Federated Office365 user enumeration based on correlated response trend analysis

knavesec/o365fedenum

Performs Office365 user enumeration based on correlated HTTP response analysis, as shown at Way West Hackin' Fest 2022.

Process:

  1. Submit 5 requests for invalid users (random strings) and create a baseline of what indicates an invalid user response
  2. Submit a request for a known valid user (point of contact, etc.)
  3. Compare the response to the invalid responses and determine a baseline for what indicates a valid user response
  4. Submit requests for the test users and compare the responses with the known valid/invalid responses to determine the status of each user

```
python3 o365fedenum.py --testfile unknown_user_list.txt --valid known_valid_username --domain tenant_domain.com --verbose
```

A few notes:

  • This makes an authentication request against each username tested (with a randomly generated password); keep this in mind
  • This appears to be generally consistent across environments, but if not, please let me know. It also works for Managed environments, but there are far better methods of achieving better results without authentication requests
  • The users in the testfile and the valid flag don't need the @domain.com suffix, but may include it. The script checks whether the domain is attached and appends it if it isn't
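
Because every tested username produces a real failed authentication attempt, a run is visible in the identity provider's sign-in records. The following is an added detection example, not part of o365fedenum: it flags a source whose failed sign-ins sweep many distinct accounts in a short window. The CSV layout, sample records, function name and thresholds are all assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the layout (time,source_ip,username,result) is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:00,203.0.113.7,qzxvbnrt@example.com,failure
2024-05-01T10:00:02,203.0.113.7,plkmjnhy@example.com,failure
2024-05-01T10:00:04,203.0.113.7,wertyuio@example.com,failure
2024-05-01T10:00:06,203.0.113.7,zxasqwed@example.com,failure
2024-05-01T10:00:08,203.0.113.7,mnbvcxzl@example.com,failure
2024-05-01T10:00:10,203.0.113.7,helpdesk@example.com,failure
2024-05-01T10:00:12,203.0.113.7,alice@example.com,failure
2024-05-01T10:00:14,203.0.113.7,bob@example.com,failure
2024-05-01T10:01:00,198.51.100.20,carol@example.com,failure
2024-05-01T10:01:20,198.51.100.20,carol@example.com,failure
2024-05-01T10:01:40,198.51.100.20,carol@example.com,failure
2024-05-01T10:02:00,198.51.100.20,carol@example.com,success
2024-05-01T10:03:00,198.51.100.20,dave@example.com,failure
"""

def find_enumeration_sources(log_text, window=timedelta(minutes=10),
                             min_users=6, max_tries=2):
    """Map source IP -> usernames for sources whose failed sign-ins inside one
    window hit at least min_users accounts, each tried at most max_tries times."""
    failures = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 4 and row[3] == "failure":
            failures[row[1]].append((datetime.fromisoformat(row[0]), row[2].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            tries = Counter(user for _, user in events[start:end + 1])
            # Accounts retried many times look like a user mistyping, not a sweep.
            swept = sorted(u for u, n in tries.items() if n <= max_tries)
            if len(swept) >= min_users and len(swept) > len(flagged.get(ip, [])):
                flagged[ip] = swept
    return flagged

if __name__ == "__main__":
    for ip, users in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed sign-ins across {len(users)} accounts -> review")
```

The default `min_users=6` matches the minimum footprint of the process above (five baseline requests plus one known-valid request); tune it and the window to the environment's normal failure rate.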
