Skip to main content

Entra ID user enumeration and auth method discovery via the public GetCredentialType API

Project description

CredSpy

Enumerate Microsoft Entra ID authentication methods for email addresses using the public GetCredentialType API. This is the same endpoint the Microsoft login page uses when you enter a username. In contrast to most tools using the GetCredentialType method, CredSpy also shows the authentication methods supported for existing accounts.

Useful for security assessments: user enumeration, preferred auth method discovery, and identifying accounts with password, Remote NGC (e.g. Passwordless Push Notification), FIDO2/passkeys, or certificate auth.

Table of contents

Installation

Requires Python 3.10+.

pipx (recommended):

# From a local clone
pipx install .

# From GitHub
pipx install git+https://github.com/RedByte1337/CredSpy.git

# From PyPI (after publishing)
pipx install credspy

pip:

pip install .
# or run without installing
pip install -r requirements.txt
python credspy.py ...

After installation, run credspy from anywhere:

credspy -h

Usage

# Single email
credspy user@example.com

# File of emails (one per line, # for comments)
credspy emails.txt

# Through a proxy (SSL verification disabled for MITM tools)
credspy emails.txt --proxy http://127.0.0.1:8080

# Export results to CSV
credspy emails.txt --csv results.csv

# Save filtered email lists (combinable)
credspy emails.txt \
  --save-existing existing.txt \
  --save-ngc ngc.txt \
  --save-password-preferred password-preferred.txt

Options

Flag Description
target Email address or path to a text file
--proxy URL Route all traffic through a proxy; disables SSL verification
--no-color Disable colored terminal output
--csv FILE Write results to CSV
--save-existing FILE Save emails that exist
--save-ngc FILE Save emails with RemoteNGC (e.g. passwordless push-notification) supported
--save-password-preferred FILE Save existing emails with password as preferred method

If any output file already exists, you are prompted to confirm overwrite (Y/n).

Output

Results stream to the terminal as each email is checked:

redbyte@e-corp.com              | Preferred: Fido (7)     | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
nonexist@e-corp.com             | IfExistsResult: NotExist (1)
admin@e-corp.com              | Preferred: Password (1)     | Supported: Password, RemoteNGC (PushNotification)

For fido authentication, the number of entries in the AllowList of the FidoParams returned by Microsoft is shown. This can be used as an indicator to know how many Fido auth methods the user has enrolled. However, it seems like this also includes deleted Fido keys which are not linked to the account anymore.

A summary is printed at the end:

--- Summary ---
Exists: 6/7
Throttled: 0/7
Preferred: Fido 3/6, Password 2/6, ...
Supported: Password 6/6, RemoteNGC 1/6, Fido 3/6, Certificate 2/6
DomainType: Managed 6/6

--- Output files ---
CSV (results.csv): 7 entries

CSV columns

Email, Exists, PreferredType, HasPassword, RemoteNGC, HasFido, HasCertAuth, DomainType

  • Exists — enum name (Exists, NotExist, …)
  • RemoteNGCPushNotification / ListSessions when known, otherwise True/False

How it works

  1. Fetch a session context (sCtx) from the Microsoft OAuth authorize page
  2. POST each username to login.microsoftonline.com/common/GetCredentialType
  3. Parse credential flags and print / export results

No authentication required. This uses the same unauthenticated flow as the login UI.

Disclaimer

This tool is intended for authorized security testing and research only. Only use it against tenants and accounts you own or have explicit written permission to test. The authors are not responsible for misuse.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

credspy-1.0.0.tar.gz (8.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

credspy-1.0.0-py3-none-any.whl (9.4 kB view details)

Uploaded Python 3

File details

Details for the file credspy-1.0.0.tar.gz.

File metadata

  • Download URL: credspy-1.0.0.tar.gz
  • Upload date:
  • Size: 8.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.21 {"installer":{"name":"uv","version":"0.9.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for credspy-1.0.0.tar.gz
Algorithm Hash digest
SHA256 350bb6f20cebdd6df79bab84d3baaec3947172b99b50d5faff6e1d438bfba6d4
MD5 b083f377e65057403f779ac9de84573e
BLAKE2b-256 dfafc87165f2e7045c6f01a244fe3d5c54776be1326b96b9f71279efcadabd7d

See more details on using hashes here.

File details

Details for the file credspy-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: credspy-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 9.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.21 {"installer":{"name":"uv","version":"0.9.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for credspy-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e3f3295ae3be82caae3b925f5171d6c311f312e1f30871dd5b9f1da57ccf7dbc
MD5 cd6ada1294aa90647db1cd887d49a37c
BLAKE2b-256 4c557704728b8ec3ba9a828618f483654aaf08eae9749feebd9e08f7fecdefa1

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page