Kali Linux

SSOh-No : User Enumeration And Password Spraying Tool For Testing Azure AD

SSOh-No is designed to enumerate users, password spray and perform brute force attacks against any organisation that utilises Azure AD or O365.

Generally, this endpoint provides extremely verbose errors which can be leveraged to enumerate users and validate their passwords via brute force/spraying attacks, while also failing to log any failed authentication attempts.

This tool is a weaponised version of a PoC demonstrated in the arstechnica research article which discusses the techniques utilised to exploit the endpoint.

This endpoint is known to Microsoft however, in typical fashion it has been branded a feature, not a bug.

This endpoint does enforce “smart locking” which can be bypassed by rotating IP.

Why Is This Unique?

The SSO Autologon endpoint does not contain logging of any sort bar potentially updating the users “Last Logon” time.

The following have been tested and contain no logs:

  • AzureAD
  • Sentinel
  • Defender for Identity (Formerly Advanced Thread Protection)
  • Defender for Cloud Apps

Usage

$ ./SSOh-No -h
usage: SSOh-No [-h|–help] [-e|–email “”] [-p|–password “”]
[-U|–userlist “”] [-o|–outfile “”]
Enumerate and abuse a sub-par Azure SSO endpoint.
Arguments:
-h –help Print help information
-e –email Email address to query. Example: user@domain.com
-p –password Password to spray. Example: Password123!
-U –userlist Specify userlist to enumerate
-o –outfile Specify outfile. Example: validated.txt

Upcoming Features

  • Proxy Implementation to bypass smart lock
  • Password brute force from password lists (single user- No plans for password list brute force against a userlist)
R K

Recent Posts

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

8 minutes ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

14 hours ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

15 hours ago

What is SIEM? Complete Guide to Security Information and Event Management

Introduction As cyber threats grow more sophisticated, organizations need more than just firewalls and antivirus…

1 day ago

Website OSINT: Tools and Techniques for Reconnaissance

Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…

2 days ago

Top OSINT Tools to Find Emails, Usernames and Passwords

Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…

2 days ago