Password Spraying O365
Overview
The majority of companies use Office 365 and Outlook alongside their Active Directory setup. If you find valid credentials for either of these, there is a high chance that they will also work with something like a VPN, because all of the accounts are managed through Active Directory.
A great tool for password spraying O365 is TREVORspray. Again, tools come and go so this isn't the only option.
TREVORspray
Spray using a list of valid emails, a single password, and a delay of 15 seconds to avoid detection
trevorspray -u valid_emails.txt -p 'Welcome123' --delay 15
The same thing, except using AWS machines as a proxy over SSH
trevorspray -u valid_emails.txt -p 'Welcome123' --delay 5 --no-current-ip --ssh [email protected] -k adot8.pem

Sometimes you may get this warning instead of a SUCCESS notification. This warning can be a successful login as well. Verify using the actual O365 login panel.

Identify the lockout policy before spraying so you don't lock everyone out of their accounts.
If a company has 5 password attempts as their policy, you can try 4 passwords and wait an hour until the next round.
Once we get a foothold in an account, dig through Outlook, OneDrive, OneNote, SharePoint and Teams.
Don't spray against a VPN login portal, because these have good detection systems in place.
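Seen from the detection side, the pattern in the notes above (one password, many accounts, attempts kept under the lockout limit) does not show up in per-account failure counts, so it has to be counted across accounts. The following is an added example, not part of the original page or of TREVORspray; the record layout, thresholds and all sample data are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed records, not real logs: (time, account, source IP, outcome)."""
    t0 = datetime(2024, 1, 8, 9, 0)
    ev = [(t0 + timedelta(seconds=15 * i), f"user{i:02d}@example.com",
           f"203.0.113.{10 + i % 3}", "failure") for i in range(12)]
    ev.append((t0 + timedelta(seconds=200), "user05@example.com", "203.0.113.12", "success"))
    # Ordinary noise: one person mistyping from the office, then signing in.
    ev += [(t0 + timedelta(seconds=30 * i), "alice@example.com", "198.51.100.7", "failure")
           for i in range(3)]
    ev.append((t0 + timedelta(seconds=120), "alice@example.com", "198.51.100.7", "success"))
    return ev

def detect_spray(events, window=timedelta(minutes=10), min_accounts=8, max_per_account=2):
    """Return one finding per burst in which many accounts each fail only a few times.

    Failures are counted tenant-wide rather than per source IP, so attempts
    spread across several addresses still add up. Thresholds are assumptions.
    """
    recent, findings, active = deque(), [], None
    for ts, user, ip, outcome in sorted(events):
        if outcome != "failure":
            continue
        recent.append((ts, user, ip))
        while ts - recent[0][0] > window:      # slide the window forward
            recent.popleft()
        per_user = Counter(u for _, u, _ in recent)
        # Accounts under the per-account limit never trip a lockout on their own.
        low = {u for u, n in per_user.items() if n <= max_per_account}
        if len(low) < min_accounts:
            active = None
            continue
        if active is None:
            active = {"start": recent[0][0], "accounts": set(), "sources": set()}
            findings.append(active)
        active["end"] = ts
        active["accounts"] |= low
        active["sources"] |= {i for _, u, i in recent if u in low}
    return findings

def successes_to_review(events, finding, grace=timedelta(hours=1)):
    """Accounts that signed in successfully from a spray source during or soon after it."""
    return sorted({u for ts, u, ip, outcome in events
                   if outcome == "success" and ip in finding["sources"]
                   and finding["start"] <= ts <= finding["end"] + grace})

if __name__ == "__main__":
    for f in detect_spray(sample_events()):
        print(f["start"], len(f["accounts"]), sorted(f["sources"]), successes_to_review(sample_events(), f))
```

In the sample data no single source address fails against more than four accounts, so only the cross-account count reaches the threshold; the success that follows from one of those addresses is the account to reset and investigate first.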
AWS Proxy Setup
We can set up a free AWS Cloud account and create Ubuntu machines using the EC2 service and the Free Tier Eligible option for everything.
Use the default credentials and create a new key pair.
To spin up more you can go to your Instances Console -> Actions -> Image and Templates -> Launch more like this. Tie it to the same key pair and launch that sucker.