SSOh-No - User Enumeration And Password Spraying Tool For Testing Azure AD
KitPloit - PenTest Tools! www.kitploit.com
This tool is designed to enumerate users, password spray and perform brute-force attacks against any organisation that utilises Azure AD or O365.
Generally, the endpoint the tool targets provides extremely verbose errors, which can be leveraged to enumerate users and validate their passwords via brute-force or spraying attacks, while also failing to log any failed authentication attempts.
This tool is a weaponised version of a PoC demonstrated in the Ars Technica research article, which discusses the techniques utilised to exploit the endpoint.
This endpoint …