{"id":13788205,"url":"https://github.com/0xZDH/o365spray","last_synced_at":"2025-05-12T02:33:03.097Z","repository":{"id":47454513,"uuid":"201070410","full_name":"0xZDH/o365spray","owner":"0xZDH","description":"Username enumeration and password spraying tool aimed at Microsoft O365.","archived":false,"fork":false,"pushed_at":"2024-11-06T00:49:23.000Z","size":355,"stargazers_count":767,"open_issues_count":5,"forks_count":96,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-11-18T02:37:05.098Z","etag":null,"topics":["enumeration","password-spray","pentest","pentesting-tools","python","python3","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xZDH.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-07T14:47:45.000Z","updated_at":"2024-11-16T18:36:04.000Z","dependencies_parsed_at":"2024-01-07T03:50:27.779Z","dependency_job_id":"7e23ae54-5d68-47a7-b850-555a5de93dcf","html_url":"https://github.com/0xZDH/o365spray","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xZDH%2Fo365spray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xZDH%2Fo365spray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xZDH%2Fo365spray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xZDH%2Fo365spray/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xZDH","download_url":"https://codeload.github.com/0xZDH/o365spray/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253662780,"owners_count":21944128,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["enumeration","password-spray","pentest","pentesting-tools","python","python3","security","security-tools"],"created_at":"2024-08-03T21:00:39.144Z","updated_at":"2025-05-12T02:33:02.783Z","avatar_url":"https://github.com/0xZDH.png","language":"Python","funding_links":[],"categories":["Operating Systems","Tools","Python"],"sub_categories":["Windows","Exploitation"],"readme":"# o365spray\n\no365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365). This tool reimplements a collection of enumeration and spray techniques researched and identified by those mentioned in [Acknowledgments](#Acknowledgments).\n\n\u003e For educational, authorized and/or research purposes only.\n\n\u003e WARNING: The Autologon, oAuth2, and RST user enumeration modules work by submitting a single authentication attempt per user. If the modules are run in conjunction with password spraying in a single execution, o365spray will automatically reset the lockout timer prior to performing the password spray -- if enumeration is run alone, the user should be aware of how many and when each authentication attempt was made and manually reset the lockout timer before performing any password spraying.\n\n# Table of Contents\n\n- [Usage](#usage)\n- [Modules](#modules)\n  - [Validation](#validation)\n  - [Enumeration](#enumeration)\n  - [Spraying](#spraying)\n- [FireProx URLs](#fireprox-base-urls)\n  - [Enumeration](#enumeration-1)\n  - [Spraying](#spraying-1)\n- [User Agent Randomization](#user-agent-randomization)\n- [Acknowledgments](#acknowledgments)\n- [Bugs](#bugs)\n- [Previous Versions](#using-previous-versions)\n\n## Usage\n\n\u003ch2 align=\"center\"\u003e\n  \u003cimg src=\"static/o365spray_validate.png\" alt=\"o365spray\" width=\"90%\"\u003e\n  \u003cbr\u003e\n\u003c/h2\u003e\n\nValidate a domain is using O365:\u003cbr\u003e\n`o365spray --validate --domain test.com`\n\nPerform username enumeration against a given domain:\u003cbr\u003e\n`o365spray --enum -U usernames.txt --domain test.com`\n\nPerform password spraying against a given domain:\u003cbr\u003e\n`o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com`\n\n```\nusage: o365spray [flags]\n\no365spray | Microsoft O365 User Enumerator and Password Sprayer -- v3.0.4\n\noptions:\n  -h, --help            show this help message and exit\n\nTarget:\n  -d DOMAIN, --domain DOMAIN\n                        Target domain for validation, user enumeration, and/or\n                        password spraying.\n\nActions:\n  --validate            Run domain validation only.\n\n  --enum                Run username enumeration.\n\n  --spray               Run password spraying.\n\nCredentials:\n  -u USERNAME, --username USERNAME\n                        Username(s) delimited using commas.\n\n  -p PASSWORD, --password PASSWORD\n                        Password(s) delimited using commas.\n\n  -U USERFILE, --userfile USERFILE\n                        File containing list of usernames.