Offensive Security Tool: o365sprayer
Description
o365sprayer, by securebinary, is a tool for enumerating accounts and spraying passwords against Office 365 tenants on both Managed and Federated AD (Active Directory) setups. It can distinguish between Managed O365 and Federated Microsoft Office 365 accounts for a target domain.
It can help during security assessments by testing Microsoft Office 365 environments for security vulnerabilities or misconfigurations.
Features
Here are some of its capabilities:
- Enumerates emails for valid O365 accounts
- Sprays passwords to check for valid credentials
- Set a custom delay between each request
- Set the number of attempts that triggers an account lockout
- Set a cool-down time to wait after an account lockout
- Set the maximum number of account lockouts to tolerate while spraying
Because parameters such as the delay between requests, the lockout threshold and the cool-down time are configurable, the spraying can be paced to stay under the account-lockout policies that are designed to stop brute-forcing, so those policies alone do not stop it.
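As an added example (not part of the original post or of the tool itself), here is the defender's-side check for the pattern the paragraph describes: a single source failing against many distinct accounts while staying under the per-account lockout threshold, which a lockout policy by itself never sees. The log format and the sample sign-in lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not from any real tenant):
# "<ISO timestamp> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 198.51.100.7 alice@example.com FAIL
2024-05-01T09:00:31 198.51.100.7 bob@example.com FAIL
2024-05-01T09:01:02 198.51.100.7 carol@example.com FAIL
2024-05-01T09:01:33 198.51.100.7 dave@example.com FAIL
2024-05-01T09:02:04 198.51.100.7 erin@example.com FAIL
2024-05-01T09:02:35 198.51.100.7 frank@example.com SUCCESS
2024-05-01T09:03:00 203.0.113.5 alice@example.com FAIL
2024-05-01T09:03:10 203.0.113.5 alice@example.com FAIL
2024-05-01T09:03:20 203.0.113.5 alice@example.com SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout=10):
    """Return {source_ip: sorted target users} for every source that failed
    against at least `min_users` distinct accounts inside `window` while no
    single account reached `lockout` failures. Slow spraying is caught
    because the check keys on distinct accounts per source, not on the
    per-account failure count that the lockout policy watches."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                alerts[ip] = sorted(per_user)
                break
    return alerts
```

Only the first source is reported: it touched five accounts with one failure each, whereas the second source repeatedly failed on one account and would be handled by the lockout policy instead.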
Installation
O365 Sprayer was built with go1.18.4. Make sure you have a current Go toolchain installed, then run the following command to install the latest version:
go install -v github.com/securebinary/o365sprayer@latest
Usage
This will display help for the CLI tool. Here are all the required arguments it supports.
Clone the repo from here: GitHub Link