CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/auxiliary/scanner/http/azure_ad_login.md
Views: 1904
Vulnerable Application
The Microsoft Azure AD SSO service has a vulnerable endpoint that delivers an error-code based response to specific authentication requests in XML. The endpoint, when passed the correct credentials, will respond with a DesktopSsoToken that can be used to authenticate to Azure AD. When the authentication is unsuccessful, the error code that is returned can be used to discover the validity of usernames in the target tenant. This module also reports credentials to the credentials database when they are discovered.
Verification Steps
Start
msfconsole
use auxiliary/scanner/http/azure_ad_login
show info
set USER_FILE USER_FILE
set PASS_FILE PASS_FILE
set DOMAIN example.com
run
Check output for validity of your test username(s), and password(s)
Options
DOMAIN
The target tenant domain to use for the username checks.
USERNAME
A specific username to verify.
PASSWORD
A specific password to verify.
USER_FILE
A file with users, one per line.
PASS_FILE
A file with passwords, one per line.
Scenarios
Azure AD Tenants with SSO Enabled
If a tenant's domain is known, you can use this module for username and password brute-forcing.
Specific target output replaced with *s so as not to disclose information
If a tenant's domain is known, you can enumerate their usernames