\n\n  -P PASSFILE, --passfile PASSFILE\n                        File containing list of passwords.\n\n  --paired PAIRED       File containing list of credentials in username:password\n                        format.\n\nPassword Spraying Configuration:\n  -c COUNT, --count COUNT\n                        Number of password attempts to run per user before resetting\n                        the lockout account timer.\n                        Default: 1\n\n  -l LOCKOUT, --lockout LOCKOUT\n                        Lockout policy's reset time (in minutes).\n                        Default: 15 minutes\n\nModule Configuration:\n  --validate-module VALIDATE_MODULE\n                        Specify which valiadtion module to run.\n                        Default: getuserrealm\n\n  --enum-module ENUM_MODULE\n                        Specify which enumeration module to run.\n                        Default: office\n\n  --spray-module SPRAY_MODULE\n                        Specify which password spraying module to run.\n                        Default: oauth2\n\n  --adfs-url ADFS_URL   AuthURL of the target domain's ADFS login page for password\n                        spraying.\n\nScan Configuration:\n  --sleep [-1, 0-120]   Throttle HTTP requests every `N` seconds. This can be randomized\n                        by passing the value `-1` (between 1 sec and 2 mins).\n                        Default: 0\n\n  --jitter [0-100]      Jitter extends --sleep period by percentage given (0-100).\n                        Default: 0\n\n  --rate RATE           Number of concurrent connections (attempts) during\n                        enumeration and spraying.\n                        Default: 10\n\n  --poolsize POOLSIZE   Maximum size of the ThreadPoolExecutor.\n                        Default: 10000\n\n  --safe SAFE           Terminate password spraying run if `N` locked accounts\n                        are observed.\n                        Default: 10\n\nHTTP Configuration:\n  --useragents USERAGENTS\n                        File containing list of user agents for randomization.\n\n  --timeout TIMEOUT     HTTP request timeout in seconds. Default: 25\n\n  --proxy PROXY         HTTP/S proxy to pass traffic through\n                        (e.g. http://127.0.0.1:8080).\n\n  --proxy-url PROXY_URL\n                        FireProx API URL.\n\nOutput Configuration:\n  --output OUTPUT       Output directory for results and test case files.\n                        Default: current directory\n\nDebug:\n  -v, --version         Print the tool version.\n\n  --debug               Enable debug output.\n```\n\n## Modules\n\n### Validation\n* getuserrealm (default)\n\n### Enumeration\n* autologon\n* oauth2 (default)\n* office\n* onedrive\n* rst\n\n\u003e The onedrive module relies on the target user(s) having previously logged into OneDrive. If a valid user has not yet used OneDrive, their account will show as 'invalid'.\n\n### Spraying\n* activesync\n* adfs\n* autodiscover\n* autologon\n* oauth2 (default)\n* reporting\n* rst\n\n\u003e The oAuth2 module can be used for federated spraying, but it should be noted that this will ONLY work when the target tenant has enabled password synchronization - otherwise authentication will always fail. The default mechanic is to default to the 'adfs' module when federation is identified.\n\n## FireProx Base URLs\n\nMicrosoft has made it more difficult to perform password spraying, so using tools like [FireProx](https://github.com/ustayready/fireprox) help to bypass rate-limiting based on IP addresses.\n\nTo use FireProx with o365spray, create a proxy URL for the given o365spray module based on the base URL tables below. The proxy URL can then be passed in via `--proxy-url`.\n\n\u003e NOTE: Make sure to use the correct `--enum-module` or `--spray-module` flag with the base URL used to create the FireProx URL.\n\n### Enumeration\n\n\u003e The 'tenant' value in the OneDrive URL is the domain name value that is provided via the `--domain` flag.