either of these there is a high chance that those credentials will also work with something like a VPN because all of the accounts are managed through Active Directory.

A great tool for password spraying O365 is TREVORsprayarrow-up-right. Again, tools come and go so this isn't the only option.

hashtag
TREVORspray

Spray using a valid emails list and a single password and a delay of 15 seconds to avoid detection

trevorspray -u valid_emails.txt -p 'Welcome123' --delay 15

Doing the same thing except using AWS machines as a proxy and SSH

trevorspray -u valid_emails.txt -p 'Welcome123' --delay 5 --no-current-ip --ssh [email protected] -k adot8.pem
From TCM Course

Sometimes you may get this warning instead of a SUCCESS notification. This warning can be a successful login as well. Verify using the actual O365 login panel.

From TCM Course
triangle-exclamation

Identify the lockout policy before spraying so you don't lock everyone out of their accounts

circle-check

If a company has 5 passwords attempts as their policy, you can try 4 passwords and wait an hour until the next round

Once we get a foothold into an account digging through Outlook, Onedrive, OneNote, Sharepoint and Teams

Don't spray against a VPN login portal because they have good detection systems in place.

hashtag
AWS Proxy Setup

We can setup a free AWS Cloud account and create Ubuntu machines using the EC2 service and the Free Tier Eligible option for everything.

Use the default credentials and create a new key pair.

To spin up more you can go to your Instances Console -> Actions -> Image and Templates -> Launch more like this. Tie it to the same key pair and launch that sucker.

PreviousAttacking Login PortalsNextPassword Spraying OWA

Last updated