Password Spray

This example uses password spraying. I shouldn't have to say that this is horrible opsec if you do not limit it heavily. One case where it applies is when you find a leaked password pertaining to the company but do not have an account to use it against.

MSOLSpray

We can use MSOLSpray (https://github.com/dafthack/MSOLSpray) to password spray the accounts that we discovered.

The tool supports fireprox (https://github.com/ustayready/fireprox) to rotate the source IP address on authentication requests.


    # Dot-source the script so Invoke-MSOLSpray is defined in the current session
    . C:\AzAD\Tools\MSOLSpray\MSOLSPray.ps1
    Invoke-MSOLSpray -UserList C:\AzAD\Tools\validemails.txt -Password SuperVeryEasytoGuessPassword@1234 -Verbose
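Seen from the detection side, source-IP rotation means a per-IP failure threshold will not catch this spray, while counting distinct accounts that fail with AADSTS50126 inside a time window will. The following is an added example, not part of the original notes or of MSOLSpray; the record fields (time, user, ip, code), the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126             # AADSTS50126: invalid username or password
WINDOW = timedelta(minutes=30)   # assumed tuning values, adjust per tenant
MIN_USERS = 5
MAX_TRIES_PER_USER = 2

# Constructed sample events (simplified fields, not a real sign-in log export).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [  # six accounts, one failure each, every request from a different IP
    {"time": T0 + timedelta(minutes=2 * i), "user": f"user{i}@contoso.example",
     "ip": f"198.51.100.{10 + i}", "code": BAD_PASSWORD} for i in range(6)]
SAMPLE += [  # one user mistyping a password four times from one IP
    {"time": T0 + timedelta(hours=3, minutes=i), "user": "alice@contoso.example",
     "ip": "203.0.113.7", "code": BAD_PASSWORD} for i in range(4)]

def per_ip_rule(events, threshold=5):
    """Naive rule: source IPs with at least `threshold` bad-password failures."""
    per_ip = defaultdict(int)
    for e in events:
        if e["code"] == BAD_PASSWORD:
            per_ip[e["ip"]] += 1
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def detect_spray(events, window=WINDOW, min_users=MIN_USERS):
    """Flag windows where many distinct accounts fail with few tries each.
    Source IP is deliberately not part of the grouping key."""
    failures = sorted((e for e in events if e["code"] == BAD_PASSWORD),
                      key=lambda e: e["time"])
    alerts, i = [], 0
    while i < len(failures):
        start = failures[i]["time"]   # window anchored at first unprocessed failure
        batch = [f for f in failures[i:] if f["time"] - start <= window]
        tries = defaultdict(int)
        for f in batch:
            tries[f["user"]] += 1
        sprayed = sorted(u for u, n in tries.items() if n <= MAX_TRIES_PER_USER)
        if len(sprayed) >= min_users:
            alerts.append({"start": start, "users": sprayed,
                           "distinct_ips": len({f["ip"] for f in batch})})
        i += len(batch)
    return alerts

if __name__ == "__main__":
    print("per-IP rule:", per_ip_rule(SAMPLE))
    for a in detect_spray(SAMPLE):
        print(a["start"], len(a["users"]), "accounts from", a["distinct_ips"], "IPs")
```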

A normal user has many interesting permissions in Entra ID!

  • Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties

  • Invite Guests

  • Create Security groups

  • Read non-hidden Group memberships

  • Add guests to Owned groups

  • Create new application

  • Add up to 50 devices to Azure

If you spray and find credentials, you can log in at the Azure portal (https://portal.azure.com/) and enumerate Users, Groups, Devices, Directory Roles and Enterprise Applications.
