Closed Anthirian closed 1 year ago
Thanks for the feature request. This feature has been added in https://github.com/blacklanternsecurity/TREVORspray/commit/cbf72e6c00f6bf357d961dc1d891db3e3447e129. Users are now prompted for the entire domain instead of only the subdomain.
During a red team engagement I found out that Okta makes use of multiple domains for federation. My current target makes use of the okta-emea.com domain, but TREVORspray has okta.com hardcoded in okta.py:
Changing the URL allowed me to successfully spray a user account that I already knew the password for:
It might be possible to autodetect this with the recon module by inspecting the AuthURL parameter in the response for https://login.microsoftonline.com/getuserrealm.srf?login=test@[customer-domain]. Another way would be to add a specific argument or prompt in interactive mode.
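One way to implement the autodetection suggested in the issue, as an added example that is not part of the original issue or of TREVORspray's recon module: query getuserrealm.srf with `json=1` for a throwaway user in the target domain, check that the tenant is federated, and read the Okta org host out of the `AuthURL` field. The sample responses below are constructed, not captured from any real tenant, and the list of Okta-operated host suffixes is an assumption rather than an exhaustive list.

```python
"""Detect the Okta cell (okta.com, okta-emea.com, ...) a federated M365
tenant uses, from the AuthURL returned by getuserrealm.srf.

Added example, not TREVORspray code.  The response fields used here
(NameSpaceType, AuthURL) are the ones getuserrealm.srf returns with
json=1; the sample dicts are constructed and OKTA_SUFFIXES is assumed.
"""
import json
import urllib.request
from typing import Optional
from urllib.parse import urlencode, urlsplit

REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"

# Okta-operated base domains seen in federation AuthURLs.  Assumed list;
# extend it when another cell turns up.
OKTA_SUFFIXES = (".okta.com", ".okta-emea.com", ".oktapreview.com")


def fetch_realm(domain: str, timeout: float = 10.0) -> dict:
    """Live request: ask Microsoft which realm handles users in `domain`."""
    query = urlencode({"login": f"test@{domain}", "json": "1"})
    with urllib.request.urlopen(f"{REALM_URL}?{query}", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def okta_base_url(realm: dict) -> Optional[str]:
    """Return the Okta org base URL (scheme + host) a federated tenant
    authenticates through, or None when the tenant is managed, federated
    elsewhere (e.g. AD FS), or fronted by a vanity domain instead of an
    Okta-operated hostname, in which case the user must supply the domain."""
    if realm.get("NameSpaceType") != "Federated":
        return None
    auth_url = realm.get("AuthURL")
    if not auth_url:
        return None
    parts = urlsplit(auth_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(OKTA_SUFFIXES):
        return None
    return f"https://{host}"


# Constructed sample responses (field values invented for illustration).
SAMPLE_EMEA = {
    "Login": "test@example.org",
    "NameSpaceType": "Federated",
    "DomainName": "example.org",
    "AuthURL": "https://example.okta-emea.com/app/office365/"
               "exk0000000000000000/sso/wsfed/active",
    "FederationBrandName": "Example",
}
SAMPLE_MANAGED = {
    "Login": "test@example.org",
    "NameSpaceType": "Managed",
    "DomainName": "example.org",
}
SAMPLE_ADFS = {
    "NameSpaceType": "Federated",
    "AuthURL": "https://sts.example.org/adfs/ls/?wa=wsignin1.0",
}


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    detected = okta_base_url(fetch_realm(target))
    print(detected or "no Okta-operated federation host detected; prompt for the domain")
```

The vanity-domain case is the reason autodetection can only be a convenience: a tenant whose AuthURL points at `login.example.org` is still Okta behind the scenes, but nothing in the realm response says so, which is what the maintainer's fix (prompting for the full domain rather than just the subdomain) covers.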