\n\n| Module       | Base URL |\n| ---          | ---      |\n| autodiscover | `https://outlook.office365.com/` |\n| autologon    | `https://autologon.microsoftazuread-sso.com/` |\n| oauth2       | `https://login.microsoftonline.com/` |\n| office       | `https://login.microsoftonline.com/` |\n| rst          | `https://login.microsoftonline.com/` |\n| onedrive     | `https://\u003ctenant\u003e-my.sharepoint.com/` |\n\n### Spraying\n\n| Module       | Base URL |\n| ---          | ---      |\n| activesync   | `https://outlook.office365.com/` |\n| adfs         | Currently not implemented |\n| autodiscover | `https://autodiscover-s.outlook.com/` |\n| autologon    | `https://autologon.microsoftazuread-sso.com/` |\n| oauth2       | `https://login.microsoftonline.com/` |\n| reporting    | `https://reports.office365.com/` |\n| rst          | `https://login.microsoftonline.com/` |\n\n## User Agent Randomization\n\nUser-Agent randomization is now supported and can be accomplished by providing a User-Agent file to the `--useragents` flag. o365spray includes an example file with 4,800+ agents via [resc/user-agents.txt](resc/user-agents.txt).\n\nThe agents in the example data set were collected from the following:\n- https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/user-agents.txt\n- https://www.useragentstring.com/pages/useragentstring.php?name=\u003cbrowser\u003e\n\n## Omnispray\n\nThe o365spray framework has been ported to a new tool: [Omnispray](https://github.com/0xZDH/Omnispray). This tool is meant to modularize the original enumeration and spraying framework to allow for generic targeting, not just O365. Omnispray includes template modules for enumeration and spraying that can be modified and leveraged for any target.\n\n## Acknowledgments\n\n| Author | Tool/Research | Link |\n| ---    | ---           | ---  |\n| [gremwell](https://github.com/gremwell) | o365enum: User enumeration via [office.com](#) without authentication | [o365enum](https://github.com/gremwell/o365enum) |\n| [grimhacker](https://bitbucket.org/grimhacker) | office365userenum: ActiveSync user enumeration research and discovery. | [office365userenum](https://bitbucket.org/grimhacker/office365userenum/src/master/) / [blog post](https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/) |\n| [Raikia](https://github.com/Raikia) | UhOh365: User enumeration via Autodiscover without authentication. | [UhOh365](https://github.com/Raikia/UhOh365) |\n| [dafthack](https://github.com/dafthack) | MSOLSpray: Password spraying via MSOL | [MSOLSpray](https://github.com/dafthack/MSOLSpray) |\n| [byt3bl33d3r](https://github.com/byt3bl33d3r) | MSOLSpray: Python reimplementation | [Gist](https://gist.github.com/byt3bl33d3r/19a48fff8fdc34cc1dd1f1d2807e1b7f) |\n| [nyxgeek](https://github.com/nyxgeek) | onedrive_user_enum: OneDrive user enumeration | [onedrive_user_enum](https://github.com/nyxgeek/onedrive_user_enum) / [blog post](https://www.trustedsec.com/blog/achieving-passive-user-enumeration-with-onedrive/) |\n| [Mr-Un1k0d3r](https://github.com/Mr-Un1k0d3r) | adfs-spray: ADFS password spraying | [adfs-spray](https://github.com/Mr-Un1k0d3r/RedTeamScripts/blob/master/adfs-spray.py) |\n| [Nestori Syynimaa](https://github.com/NestoriSyynimaa) | AADInternals: oAuth2 and autologon modules | [AADInternals](https://github.com/Gerenios/AADInternals) |\n| [Daniel Chronlund](https://danielchronlund.com/) / [xFreed0m](https://github.com/xFreed0m) | Invoke-AzureAdPasswordSprayAttack / ADFSpray: Office 365 reporting API password spraying | [Invoke-AzureAdPasswordSprayAttack](https://danielchronlund.com/2020/03/17/azure-ad-password-spray-attacks-with-powershell-and-how-to-defend-your-tenant/) / [ADFSpray](https://github.com/xFreed0m/ADFSpray) |\n| [Optiv](https://github.com/optiv) (Several Authors) | Go365: RST user enumeration and password spraying module | [Go365](https://github.com/optiv/Go365) |\n| [byt3bl33d3r](https://github.com/byt3bl33d3r) | SprayingToolkit: Code references | [SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit/) |\n| [sensepost](https://github.com/sensepost) | ruler: Code references | [Ruler](https://github.com/sensepost/ruler/) |\n\n## Bugs\n\nIf any bugs/errors are encountered, please open an Issue with the details (or a Pull Request with the proposed fix). See the [section below](#using-previous-versions) for more information about using previous versions.\n\n## Using Previous Versions\n\nIf issues are encountered, try checking out previous versions prior to code rewrites:\n\n```bash\n# v1.3.7\ngit checkout e235abdcebad61dbd2cde80974aca21ddb188704\n\n# v2.0.4\ngit checkout a585432f269a8f527d61f064822bb08880c887ef\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xZDH%2Fo365spray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xZDH%2Fo365spray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xZDH%2Fo365spray/lists"}