From Error to Entry: Cracking the Code of Password-Spraying Tools

Introduction

First things first, all of the tools in this blog post are really great tools and I have used most of them. (Thanks to the authors of the tools for sacrificing time and energy to write tools for the community!) After reading this post, I hope everyone will start to read the code in the tools more and do their own due diligence when it comes to what you are trying to achieve. By following that principle, you will learn more and understand your attacks way better. This post highlights a neat little thing I found on a recent engagement with W9HAX that gave us initial access into an environment.

Error Code Our Way In

We have all been there: we want to gain access into the customer's network and we need to do some password spraying in order to achieve it. So, how do we go about password spraying and getting access? On my engagements, Office 365 is normally involved and there are several tools out there that can password-spray Office 365.

Let me list out the most popular ones (I also asked Twitter for help on the subject):

All of these tools are great and do a fantastic job of spraying passwords and showing success or not in the output. They have other features as well, but I am not going to go over each tool since that is not the purpose of this blog post. I cannot be 100% certain on this, but based on the code from the different projects, it might seem as though MSOLSpray was an inspiration to most of the tools in terms of the spraying. It might seem that MSOLSpray was one of the first tools out there in terms of spraying towards Office 365 (This is just my guess). Okay, here is how MSOLSpray determines if it is a success or failure.

Basically, this means that when a request with the current username and password is made towards https://login.microsoft.com, it will mark it as a successful login if the StatusCode returned is 200. If it is not, it enters the Else Clause, and this is where things get interesting.

As you can see, it looks up the error code from the response inside the Else Clause, and these error codes are part of the Microsoft Entra (previously Azure AD) Security Token Service (shortened to AADSTS). At the time of writing this blog post, there are 302 different error codes you could get as a response from AADSTS. In November 2020, there were only 242 different error codes, so things are changing. Our big discovery during our engagement was that the error message AADSTS50079 means that you can onboard MFA for the user. In most tools, this error code is just highlighted as MFA is in use. Here is the code from MSOLSpray specifically:

This might be information you already knew, or something people usually check during spraying. However, let's assume for now that most consultants will maybe randomly try to log in to one or two accounts with MFA in use, see that MFA is required, and move on. That's what I would have normally done before. I never took the time to check all of them, or even to check if there was a difference between AADSTS50079 and AADSTS50076. Well, there is a big difference. AADSTS50079 does indeed mean that the user needs to onboard MFA. The screenshot below is what you will see with the AADSTS50079 error.

Long story short about our engagement, we were able to login to Office 365, complete the registration of MFA for the user, and gain remote access.

This entire adventure got me thinking that this is possibly something other offensive security people are not aware of in their testing. Was there more we were missing and not checking with regards to those error messages and StatusCodes? Are there any differences in the tools we use regarding those error messages?

Comparing AADSTS Errors and Code

If we compare the AADSTS documentation from 2020 and now, it is no wonder why code was initially written to just highlight it as MFA enabled and not that the user must onboard MFA.

The screenshot above shows the description from the 2020 version that I pulled from the wayback machine. As you can see, it does not say that the user has to onboard MFA, it says that the user is required to use MFA. Now, let’s check the 2024 description of that same error message.

You can see that this actually means that the user needs to complete the registration of MFA. Also, if you look at the name, UserStrongAuthEnrollmentRequired, we are also getting a hint with enrollment being required. We also found that it might be possible that the errors AADSTS50072 and AADSTS53004 would also reveal accounts that are required to complete the MFA setup; however, we did not experience that on our engagement (we did look for it, though).
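To make the distinction concrete, here is an added Python example (not code from MSOLSpray or any of the tools discussed) that does what the tools' else clause does: pull the AADSTS code out of the token endpoint's error body and classify it, treating AADSTS50079 as "MFA registration not completed" rather than just "MFA in use", with AADSTS50072 and AADSTS53004 flagged tentatively as the post describes. The same mapping is useful on the defensive side when reviewing the error codes in Entra sign-in logs for accounts that were sprayed while their MFA registration was still pending; the error bodies in the test are constructed, and the field names in the returned dict are my own.

```python
import json
import re

# Meanings of the AADSTS codes the surveyed tools check, with the post's correction:
# 50079 (UserStrongAuthEnrollmentRequired) means MFA registration is still pending;
# 50072 and 53004 may indicate the same, which the post could not confirm.
AADSTS_MEANINGS = {
    "50126": "invalid password",
    "50128": "invalid tenant",
    "50059": "invalid tenant",
    "50034": "invalid username",
    "50076": "password accepted, MFA in use",
    "50079": "password accepted, MFA registration NOT completed",
    "50072": "password accepted, MFA registration possibly not completed",
    "53004": "password accepted, MFA registration possibly not completed",
    "50158": "password accepted, blocked by Conditional Access",
    "53003": "password accepted, blocked by Conditional Access",
    "50053": "account locked out / Smart Lockout",
    "50057": "account disabled",
    "50055": "password accepted but expired",
}
# Codes that only occur after the password itself was accepted.
PASSWORD_ACCEPTED = {"50076", "50079", "50072", "53004", "50158", "53003", "50055"}
# Codes that point at an MFA enrollment still pending (the post's finding).
MFA_ENROLLMENT_PENDING = {"50079", "50072", "53004"}
AADSTS_RE = re.compile(r"AADSTS(\d+)")

def extract_code(body):
    """Return the AADSTS code from a token-endpoint error body, or None."""
    # Normal shape: JSON with error_description "AADSTSnnnnn: ..."; fall back to raw text.
    try:
        text = json.loads(body).get("error_description", "")
    except (ValueError, AttributeError):
        text = body
    match = AADSTS_RE.search(text)
    return match.group(1) if match else None

def classify(status, body):
    """Same decision the tools make: HTTP 200 is success, otherwise look up the code."""
    if status == 200:
        return {"code": None, "password_accepted": True,
                "mfa_enrollment_pending": False, "meaning": "login succeeded"}
    code = extract_code(body)
    return {
        "code": code,
        "password_accepted": code in PASSWORD_ACCEPTED,
        "mfa_enrollment_pending": code in MFA_ENROLLMENT_PENDING,
        "meaning": AADSTS_MEANINGS.get(code, f"unknown AADSTS code {code}: look it up"),
    }
```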

Just for fun, I decided to go through some of the tools to see the error codes they are using. First, let's look at MSOLSpray and MSOLSpray.py:

AADSTS CODE     Description in code
AADSTS50126     Standard invalid password
AADSTS50128     Invalid Tenant Response
AADSTS50059     Invalid Tenant Response
AADSTS50034     Invalid Username
AADSTS50079     Microsoft MFA in use response
AADSTS50076     Microsoft MFA in use response
AADSTS50158     Conditional Access response
AADSTS50053     Locked out account or Smart Lockout in place
AADSTS50057     Disabled account
AADSTS50055     User password is expired

All of these error messages make sense and are the most likely to hit, in my opinion (except the AADSTS50079 that has changed, of course). Let’s look at some of the other tools and what error codes they choose.

CredMaster has the following:

AADSTS CODE     Description in code
AADSTS50126     Standard invalid password
AADSTS50128     Invalid Tenant Response
AADSTS50059     Invalid Tenant Response
AADSTS50034     Invalid Username
AADSTS50079     Microsoft MFA in use response
AADSTS50076     Microsoft MFA in use response
AADSTS50158     Conditional Access response
AADSTS53003     Conditional Access response
AADSTS530034    Conditional Access response
AADSTS50053     Locked out account or Smart Lockout in place
AADSTS50057     Disabled account
AADSTS50055     User password is expired

As you can see, two additional error messages were added to CredMaster.

Finally, let’s do o365spray.

AADSTS CODE     Description in code
AADSTS50126     Standard invalid password
AADSTS50128     Invalid Tenant Response
AADSTS50059     Invalid Tenant Response
AADSTS50034     Invalid Username
AADSTS50079     Microsoft MFA in use response
AADSTS50076     Microsoft MFA in use response
AADSTS50158     Conditional Access response
AADSTS50053     Locked out account or Smart Lockout in place
AADSTS50057     Disabled account
AADSTS50055     User password is expired
AADSTS500011    Invalid resource name
AADSTS700016    Invalid application client ID
AADSTS53003     Conditional Access response

Compared to MSOLSpray, three additional error codes are present in o365spray.

As you can see, many of the tools do the exact same things in terms of the MFA. However, there are some interesting exceptions. For instance, Oh365UserFinder highlights that MFA is not configured correctly for the AADSTS50079 error.

Go365 has a check for AADSTS53004.

TeamFiltration got the AADSTS50079 error feedback correct as you can see in the image below.

Tool Overview

Here is a table of the number of error codes that have been implemented in the various tools I checked. Fortunately, most of the tools output unknown errors and the error code if it is an unknown error; however, it is up to you as an operator to look them up and make sense of them. Remember that there are actually 302 different AADSTS error codes as of writing this blog post.

Tool                          Error codes implemented
MSOLSpray and MSOLSpray.py    10
CredMaster                    12
o365spray                     13
Go365                         10
TrevorSpray                   15
o365enum                      10
SprayCharles                  10
Oh365UserFinder               11
TeamFiltration                11

Outro and Takeaways

My thought behind this post was to highlight that we, as users of others' tools, need to spend some time to understand what is going on to fully understand everything. It is not always the case that the author of the tools was able to think of all scenarios or even had the correct documentation at hand when writing the tools. This post also shows that we often copy code from each other when writing new tools (I know I do), and sometimes it might be worthwhile to actually do some of the exploring yourself instead of assuming the code you copy handles everything. In this case, most of the tools did not highlight that you could actually onboard MFA, which could lead to access in most cases.

Since I am all for contributing to the community, I went ahead and made a pull request to each tool to fix the issue I found.

CredMaster: https://github.com/knavesec/CredMaster/pull/75

Go365: https://github.com/optiv/Go365/pull/15

MSOLSpray: https://github.com/dafthack/MSOLSpray/pull/13

MSOLSpray.py: https://github.com/MartinIngesen/MSOLSpray/pull/7

O365spray: https://github.com/0xZDH/o365spray/pull/27

Spraycharles: https://github.com/Tw1sm/spraycharles/pull/24

TREVORspray: https://github.com/blacklanternsecurity/TREVORspray/pull/38

One last interesting thing for reference is that you can go to Microsoft Online to look for unknown errors. This site gives you up-to-date error message descriptions and information, and this is very useful when you want to investigate those error messages.

As always, hope you found this post useful and feel free to provide feedback.

Originally published by Oddvar Moe: From Error to Entry: Cracking the Code of Password-Spraying Tools

Copyright notice: posted by admin on 23 March 2024 at 00:08.