{"id":13623487,"url":"https://github.com/dafthack/MFASweep","last_synced_at":"2025-04-15T14:33:17.286Z","repository":{"id":37459523,"uuid":"297707131","full_name":"dafthack/MFASweep","owner":"dafthack","description":"A tool for checking if MFA is enabled on multiple Microsoft Services","archived":false,"fork":false,"pushed_at":"2024-09-24T21:28:26.000Z","size":1394,"stargazers_count":1368,"open_issues_count":15,"forks_count":186,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-10-29T15:40:11.159Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dafthack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-22T16:25:03.000Z","updated_at":"2024-10-28T18:14:18.000Z","dependencies_parsed_at":"2023-02-16T23:40:23.565Z","dependency_job_id":"62e66a5a-3f0e-4fa0-8a49-7151b21d1e97","html_url":"https://github.com/dafthack/MFASweep","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dafthack%2FMFASweep","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dafthack%2FMFASweep/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dafthack%2FMFASweep/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dafthack%2FMFASweep/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dafthack","download_url":"https://codeload.github.com/dafthack/MFASweep/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223677653,"owners_count":17184519,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:01:32.333Z","updated_at":"2025-04-15T14:33:17.277Z","avatar_url":"https://github.com/dafthack.png","language":"PowerShell","funding_links":[],"categories":["PowerShell","Credential Abuse","0x02 工具 :hammer_and_wrench:","Tools"],"sub_categories":["Spraying Tools","1 云服务工具","Exploitation"],"readme":"# MFASweep\nMFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor.  It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. \n\nCurrently MFASweep has the ability to login to the following services:\n\n* Microsoft Graph API\n* Azure Service Management API\n* Microsoft 365 Exchange Web Services\n* Microsoft 365 Web Portal w/ 6 device types (Windows, Linux, MacOS, Android Phone, iPhone, Windows Phone)\n* Microsoft 365 Active Sync\n* ADFS\n\n**WARNING: This script attempts to login to the provided account TEN (10) different times (11 if you include ADFS). If you entered an incorrect password this may lock the account out.**\n\nFor more information check out the blog post here: [Exploiting MFA Inconsistencies on Microsoft Services](https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/) \n\n![MFASweep Example](/example.jpg?raw=true)\n\n![Single Factor Access Results Example](https://user-images.githubusercontent.com/2296229/204374571-0b299177-a5ab-4e05-a313-d9fe5151d1d6.png)\n\n## Usage\n\nThis command will use the provided credentials and attempt to authenticate to the Microsoft Graph API, Azure Service Management API, Microsoft 365 Exchange Web Services, Microsoft 365 Web Portal with both a desktop browser and mobile, and Microsoft 365 Active Sync. If any authentication methods result in success, tokens and/or cookies will be written to AccessTokens.json. (Currently does not log cookies or tokens for EWS, ActiveSync, and ADFS)\n\n```PowerShell\nInvoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2024 -WriteTokens \n```\n\nThis command runs with the default auth methods and checks for ADFS as well.\n\n```PowerShell\nInvoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS\n```\n\n## Individual Modules\n\nEach individual module can be run separately if needed as well.\n\n**Microsoft Graph API**\n```PowerShell\nInvoke-GraphAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**Azure Service Management API**\n```PowerShell\nInvoke-AzureManagementAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**Microsoft 365 Exchange Web Services**\n```PowerShell\nInvoke-EWSAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**Microsoft 365 Web Portal**\n```PowerShell\nInvoke-O365WebPortalAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**Microsoft 365 Web Portal w/ Mobile User Agent**\n```PowerShell\nInvoke-O365WebPortalAuthMobile -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**Microsoft 365 Active Sync**\n```PowerShell\nInvoke-O365ActiveSyncAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n\n**ADFS**\n```PowerShell\nInvoke-ADFSAuth -Username targetuser@targetdomain.com -Password Winter2020 \n```\n### Brute Forcing Client IDs During ROPC Auth\nThe Invoke-BruteClientIDs function will loop through various resource types and client IDs during ROPC auth to find single factor access for various combinations of client IDs and resources. If any authentication methods result in success, tokens and/or cookies will be written to AccessTokens.json. (Currently does not log cookies or tokens for EWS, ActiveSync, and ADFS)\n\n```PowerShell\nInvoke-BruteClientIDs -Username targetuser@targetdomain.com -Password Winter2024 -VerboseOut\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdafthack%2FMFASweep","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdafthack%2FMFASweep","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdafthack%2FMFASweep/lists"}