Offensive Security Tool: Go365


Description

Go365 by optiv, is a tool designed to help security professionals and researchers perform user enumeration and password guessing attacks on organizations that use Office365. Go365 uses a unique SOAP API endpoint on login.microsoftonline.com that most other tools do not use. When queried with an email address and password, the endpoint responds with an Azure AD Authentication and Authorization code. This code is then processed by Go365 and the result is printed to screen or an output file.

User enumeration is performed in conjunction with a password guess attempt. Thus, there is no specific flag or functionality to perform only user enumeration. Instead, conduct your first password guessing attack, then parse the results for valid users.


Notes:

This tool might not work on all domains that utilize o365. Tests show that it works with most federated domains. Some domains will only report valid users even if a valid password is also provided. Your results may vary!

The domains this tool was tested on showed that it did not actually lock out accounts after multiple password failures. Your results may vary!

This tool is intended to be used by security professionals that are authorized to “attack” the target organization’s o365 instance.


Obtaining:-

Option 1

  • Download a pre-compiled binary for your OS HERE.

Option 2

Download the source and compile it locally.

  • Install Go.
  • Clone the repo.
  • Navigate to the repo and compile ya dingus.
  • go build Go365.go
  • Run the resulting binary

Usage:-
$ ./Go365

Examples:-
  •  ./Go365 -endpoint rst -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com
  •   ./Go365 -endpoint graph -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5
  •   ./Go365 -endpoint rst -up ./userpass_list.txt -delay 3600 -d pwnthisfakedomain.com -w 5 -o Go365output.txt
  •   ./Go365 -endpoint graph -u legituser -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxy 127.0.0.1:1080
  •   ./Go365 -endpoint rst -u legituser -pl ./pass_list.txt -delay 1800 -d pwnthisfakedomain.com -w 5 -o Go365output.txt -proxyfile ./proxyfile.txt
  •   ./Go365 -endpoint graph -ul ./user_list.txt -p 'coolpasswordbro!123' -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login

  You can even schedule out your entire password guessing campaign using the -pl and -delay flags :)
  •   ./Go365 -endpoint rst -ul ./user_list.txt -d pwnthisfakedomain.com -w 5 -o Go365output.txt -url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login -proxyfile listofprox.txt -pl listofpasswords.txt -delay 7200

Usage:-

  -h                            Shows this stuff


Required - Endpoint:

    -endpoint [rst or graph]    Specify which endpoint to use
                                : (-endpoint rst)   *Classic Go365!* login.microsoftonline.com/rst2.srf. SOAP XML request with XML response
                                : (-endpoint graph)  login.microsoft.com/common/oauth2/token. HTTP POST request with JSON Response

  Required - Usernames and Passwords:

    -u <string>                 Single username to test
                                : Username with or without "@domain.com"
                                : Must also provide -d flag to specify the domain
                                : (-u legitfirst.lastname@totesrealdomain.com)

    -ul <file>                  Username list to use (overrides -u)
                                : File should contain one username per line
                                : Usernames can have "@domain.com"
                                : If no domain is specified, the -d domain is used
                                : (-ul ./usernamelist.txt)

    -p <string>                 Password to attempt
                                : Enclose in single quotes if it contains special characters
                                : (-p password123)  or  (-p 'p@s$w0|2d')

    -pl <file>                  Password list to use (overrides -p)
                                : File should contain one password per line
                                : -delay flag can be used to include a pause between each set of attempts
                                : (-pl ./passwordlist.txt)

    -up <file>                  Userpass list to use (overrides all the above options)
                                : One username and password separated by a ":" per line
                                : Be careful of duplicate usernames!
                                : (-up ./userpasslist.txt)

  Required/Optional - Domain:

    -d <string>                 Domain to test
                                : Use this if the username or username list does not include "@targetcompany.com"
                                : (-d targetcompany.com)

  Optional:

    -w <int>                    Time to wait between attempts in seconds.
                                : Default: 1 second. 5 seconds recommended.
                                : (-w 10)

    -delay <int>                Delay (in seconds) between sprays when using a password list.
                                : Default: 60 minutes (3600 seconds) recommended.
                                : (-delay 7200)

    -o <string>                 Output file to write to
                                : Will append if file exists, otherwise a file is created
                                : (-o ./Go365output.out)

    -proxy <string>             Single SOCKS5 proxy server to use
                                : IP address and Port separated by a ":"
                                : SOCKS5 proxy
                                : (-proxy 127.0.0.1:1080)

    -proxyfile <string>         A file with a list of SOCKS5 proxy servers to use
                                : IP address and Port separated by a ":" on each line
                                : Randomly selects a proxy server to use before each request
                                : (-proxyfile ./proxyfile.txt)

    -url <string>               Endpoint to send requests to
                                : Amazon API Gateway 'Invoke URL'
                                : Highly recommended that you use this option. Google it, or
                                : check this out: https://bigb0sss.github.io/posts/redteam-rotate-ip-aws-gateway/
                                : (-url https://notrealgetyourown.execute-api.us-east-2.amazonaws.com/login)

    -debug                      Debug mode.
                                : Print xml response

Protip:-
If you get a lot of "Account locked out" responses, then you might wanna proxy or use an AWS Gateway.

Comments

Post a Comment

Popular posts from this blog

OSINT Tool in Termux

Image
The Instagram OSINT Tool gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile The information includes: [ profile ] : user id, followers / following, number of uploads, profile img URL, business enum, external URL, joined Recently, etc [ tags & mentions ] : most used hashtags and mentioned accounts [ email ] : if any email is used any where it'll be displayed [ posts ] : accessability caption, location, timestamp, caption, picture url, etc ( yet not working correctly with posts instagram marks as 'sensitive cotent' ) How To Install apt update && upgrade -y Pkg install git pkg install python3 git clone https://github.com/th3unkn0n/osi.ig.git && cd osi.ig python3 -m pip install -r requirements.txt Usage python3 main.py -u username
Read more

Active Directory Ransomware Attacks

Image
    Organizations worldwide use Active Directory (AD) as their primary identity service , which makes it a top target for ransomware attacks . This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace. The two phases of a ransomware attack A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device , and within minutes data across the network is encrypted and a ransom demand is displayed on every screen . The reality is quite different. Ransomware attacks today tend to be quite sophisticated and methodical . To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout , attackers proceed in two phases: Find an entry point — The first step is to gain a foothold in the victim organization ’s network . One common strategy is to comp...
Read more

How to perform a Man-in-the-middle (MITM) attack with Kali Linux

Image
Learn how to perform a Man in the middle attack with arpspoof, driftnet and urlsnarf in Kali Linux In this article, you will learn how to perform a MITM attack to a device that's connected in the same Wi-Fi networks as yours. Requirements This article assumes that you know what is a network interface and you know to how to work with Kali Linux and the command line. Before starting, you will need to know the name of the Network interface (installed on your machine) and the IP of the router that provides Wi-Fi access. The Network Interface Name can be easily obtained as running the ifconfig command on a terminal, then from the list copy the name of the interface that you want to use. The IP of the router can be obtained executing ip route show on a terminal and a message like "default via [This is the router IP]". From the victim, you will only need the IP (the user needs to be connected to the network provided by the router). The process of obtaining the device IP of the v...
Read more