MarkoH17 / Spray365

Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
MIT License

WsTrust server returned error in RSTR #11

Open quentinhardy opened 2 years ago

quentinhardy commented 2 years ago

Hello,

I have used:

python3.10 spray365.py generate normal -ep ex-plan.s365 -d dom.de -u users.txt -pf pwds.txt

It is a fresh install.

python3.10 spray365.py spray -ep ex-plan.s365

███████╗██████╗ ██████╗  █████╗ ██╗   ██╗██████╗  ██████╗ ███████╗
██╔════╝██╔══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝╚════██╗██╔════╝ ██╔════╝
███████╗██████╔╝██████╔╝███████║ ╚████╔╝  █████╔╝███████╗ ███████╗
╚════██║██╔═══╝ ██╔══██╗██╔══██║  ╚██╔╝   ╚═══██╗██╔═══██╗╚════██║
███████║██║     ██║  ██║██║  ██║   ██║   ██████╔╝ ██████╔╝███████║
╚══════╝╚═╝     ╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝   ╚═════╝  ╚═════╝ ╚══════╝
                         By MarkoH17 (https://github.com/MarkoH17)
                                               Version: 0.2.2-beta

[2022-08-05 06:37:15 - INFO]: Processing execution plan 'ex-plan.s365'
[2022-08-05 06:37:15 - INFO]: Identified 18650 credentials in the provided execution plan
[2022-08-05 06:37:15 - INFO]: Password spraying will take at least 559500 seconds, and should finish around 2022-08-11 18:02:15
[2022-08-05 06:37:15 - INFO]: Lockout threshold is set to 10 accounts
[2022-08-05 06:37:15 - INFO]: Starting to spray credentials
An exception was raised: RuntimeError650] (win_ie11_win8->webshellsuite->outlook): testaccount / thepassword (waiting...)
Stack trace from most recent exception:
Traceback (most recent call last):
  File "/home/myaccount/tools/Spray365/modules/spray/spray_exception_wrapper.py", line 13, in invoke
    return super(SprayExceptionWrapper, self).invoke(ctx)
  File "/home/myaccount/.local/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/myaccount/.local/lib/python3.10/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/home/myaccount/tools/Spray365/modules/spray/spray.py", line 159, in command
    auth_result = helpers.authenticate_credential(cred, proxy, insecure)
  File "/home/myaccount/tools/Spray365/modules/spray/helpers.py", line 52, in authenticate_credential
    raw_result = auth_app.acquire_token_by_username_password(
  File "/home/myaccount/.local/lib/python3.10/site-packages/msal/application.py", line 1420, in acquire_token_by_username_password
    response = _clean_up(self._acquire_token_by_username_password_federated(
  File "/home/myaccount/.local/lib/python3.10/site-packages/msal/application.py", line 1447, in _acquire_token_by_username_password_federated
    wstrust_result = wst_send_request(
  File "/home/myaccount/.local/lib/python3.10/site-packages/msal/wstrust_request.py", line 60, in send_request
    return parse_response(resp.text)
  File "/home/myaccount/.local/lib/python3.10/site-packages/msal/wstrust_response.py", line 49, in parse_response
    raise RuntimeError("WsTrust server returned error in RSTR: %s" % (error or body))
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'ID3242: The security token could not be authenticated or authorized.', 'code': 'a:FailedAuthentication'}
[2022-08-05 06:37:16 - INFO]: Authentication results saved to file 'spray365_results_2022-08-05_06-37-16.json'

It seems the msal library has been modified. I think authentication now requires a UPN, and not a username only.

Best regards,

puzzlepeaches commented 2 years ago

Seeing similar behavior on my end, but only in specific situations. I believe this is not related to UPN specification, but instead redirects caused by federated identity providers such as Okta, ADFS, OneLogin, etc. I have also seen this happen when a GSuite account accidentally makes its way into my spraying list. When attempting to log in with your "testaccount" above via a browser, are you redirected to an alternate login portal?

Let me know if not, and I can try to make some code modifications to specify a UPN to share here.

Regardless, we need to work on error handling in spray_exception_wrapper.py. It needs some work to better pass on/handle more fringe errors produced by msal.
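For defenders reading this thread: the run logged above paces itself at roughly one credential every 30 seconds (559500 seconds for 18650 credentials), so a per-account failure counter sees very little. The sketch below is an added example, not part of the issue or of Spray365; it counts distinct failing accounts per source in a sliding window. The event fields, addresses, user-agent labels and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed look-back window
MIN_USERS = 20                   # assumed: distinct failing accounts that trigger an alert


def make_events():
    """Constructed sample: one source trying a new account every 30 s while
    cycling three user agents, plus one ordinary user mistyping a password."""
    start = datetime(2022, 8, 5, 6, 37, 15)
    agents = ["ua-a", "ua-b", "ua-c"]
    events = [
        {"ts": start + timedelta(seconds=30 * i), "src": "198.51.100.7",
         "user": f"user{i:03d}@example.test", "ua": agents[i % 3], "ok": False}
        for i in range(40)
    ]
    events += [
        {"ts": start + timedelta(seconds=20 * i), "src": "203.0.113.9",
         "user": "alice@example.test", "ua": "ua-a", "ok": i == 3}
        for i in range(4)
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, key=lambda e: e["src"], window=WINDOW, min_users=MIN_USERS):
    """Return {group: peak distinct failing accounts in any window} for every
    group that reaches min_users. Events must be sorted by timestamp."""
    recent = defaultdict(deque)   # group -> (ts, user) failures still inside the window
    peak = defaultdict(int)
    for e in events:
        if e["ok"]:
            continue
        group = key(e)
        q = recent[group]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        peak[group] = max(peak[group], len({user for _, user in q}))
    return {g: n for g, n in peak.items() if n >= min_users}


if __name__ == "__main__":
    print("grouped by source:", detect_spray(make_events()))
    print("grouped by source + user agent:",
          detect_spray(make_events(), key=lambda e: (e["src"], e["ua"])))
```

Grouping by source flags the paced run, while adding the user agent to the grouping key splits the same attempts below the threshold. For a federated domain, the failed attempts are validated by the federation server, so its logs are the ones to feed in.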