-
We can use OSINT to hunt breached creds - this includes going through recent data breaches.
-
Using the information we find from data breaches, we can research further using OSINT techniques.
-
We can also identify employees and emails with the help of email OSINT, social media OSINT, people OSINT, and other techniques.
-
Before going into password-spraying attacks, we need to validate all the email accounts that we have gathered; for instance, email validation can be done in login portals.
-
OSINT can help us find info such as the company's computer architecture or password policy, for example.
-
After identifying all the login portals to attack, we can use an email service such as Outlook to validate the gathered emails.
-
Decide upon common password strats to use - this would also depend on the password policy followed by the organization.
-
Common password strats include using leetspeak, concatenating year/month, using the city name, etc.
-
We also need to know about the account lockout policy before proceeding with password spraying.
-
Attacking Office365:
-
Password spraying in Office365 can involve usage of tools such as TREVORspray; the valid passwords can be used for AD login.
-
Login portals such as that of Office365 make user enumeration easier, that is, we get a prompt if the user email entered is invalid.
-
In certain cases, we won't get a direct prompt indicating user login; instead, we might receive prompts such as
device not in required stateorrequest was blocked due to suspicious activities.
-
-
Attacking OWA (Outlook Web App):
-
We can use frameworks like
Metasploitwhen conducting a password attack against OWA login portal. -
Using modules such as
auxiliary/scanner/http/owa_login, we can configure the options properly and conduct password spraying and/or credential stuffing attack.
-
-
Attacking other portals:
-
We can use tools such as
Burp Suiteto intercept the sign-in request. -
The intercepted request can be then sent to Repeater or Intruder for checking.
-
When we forward the request, we should take a look at the response, check the strings for invalid login, and use the string for identifying incorrect passwords in Intruder.
-
For a valid email, we can use the Sniper attack in Intruder since we want to try multiple passwords for a single email.
-
-
For MFA bypass, we can use tools like MFASweep
-
Based on where our foothold is, we would have to enumerate properly to look for points for privilege escalation.
-
Furthermore, we can check for sensitive info - for instance, the Azure portal may contain user info.
-
Ppassword reuse is also possible when multiple login portals are involved.
-
Key contents of a report include:
- Assessment overview and components
- Scope
- Executive summary
- Technical findings
- Additional scans & reports