
dafthack/MSOLSpray

A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

Top Related Projects

SprayingToolkit: Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient

CredMaster: Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

FireProx: AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation

Quick Overview

MSOLSpray is a password spraying tool designed for Microsoft Online accounts (Office 365/Azure AD). It allows security professionals to test the strength of user passwords by attempting a single password across multiple accounts. This tool is intended for authorized penetration testing and security auditing purposes only.

Pros

  • Efficient password spraying for Microsoft Online accounts
  • Supports various authentication methods (legacy and modern)
  • Includes features to avoid account lockouts
  • Customizable options for targeted testing

Cons

  • Potential for misuse if not used responsibly
  • May trigger security alerts in target environments
  • Limited to Microsoft Online accounts only
  • Requires careful configuration to avoid unintended consequences

Code Examples

# Basic usage with a single password
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\users.txt -Password "Winter2023!"

# Specifying the URL to authenticate against (the README documents -URL)
Invoke-MSOLSpray -UserList .\users.txt -Password "Winter2023!" -URL https://login.microsoftonline.com

# Writing valid results to a file; -Force continues when multiple lockouts are detected
Invoke-MSOLSpray -UserList .\users.txt -Password "Spring2023!" -OutFile "results.txt" -Force

Getting Started

  1. Clone the repository:

    git clone https://github.com/dafthack/MSOLSpray.git
    
  2. Navigate to the directory:

    cd MSOLSpray
    
  3. Import the module:

    Import-Module .\MSOLSpray.ps1
    
  4. Run a basic password spray:

    Invoke-MSOLSpray -UserList .\users.txt -Password "YourTestPassword123!"
    

Note: Ensure you have proper authorization before using this tool. Use responsibly and in compliance with all applicable laws and regulations.

Competitor Comparisons

SprayingToolkit: Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient

Pros of SprayingToolkit

  • Supports multiple protocols and services (Office 365, OWA, Lync/Skype, ADFS)
  • Includes additional features like username enumeration and MFA detection
  • Offers more customization options and flexibility

Cons of SprayingToolkit

  • More complex setup and usage compared to MSOLSpray
  • Requires additional dependencies and libraries
  • May have a steeper learning curve for beginners

Code Comparison

MSOLSpray:

# -UserList takes the path to the user list file (one address per line)
$UserList = ".\userlist.txt"
$Password = "Winter2020!"
Invoke-MSOLSpray -UserList $UserList -Password $Password

SprayingToolkit:

from core import cli
from core.utils import parse_targets

args = cli.parse_arguments()
targets = parse_targets(args)
sprayer = cli.pick_sprayer(args)
sprayer.spray(targets, args)

The code comparison shows that MSOLSpray is more straightforward and easier to use, while SprayingToolkit offers more flexibility and options but requires more setup and configuration.

CredMaster: Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

Pros of CredMaster

  • Supports multiple authentication protocols (OAuth, ADFS, etc.) beyond just MSOL
  • Includes built-in proxy support for enhanced anonymity
  • Offers more customizable options for rate limiting and jitter

Cons of CredMaster

  • More complex setup and configuration required
  • Potentially slower execution due to additional features and options
  • Less focused on specifically targeting Microsoft Online accounts

Code Comparison

MSOLSpray:

$UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
$Uri = "https://login.microsoftonline.com/common/oauth2/token"

CredMaster:

import random

def get_random_useragent():
    # Pick one User-Agent string per call from a fixed list
    user_agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
        # ... more user agents
    ]
    return random.choice(user_agents)

The code comparison shows that CredMaster uses a more dynamic approach to user agent selection, potentially improving evasion capabilities. MSOLSpray uses a fixed user agent string, which may be easier to detect.

FireProx: AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation

Pros of FireProx

  • Provides a dynamic IP rotation mechanism, enhancing anonymity
  • Utilizes AWS API Gateway for proxy creation, offering scalability
  • Supports various HTTP methods (GET, POST, PUT, etc.)

Cons of FireProx

  • Requires AWS account and configuration
  • May incur costs associated with AWS usage
  • More complex setup compared to MSOLSpray

Code Comparison

FireProx:

def create_api(self, name, target):
    response = self.client.create_rest_api(
        name=name,
        description='FireProx API'
    )
    api_id = response['id']
    # ... (additional configuration code)

MSOLSpray:

function Invoke-MSOLSpray {
    param(
        [Parameter(Mandatory=$true)]
        [string]$UserList,
        [Parameter(Mandatory=$true)]
        [string]$Password
    )
    # ... (password spraying logic)
}

Key Differences

  • FireProx focuses on creating dynamic proxies for various web requests
  • MSOLSpray is specifically designed for Office 365 password spraying
  • FireProx is written in Python, while MSOLSpray is a PowerShell script
  • MSOLSpray is more targeted towards Microsoft services authentication
  • FireProx offers broader application in web-based penetration testing scenarios

README

MSOLSpray

A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!

Why another spraying tool?

Yes, I realize there are other password spraying tools for O365/Azure. The main difference with this one is that this tool is looking not only for valid passwords, but also for the extremely verbose information Azure AD error codes give you. These error codes provide information relating to if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, if the account is disabled, if the password is expired and much more.

So this doubles as not only a password spraying tool but also a Microsoft Online recon tool that will provide account/domain enumeration. In limited testing it appears that on valid login to the Microsoft Online OAuth2 endpoint it isn't auto-triggering MFA texts/push notifications, making this really useful for finding valid creds without alerting the target.

Lastly, this tool works well with FireProx to rotate source IP addresses on authentication requests. In testing this appeared to avoid getting blocked by Azure Smart Lockout.
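
From the defender's side, the same AADSTS error codes show up in the ResultType column of Azure AD sign-in logs, and they can be used to spot a spray even when the source address changes on every request. The sketch below is an added example, not part of MSOLSpray or its README; it assumes events exported with SigninLogs-style column names, and every user, address and User-Agent in the sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS codes as found in the ResultType column; "0" is a successful sign-in.
FAILED_GUESS = {"50126", "50034", "50053"}  # bad password, unknown user, locked
PASSWORD_OK = {"0", "50076", "50079"}       # success, or correct password then MFA

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag a source IP or User-Agent that fails against many users in one window."""
    findings = []
    for field in ("IPAddress", "UserAgent"):  # UserAgent still groups rotated IPs
        groups = defaultdict(list)
        for e in events:
            groups[e[field]].append(e)
        for value, evs in groups.items():
            evs.sort(key=lambda e: e["TimeGenerated"])
            for i, first in enumerate(evs):
                in_win = [e for e in evs[i:]
                          if e["TimeGenerated"] - first["TimeGenerated"] <= window]
                failed = {e["UserPrincipalName"] for e in in_win
                          if e["ResultType"] in FAILED_GUESS}
                if len(failed) >= min_users:
                    # Accounts where the same source got the password right
                    guessed = sorted({e["UserPrincipalName"] for e in in_win
                                      if e["ResultType"] in PASSWORD_OK})
                    findings.append({"field": field, "value": value,
                                     "failed_users": len(failed),
                                     "password_guessed": guessed})
                    break  # one finding per value is enough
    return findings

def _ev(minute, user, ip, code, ua="ExampleAgent/1.0 (constructed)"):
    return {"TimeGenerated": datetime(2024, 1, 8, 9, minute), "IPAddress": ip,
            "UserPrincipalName": user + "@example.com", "ResultType": code,
            "UserAgent": ua}

# Constructed sample: six accounts tried once each from six addresses with one
# User-Agent, then one user mistyping a password before signing in normally.
SAMPLE = [
    _ev(0, "alice", "203.0.113.10", "50126"),
    _ev(1, "bob", "203.0.113.11", "50126"),
    _ev(2, "carol", "203.0.113.12", "50034"),
    _ev(3, "dave", "203.0.113.13", "50076"),
    _ev(4, "erin", "203.0.113.14", "50053"),
    _ev(5, "frank", "203.0.113.15", "50126"),
    _ev(7, "zed", "198.51.100.7", "50126", ua="Browser/1.0 (constructed)"),
    _ev(8, "zed", "198.51.100.7", "0", ua="Browser/1.0 (constructed)"),
]
```

Only the User-Agent grouping fires on this sample, because every attempt arrives from a different address; `password_guessed` names the accounts whose credentials should be reset first.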

Quick Start

You will need a userlist file with target email addresses one per line. Open a PowerShell terminal from the Windows command line with 'powershell.exe -exec bypass'.

Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020

Invoke-MSOLSpray Options

UserList  - UserList file filled with usernames one-per-line in the format "user@domain.com"
Password  - A single password that will be used to perform the password spray.
OutFile   - A file to output valid results to.
Force     - Forces the spray to continue and not stop when multiple account lockouts are detected.
URL       - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from.