SSOh-No is designed to enumerate users, password spray and perform brute force attacks against any organisation that utilises Azure AD or O365.
Generally, this endpoint provides extremely verbose errors which can be leveraged to enumerate users and validate their passwords via brute force/spraying attacks, while also failing to log any failed authentication attempts.
This tool is a weaponised version of a PoC demonstrated in the arstechnica research article which discusses the techniques utilised to exploit the endpoint.
This endpoint is known to Microsoft however, in typical fashion it has been branded a feature, not a bug.
This endpoint does enforce “smart locking” which can be bypassed by rotating IP.
The SSO Autologon endpoint does not contain logging of any sort bar potentially updating the users “Last Logon” time.
The following have been tested and contain no logs:
$ ./SSOh-No -h
usage: SSOh-No [-h|–help] [-e|–email “”] [-p|–password “”]
[-U|–userlist “”] [-o|–outfile “”]
Enumerate and abuse a sub-par Azure SSO endpoint.
Arguments:
-h –help Print help information
-e –email Email address to query. Example: user@domain.com
-p –password Password to spray. Example: Password123!
-U –userlist Specify userlist to enumerate
-o –outfile Specify outfile. Example: validated.txt
Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…
Google Chrome is the most widely used web browser in the world. It is fast, secure,…
Java is one of the most widely used programming languages in the world. It runs on…
Raspberry Pi is the most popular single-board computer ever made. It is small, affordable, and surprisingly…
pip is Python's package manager. It lets you search, download, and install packages from the Python Package…
MySQL is the most popular open-source relational database management system. It is fast, reliable, and a…