Add O365 authentication plugin #99

Open
altjx wants to merge 1 commit into knavesec:master from altjx:feature/o365-plugin

@altjx altjx commented Dec 4, 2025

Summary

This PR adds a new o365 plugin for authenticating against Microsoft Office 365 using OAuth2. The implementation is based on the authentication logic from o365spray, adapted to CredMaster's plugin architecture.

Background

The original O365 plugin was deprecated and removed from CredMaster. This implementation brings back O365 support using the OAuth2 method from o365spray. The authentication functionality has been tested and confirmed working.

o365spray Authentication Methods

o365spray supports 6 different authentication methods:

| Method | Endpoint | Description |
|---|---|---|
| oauth2 | login.microsoftonline.com/common/oauth2/token | OAuth2 password grant flow |
| activesync | outlook.office365.com/Microsoft-Server-ActiveSync | HTTP Basic Auth via ActiveSync |
| autodiscover | autodiscover-s.outlook.com/autodiscover/autodiscover.xml | HTTP Basic Auth via Autodiscover |
| adfs | Dynamic (from GetUserRealm) | Form-based auth for federated domains |
| autologon | autologon.microsoftazuread-sso.com | Azure AD Seamless SSO |
| rst | login.microsoftonline.com/rst2.srf | SOAP/WS-Trust based auth |

This PR implements the OAuth2 method, which is the most reliable and commonly used approach for managed (non-federated) O365 tenants.

Implementation Details

The plugin includes:

  • 17 Microsoft client IDs for rotation (vs 7 in the old msol plugin)
  • 13 AADSTS error codes with proper classification
  • 8 "valid credential" codes that indicate successful auth blocked by MFA/CAP/etc.
  • Random scope and resource selection per request for evasion
  • Proper timeout and connection error handling

AADSTS Error Handling

| Code | Classification | Meaning |
|---|---|---|
| AADSTS50126 | Failure | Invalid credentials |
| AADSTS50034 | Failure | User not found |
| AADSTS50053 | Potential | Account locked |
| AADSTS50076/50079 | Success | Valid creds, MFA required |
| AADSTS50158 | Success | Valid creds, Conditional Access (DUO, etc.) |
| AADSTS53003 | Success | Valid creds, blocked by CAP |
| AADSTS50055 | Success | Valid creds, password expired |
| AADSTS50057 | Success | Valid creds, account disabled |

Usage

python3 credmaster.py --plugin o365 -u users.txt -p passwords.txt --profile_name myprofile

Implements a new O365 authentication plugin ported from o365spray that provides
improved OAuth2 authentication against Microsoft O365 services.

Features:
- OAuth2-based authentication using Microsoft's common endpoint
- Support for multiple legitimate Microsoft client IDs (17 different apps)
- Randomized scope selection to evade detection
- Comprehensive AADSTS error code handling (13 different codes)
- Proper distinction between valid credentials with MFA/CAP vs invalid creds
- FireProx integration with spoofed headers for IP rotation
- User enumeration capability through error code analysis

The plugin includes:
- __init__.py: Plugin validation and connectivity testing
- o365.py: Core authentication logic with o365_authenticate() function

This implementation follows the CredMaster plugin architecture and integrates
with the existing utils module for header spoofing and FireProx support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
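
For defenders, the AADSTS codes in the table above are the same error codes that show up on the tenant's sign-in records. The following is an added example, not part of this PR or of CredMaster: it groups constructed sign-in records by time window instead of by source IP and lists accounts whose password was accepted but stopped by MFA or Conditional Access. The record fields (`time`, `user`, `ip`, `app_id`, `code`), the placeholder app IDs and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Code groupings follow the PR's AADSTS table.
FAILED = {"50126", "50034", "50053"}   # bad password, unknown user, locked
PASSWORD_OK = {"50076", "50079", "50158", "53003", "50055", "50057"}

def find_spray_windows(events, window=timedelta(minutes=10), min_users=5):
    """Flag time windows in which many distinct users fail authentication.

    Grouping is by time only: with rotating source IPs and client IDs,
    per-IP or per-app counters can stay under any threshold.
    """
    buckets = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["time"])   # naive timestamps assumed
        buckets[ts - (ts - datetime.min) % window].append(e)
    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        failed = {e["user"] for e in evs if e["code"] in FAILED}
        if len(failed) < min_users:
            continue
        findings.append({
            "window_start": start.isoformat(),
            "failed_users": len(failed),
            "source_ips": len({e["ip"] for e in evs}),
            "app_ids": len({e["app_id"] for e in evs}),
            # Candidates for a reset: correct password, stopped by a later
            # control. Routine MFA prompts can log the same codes.
            "password_likely_known": sorted(
                {e["user"] for e in evs if e["code"] in PASSWORD_OK}),
        })
    return findings

# Constructed sample records; field names and app IDs are placeholders.
SAMPLE = [
    {"time": f"2025-12-04T10:0{i}:00", "user": f"user{i}@example.com",
     "ip": f"203.0.113.{i + 10}", "app_id": f"app-{i % 3}", "code": "50126"}
    for i in range(6)
] + [
    {"time": "2025-12-04T10:07:00", "user": "grace@example.com",
     "ip": "203.0.113.99", "app_id": "app-1", "code": "50076"},
    {"time": "2025-12-04T11:30:00", "user": "heidi@example.com",
     "ip": "198.51.100.4", "app_id": "app-0", "code": "50126"},
]

if __name__ == "__main__":
    for finding in find_spray_windows(SAMPLE):
        print(finding)
```
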