ricardojoserf / adfsbrute Goto Github PK

A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks.

Home Page: https://ricardojoserf.github.io/Adfsbrute/

Python 100.00%

adfs active-directory red-team password-spraying bruteforce bruteforce-attacks

adfsbrute's Introduction

adfsbrute

A script to test credentials against Active Directory Federation Services (ADFS), calculating the ADFS url of an organization and allowing password spraying or bruteforce attacks.

The main idea is carrying out password spraying attacks with a random and high delay between each test and using a list of proxies or Tor to make the detection by the Blue Team more difficult. Brute force attacks are also possible, or testing credentials with the format username:password (for example from Pwndb). Tested logins will get stored in a log file to avoid testing them twice.

Usage

./adfsbrute.py -t TARGET [-u USER] [-U USER_LIST] [-p PASSWORD] [-P PASSWORD_LIST] [-UL userpassword_list]
[-m MIN_TIME] [-M MAX_TIME] [-tp TOR_PASSWORD] [-pl PROXY_LIST] [-n NUMBER_OF_REQUESTS_PER_IP]
[-s STOP_ON_SUCCESS] [-r RANDOM_COMBINATIONS] [-d DEBUG] [-l LOG_FILE]

The parameters for the attacks are:

* -t: Target domain. Example: test.com

* -u: Single username. Example: [email protected]

* -U: File with a list of usernames. Example: users.txt

* -p: Single password: Example: Company123

* -P: File with a list of passwords. Example: passwords.txt

* -UP: File with a list of credentials in the format "username:password". Example: userpass.txt

* -m : Minimum value of random seconds to wait between each test. Default: 30

* -M : Maximum value of random seconds to wait between each test. Default: 60

* -tp: Tor password (change IP addresses using Tor)

* -pl: Use a proxy list (change IP addresses using a list of proxy IPs)

* -n: Number of requests before changing IP address (used with -tp or -pl). Default: 1

* -s: Stop on success, when one correct credential is found. Default: False

* -r: Randomize the combination of users and passwords. Default: True

* -d: Show debug messages. Default: True

* -l: Log file location with already tested credentials. Default: tested.txt

Examples

Password spraying with password "Company123", tor password is "test123" and changing the IP every 3 requests:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -n 3

Password spraying with password "Company123", tor password is "test123", changing the IP for every request, random delay time between 10 and 20 seconds and do not randomize the order of users:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -m 10 -M 20 -r False

Finding ADFS url:

python3 adfsbrute.py -t company.com

Using Tor

To use Tor to change the IP for every request, you must hash a password:

tor --hash-password test123

In the file /etc/tor/torrc, uncomment the variable ControlPort and the variable HashedControlPassword, and in this last one add the hash:

ControlPort 9051
HashedControlPassword 16:7F314CAB402A81F860B3EE449B743AEC0DED9F27FA41831737E2F08F87

Restart the tor service and use this password as argument for the script ("-tp test123" or "--tor_password 123")

service tor restart

Note

This script is implemented to test in security audits, DO NOT use without proper authorization from the company owning the ADFS or you will block accounts.

adfsbrute's People

Contributors

Stargazers

Watchers

adfsbrute's Issues

what that mean??

Error. Organization probably does not use Office 365.
[-] Response from login.microsoftonline.com:
{
"IsMicrosoftAccountSet": true,
"Login": "[email protected]",
"MicrosoftAccount": 1,
"NameSpaceType": "Unknown",
"cloud_instance_name": "microsoftonline.com"

Does this script uses ADFS method to spray ADF services or just BasicAuth method?

Hi, can you please tell me does this script uses ADFS method to spray ADF services or just BasicAuth method ?
Thanks

Error Message

Hi,

I am using the following command:
python3 adfsbrute.py -t domain.com.lb -U spraying-list -p 'Password' -m 20 -M 30 -tp test123 -r False
The following error occurred after testing 30 emails approx successfully:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 428, in ssl_wrap_socket
ssl_sock = ssl_wrap_socket_impl(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 472, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.9/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 573, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='***', port=443): Max retries exceeded with url: /adfs/ls/?username=test%40b&wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline&wctx= (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1123)')))

Error message -> seems to be related to change IP functionality

Expected vs Actual Behavior

No error :)

Specifications

Operative system:
Debian -> Kali Linux
Version (e.g. Python version):
$ python3 -V
Python 3.9.8

## Steps to Reproduce the Problem
python3 adfsbrute.py -t domain.com -U users.txt -p Password123 -tp Pass123 -n 5

[+] Changing IP address
Traceback (most recent call last):
File "/opt/tools/misc/adfsbrute/adfsbrute.py", line 253, in
main()
File "/opt/tools/misc/adfsbrute/adfsbrute.py", line 204, in main
new_ip = change_tor_ip(controller, debug)
UnboundLocalError: local variable 'controller' referenced before assignment