blacklanternsecurity / TREVORspray

TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!
GNU General Public License v3.0
1.04k stars 147 forks

Feature request: allow specifying Okta domain #22

Closed Anthirian closed 1 year ago

Anthirian commented 2 years ago

During a red team engagement I found out that Okta makes use of multiple domains for federation. My current target makes use of the okta-emea.com domain, but TREVORspray has okta.com hardcoded in okta.py:

# default target URL
default_url = 'https://{subdomain}.okta.com/api/v1/authn'

Changing the URL allowed me to successfully spray a user account that I already knew the password for:

# default target URL
default_url = 'https://{subdomain}.okta-emea.com/api/v1/authn'

It might be possible to autodetect this with the recon module by inspecting the AuthURL parameter in the response for https://login.microsoftonline.com/getuserrealm.srf?login=test@[customer-domain]. Another way would be to add a specific argument or prompt in interactive mode.

TheTechromancer commented 1 year ago

Thanks for the feature request. This feature has been added in https://github.com/blacklanternsecurity/TREVORspray/commit/cbf72e6c00f6bf357d961dc1d891db3e3447e129. Users are now prompted for the entire domain instead of only the subdomain.
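The AuthURL inspection suggested in the issue, as an added Python example that is not TREVORspray's code: it parses a getuserrealm.srf JSON body offline and keeps the full Okta host rather than assuming okta.com. The sample response, the function names, and the `okta*` second-label heuristic are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample body for a federated domain; all values are made up.
SAMPLE_REALM = json.dumps({
    "NameSpaceType": "Federated",
    "DomainName": "example.com",
    "AuthURL": "https://example.okta-emea.com/app/office365/exkEXAMPLE"
               "/sso/wsfed/passive?username=test%40example.com",
})

AUTHN_PATH = "/api/v1/authn"  # path taken from default_url quoted in the issue
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def okta_host_from_realm(body):
    """Return the full Okta host named in AuthURL, or None if there is none."""
    try:
        data = json.loads(body)
        auth_url = data.get("AuthURL") if isinstance(data, dict) else None
        if not isinstance(auth_url, str):
            return None  # managed domain, or no federation endpoint listed
        parts = urlsplit(auth_url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # invalid JSON or malformed URL
        return None
    if parts.scheme != "https" or not HOST_RE.match(host):
        return None
    labels = host.split(".")
    # Heuristic (assumption): an Okta-hosted org looks like <org>.<okta...>.<tld>,
    # which covers okta.com and okta-emea.com; custom domains return None.
    if len(labels) != 3 or not labels[1].startswith("okta"):
        return None
    return host


def authn_url(domain):
    """Build the authn URL from the entire domain, not just a subdomain."""
    domain = domain.strip().lower()
    if not HOST_RE.match(domain):
        raise ValueError("expected a bare hostname, got %r" % domain)
    return "https://" + domain + AUTHN_PATH


if __name__ == "__main__":
    print(authn_url(okta_host_from_realm(SAMPLE_REALM)))
```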