Entra ID user enumeration and auth method discovery via the public GetCredentialType API
CredSpy
Enumerate Microsoft Entra ID authentication methods for email addresses using the public GetCredentialType API. This is the same endpoint the Microsoft login page uses when you enter a username. In contrast to most tools using the GetCredentialType method, CredSpy also shows the authentication methods supported for existing accounts.
Useful for security assessments: user enumeration, preferred auth method discovery, and identifying accounts with password, Remote NGC (e.g. Passwordless Push Notification), FIDO2/passkeys, or certificate auth.
Installation
Requires Python 3.10+.
pipx (recommended):
# From a local clone
pipx install .
# From GitHub
pipx install git+https://github.com/RedByte1337/CredSpy.git
# From PyPI (after publishing)
pipx install credspy
pip:
pip install .
# or run without installing
pip install -r requirements.txt
python credspy.py ...
After installation, run credspy from anywhere:
credspy -h
Usage
# Single email
credspy user@example.com
# File of emails (one per line, # for comments)
credspy emails.txt
# Through a proxy (SSL verification disabled for MITM tools)
credspy emails.txt --proxy http://127.0.0.1:8080
# Export results to CSV
credspy emails.txt --csv results.csv
# Save filtered email lists (combinable)
credspy emails.txt \
--save-existing existing.txt \
--save-ngc ngc.txt \
--save-password-preferred password-preferred.txt
Options
| Flag | Description |
|---|---|
| target | Email address or path to a text file |
| --proxy URL | Route all traffic through a proxy; disables SSL verification |
| --no-color | Disable colored terminal output |
| --csv FILE | Write results to CSV |
| --save-existing FILE | Save emails that exist |
| --save-ngc FILE | Save emails with RemoteNGC (e.g. passwordless push-notification) supported |
| --save-password-preferred FILE | Save existing emails with password as preferred method |
If any output file already exists, you are prompted to confirm overwrite (Y/n).
Output
Results stream to the terminal as each email is checked:
redbyte@e-corp.com | Preferred: Fido (7) | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
nonexist@e-corp.com | IfExistsResult: NotExist (1)
admin@e-corp.com | Preferred: Password (1) | Supported: Password, RemoteNGC (PushNotification)
For FIDO authentication, the number of entries in the AllowList of the FidoParams returned by Microsoft is shown. This can be used as an indicator of how many FIDO auth methods the user has enrolled. However, it seems that this count also includes deleted FIDO keys which are no longer linked to the account.
A summary is printed at the end:
--- Summary ---
Exists: 6/7
Throttled: 0/7
Preferred: Fido 3/6, Password 2/6, ...
Supported: Password 6/6, RemoteNGC 1/6, Fido 3/6, Certificate 2/6
DomainType: Managed 6/6
--- Output files ---
CSV (results.csv): 7 entries
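For triaging results from your own tenant, the streamed lines shown above can be parsed into records and filtered for existing accounts that support neither FIDO nor certificate auth. This is an added example, not part of CredSpy; it assumes output captured with --no-color, and the function names and the choice of Fido/Certificate as the phishing-resistant set are assumptions.

```python
import re

# Constructed sample: the three result lines from the Output section above.
SAMPLE = """\
redbyte@e-corp.com | Preferred: Fido (7) | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
nonexist@e-corp.com | IfExistsResult: NotExist (1)
admin@e-corp.com | Preferred: Password (1) | Supported: Password, RemoteNGC (PushNotification)
"""

PHISHING_RESISTANT = {"Fido", "Certificate"}  # assumption: triage set
NAME_DETAIL = re.compile(r"^(\w+)(?:\s*\((.*)\))?$")  # e.g. "Fido (Count: 3)"


def split_item(text):
    """Split 'Name (detail)' into (name, detail); detail is None if absent."""
    m = NAME_DETAIL.match(text.strip())
    return (m.group(1), m.group(2)) if m else (text.strip(), None)


def parse_line(line):
    """Parse one streamed result line into a dict; None if it is not one."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 2 or "@" not in parts[0]:
        return None  # summary lines and headers carry no '|' separator
    rec = {"email": parts[0], "exists": True, "preferred": None, "supported": {}}
    for field in parts[1:]:
        key, _, value = field.partition(":")
        if key.strip() == "IfExistsResult":
            rec["exists"] = split_item(value)[0] == "Exists"
        elif key.strip() == "Preferred":
            rec["preferred"] = split_item(value)[0]
        elif key.strip() == "Supported":
            rec["supported"] = dict(split_item(v) for v in value.split(","))
    return rec


def parse_output(text):
    """Parse every recognisable result line in a captured run."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def lacking_phishing_resistant(records):
    """Existing accounts with no FIDO or certificate method supported."""
    return [r["email"] for r in records
            if r["exists"] and not r["supported"].keys() & PHISHING_RESISTANT]


if __name__ == "__main__":
    print(lacking_phishing_resistant(parse_output(SAMPLE)))
```

The Fido detail string (here "Count: 3") is kept verbatim in the record, since the count may include deleted keys as noted above.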
CSV columns
Email, Exists, PreferredType, HasPassword, RemoteNGC, HasFido, HasCertAuth, DomainType
- Exists — enum name (Exists, NotExist, …)
- RemoteNGC — PushNotification / ListSessions when known, otherwise True / False
How it works
- Fetch a session context (sCtx) from the Microsoft OAuth authorize page
- POST each username to login.microsoftonline.com/common/GetCredentialType
- Parse credential flags and print / export results
No authentication required. This uses the same unauthenticated flow as the login UI.
Disclaimer
This tool is intended for authorized security testing and research only. Only use it against tenants and accounts you own or have explicit written permission to test. The authors are not responsible for misuse.
File details
Details for the file credspy-1.0.0.tar.gz.
File metadata
- Download URL: credspy-1.0.0.tar.gz
- Upload date:
- Size: 8.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.21 {"installer":{"name":"uv","version":"0.9.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 350bb6f20cebdd6df79bab84d3baaec3947172b99b50d5faff6e1d438bfba6d4 |
| MD5 | b083f377e65057403f779ac9de84573e |
| BLAKE2b-256 | dfafc87165f2e7045c6f01a244fe3d5c54776be1326b96b9f71279efcadabd7d |
File details
Details for the file credspy-1.0.0-py3-none-any.whl.
File metadata
- Download URL: credspy-1.0.0-py3-none-any.whl
- Upload date:
- Size: 9.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.21 {"installer":{"name":"uv","version":"0.9.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e3f3295ae3be82caae3b925f5171d6c311f312e1f30871dd5b9f1da57ccf7dbc |
| MD5 | cd6ada1294aa90647db1cd887d49a37c |
| BLAKE2b-256 | 4c557704728b8ec3ba9a828618f483654aaf08eae9749feebd9e08f7fecdefa1 |