ADFSpray - when you need to make your own tools

TL;DR - new tool! ADFSpray

I’ve needed to perform a password spraying attack against a Microsoft resource. I’ve looked online and found various tools that looked promising (like this, this and this, among others.

I was happy to find many options across multiple languages, and I was confident they would save me some time, but to my surprise, none of them worked as I needed (because of the environment I was testing, the tools themselves are working correctly).

So I’ve started investigating the authentication used with Microsoft and came across a few attractive options to perform password spraying against O365:

1. Autodiscover - There is a specific resource of autodiscover (https://autodiscover.[COMPANY].com/autodiscover/autodiscover.xml), which uses NTLM authentication that can be targeted.
2. basic authentication - also, there is a resource (not company-specific) that uses basic authentication that can be targeted.
3. ADFS - ADFS is “Active Directory Federation Services, a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries” (thanks Wikipedia!) Which can also be targeted for password spraying.

Main pro’s - Wide options with different authentication schemes to be tested Main con’s - currently, the tools cannot identify different types of users (enabled or disabled, using MFA, locked, etc.)

So I couldn’t avoid the need for creating the tool I need for the job myself, and I chose python for two main reasons:

1. that’s the language I feel most comfortable with (and I had pieces of code ready from previous tool I’ve wrote
2. I have a specific taste when considering logging. I believe that having timestamps and useful logging is crucial for joint work with your defense team (Blue team), and the best way of having it, is creating it!

So, please go ahead and use this tool to improve security and let me know if it can be improved. ADFSpray

Last, but not least, I would like to point out the main sources that I’ve used during the development of this tool:

• https://github.com/Mr-Un1k0d3r/RedTeamScripts/blob/master/adfs-spray.py
• https://github.com/Mr-Un1k0d3r/RedTeamScripts/raw/master/password-spray.py
• https://danielchronlund.com/2020/03/17/azure-ad-password-spray-attacks-with-powershell-and-how-to-defend-your-tenant/

And as always, if you have any feedback, please let me know.