TREVORspray – A Featureful Round-Robin SOCKS Proxy And Python O365 Sprayer Based On MSOLSpray Which Uses The Microsoft Graph API

TREVORspray 2

TREVORproxy is a SOCKS proxy that round-robins requests through SSH hosts. TREVORspray is a A featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API

By @thetechr0mancer

Microsoft is getting better and better about blocking password spraying attacks against O365. TREVORspray can solve this by proxying its requests through an unlimited number of --ssh hosts. No weird dependencies or cumbersome setup required – all you need is a cloud VM with port 22 open.

CREDIT WHERE CREDIT IS DUE – MANY THANKS TO:

  • @dafthack for writing MSOLSpray
  • @Mrtn9 for his Python port of MSOLSpray
  • @KnappySqwurl for being a splunk wizard and showing me how heckin loud I was being 🙂

Features

  • Tells you the status of each account: if it exists, is locked, has MFA enabled, etc.
  • Automatic cancel/resume (attempted user/pass combos are remembered in ./logs/tried_logins.txt)
  • Round-robin proxy through multiple IPs using only vanilla --ssh
  • Automatic infinite reconnect/retry if a proxy goes down (or if you lose internet)
  • Spoofs User-Agent and client_id to look like legitimate auth traffic
  • Logs everything to ./logs/trevorspray.log
  • Saves valid usernames to ./logs/valid_usernames.txt
  • Optional --delay between request to bypass M$ lockout countermeasures

Installation:

$ git clone https://github.com/blacklanternsecurity/trevorspray
$ cd trevorspray
$ pip install -r requirements.txt

Example: Spray O365 with 5-second delay between requests

$ trevorspray.py -e [email protected] -p Fall2020! --delay 5

Example: Spray O365 and round-robin between 3 IPs (the current IP is used as well.)

$ trevorspray.py -e emails.txt -p Fall2020! --ssh [email protected] [email protected]

TREVORspray – Help:

traffic through SSH hosts optional arguments: -h, –help show this help message and exit -e EMAILS [EMAILS …], –emails EMAILS [EMAILS …] Emails(s) and/or file(s) filled with emails -p PASSWORDS [PASSWORDS …], –passwords PASSWORDS [PASSWORDS …] Password(s) that will be used to perform the password spray -f, –force Forces the spray to continue and not stop when multiple account lockouts are detected -d DELAY, –delay DELAY Sleep for this many seconds between requests -u URL, –url URL The URL to spray against (default is https://login.microsoft.com) -v, –verbose Show which proxy is being used for each request -s SSH [SSH …], –ssh SSH [SSH …] Round-robin load-balance through these SSH hosts (user@host) NOTE: Current IP address is also used once per round -k KEY, –key KEY Use this SSH key when connecting to proxy hosts -b BASE_PORT, –base-port BASE_PORT Base listening port to use for SOCKS proxies -n, –no-current-ip Don’t spray from the current IP, only use SSH proxies “>

$ ./trevorspray.py --help
usage: trevorspray.py [-h] -e EMAILS [EMAILS ...] -p PASSWORDS [PASSWORDS ...] [-f] [-d DELAY] [-u URL] [-v] [-s SSH [SSH ...]] [-k KEY] [-b BASE_PORT] [-n]

Execute password sprays against O365, optionally proxying the traffic through SSH hosts

optional arguments:
-h, --help show this help message and exit
-e EMAILS [EMAILS ...], --emails EMAILS [EMAILS ...]
Emails(s) and/or file(s) filled with emails
-p PASSWORDS [PASSWORDS ...], --passwords PASSWORDS [PASSWORDS ...]
Password(s) that will be used to perform the password spray
-f, --force Forces the spray to continue and not stop when multiple account lockouts are detected
-d DELAY, --delay DELAY
Sleep for this many seconds between requests
-u URL, --url URL The URL to spray against (default is https://login.microsoft.com)
-v, --verbose Show which proxy is being used for each request
-s SSH [SSH ...], --ssh SSH [SSH ...]
Round-robin load-balance through these SSH hosts (user@host) NOTE: Current IP address is also used once per round
-k KEY, --key KEY Use this SSH key when connecting to proxy hosts
-b BASE_PORT, --base-port BASE_PORT
Base listening port to use for SOCKS proxies
-n, --no-current-ip Don't spray from the current IP, only use SSH proxies

Known Limitations:

  • Untested on Windows
  • Currently only works against the M$ Graph API

TREVORproxy – Help:

debugging info -k KEY, –key KEY Use this SSH key when connecting to proxy hosts –base-port BASE_PORT Base listening port to use for SOCKS proxies “>

$ ./trevorproxy.py --help
usage: trevorproxy.py [-h] [-p PORT] [-l LISTEN_ADDRESS] [-v] [-k KEY] [--base-port BASE_PORT] ssh_hosts [ssh_hosts ...]

Spawns a SOCKS server which round-robins requests through the specified SSH hosts

positional arguments:
ssh_hosts Round-robin load-balance through these SSH hosts (user@host)

optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT Port for SOCKS server to listen on (default: 1080)
-l LISTEN_ADDRESS, --listen-address LISTEN_ADDRESS
Listen address for SOCKS server (default: 127.0.0.1)
-v, --verbose Print extra debugging info
-k KEY, --key KEY Use this SSH key when connecting to proxy hosts
--base-port BASE_PORT
Base listening port to use for SOCKS proxies
Download TREVORspray

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source