Recon Tool: MFASweep
Reading Time: 2 Minutes
MFASweep
MFASweep by dafthack,is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled, that can be used in your assessment by the Red Team. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected.
Currently MFASweep has the ability to login to the following services:
- Microsoft Graph API
- Azure Service Management API
- Microsoft 365 Exchange Web Services
- Microsoft 365 Web Portal w/ 6 device types (Windows, Linux, MacOS, Android Phone, iPhone, Windows Phone)
- Microsoft 365 Active Sync
- ADFS
See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course
WARNING: This script attempts to login to the provided account TEN (10) different times (11 if you include ADFS). If you entered an incorrect password this may lock the account out.
For more information check out the blog post here: Exploiting MFA Inconsistencies on Microsoft Services
Trending: Offensive Security Tool: Pycrypt
Trending: Digital Forensics Tool: Email Analyzer
Usage
This command will use the provided credentials and attempt to authenticate to the Microsoft Graph API, Azure Service Management API, Microsoft 365 Exchange Web Services, Microsoft 365 Web Portal with both a desktop browser and mobile, and Microsoft 365 Active Sync.
Invoke-MFASweep -Username [email protected] -Password Winter2020
This command runs with the default auth methods and checks for ADFS as well.
Invoke-MFASweep -Username [email protected] -Password Winter2020 -Recon -IncludeADFS
See Also: Write-up: Exploiting LFI Vulnerabilities
Individual Modules
Individual Modules
Microsoft Graph API
Invoke-GraphAPIAuth -Username [email protected] -Password Winter2020
Azure Service Management API
Invoke-AzureManagementAPIAuth -Username [email protected] -Password Winter2020
Microsoft 365 Exchange Web Services
Invoke-EWSAuth -Username [email protected] -Password Winter2020
Microsoft 365 Web Portal
Invoke-O365WebPortalAuth -Username [email protected] -Password Winter2020
Microsoft 365 Web Portal w/ Mobile User Agent
Invoke-O365WebPortalAuthMobile -Username [email protected] -Password Winter2020
Microsoft 365 Active Sync
Invoke-O365ActiveSyncAuth -Username [email protected] -Password Winter2020
ADFS
Invoke-ADFSAuth -Username [email protected] -Password Winter2020
Clone the repo from here: GitHub Link
Recent Tools
Offensive Security Tool: emp3r0r
emp3r0r is a post-exploitation framework designed for both Linux and …Blue Team Tool: Ghostport
Ghostport is a sophisticated port spoofing tool designed to confuse …Red Teaming Tool: avred
Avred is a tool designed for Red Teamers to identify …Recon Tool: emailFinder
emailFinder is a web scraping tool that extracts email addresses …
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
