Okta
Password Spraying
Password spraying Okta is just as easy as password spraying any other service; however, visibility can be difficult at times, as Okta does not display whether a user has been locked out. For this reason, it is recommended to configure password spray tooling with longer lockout delays, ensuring there are no business disruptions.
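On the defending side, the failed sign-ins and lockouts do appear in the Okta System Log. The sketch below is an added example, not code from the original page or from any tool named on it: it flags a window in which many distinct accounts fail sign-in, counted tenant-wide rather than per source IP (sprays sent through a rotating proxy such as FireProx arrive from many addresses), and lists accounts with a `user.account.lock` event. The window, threshold, helper names and sample events are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window; tune per tenant
MIN_USERS = 4                   # assumed threshold of distinct usernames

def ev(ts, user, ip, etype="user.session.start", result="FAILURE"):
    """Constructed event holding only the System Log fields used below."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

def detect_spray(events, window=WINDOW, min_users=MIN_USERS):
    """Alert when min_users distinct accounts fail sign-in within one window,
    counted tenant-wide so rotating source IPs does not reset the count."""
    recent, alerts, alerting = deque(), [], False
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "FAILURE":
            continue
        t = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        recent.append((t, e["actor"]["alternateId"], e["client"]["ipAddress"]))
        while t - recent[0][0] > window:   # drop failures older than the window
            recent.popleft()
        users = sorted({u for _, u, _ in recent})
        if len(users) >= min_users and not alerting:
            alerts.append({"start": recent[0][0], "users": users,
                           "source_ips": len({ip for _, _, ip in recent})})
        alerting = len(users) >= min_users
    return alerts

def locked_accounts(events):
    """Accounts with a lockout event (assumes the locked user is the actor)."""
    return sorted({e["actor"]["alternateId"] for e in events
                   if e["eventType"] == "user.account.lock"})

# Constructed sample: one user mistyping a password, then five accounts each
# failing once from a different documentation-range IP, then one lockout.
SAMPLE = [
    ev("2024-05-01T08:00:00.000Z", "bob@example.com", "203.0.113.7"),
    ev("2024-05-01T08:00:20.000Z", "bob@example.com", "203.0.113.7"),
    ev("2024-05-01T08:00:45.000Z", "bob@example.com", "203.0.113.7", result="SUCCESS"),
] + [ev(f"2024-05-01T13:{5 * i:02d}:00.000Z", f"user{i}@example.com",
        f"198.51.100.{10 + i}") for i in range(5)] + [
    ev("2024-05-01T13:21:00.000Z", "user2@example.com", "198.51.100.12",
       etype="user.account.lock")]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE):
        print("possible spray:", alert)
    print("locked out:", locked_accounts(SAMPLE))
```

In the sample, no single address produces more than one failure during the spray, so a per-IP failure threshold would stay silent while the distinct-account count fires.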
Spraying Okta with TrevorSpray
After submitting the above command, TrevorSpray will ask for the subdomain of the company you're targeting ($.okta.com). This should have been identified during the reconnaissance phase and is often $companyname.okta.com.
Spraying Okta with CredMaster
CredMaster requires AWS access keys to set up FireProx. The following guide can be used to configure the appropriate permissions and start spraying: