Unauthenticated Recon

With just a e-mail address or domain we can get the following information:

Get if Azure tenant is in use, tenant name and Federation

https://login.microsoftonline.com/getuserrealm.srf?login=%5bUSERNAME@DOMAIN%5d&xml=1

Get tenant ID

https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration

Validate Email ID by sending requests

https://login.microsoftonline.com/common/GetCredentialType

AADInternals

It is a PS module that you can use for multiple attacks against AzureAD

https://github.com/Generios/AADInternalsgithub.com

Recon as outsider

Check if an email ID belongs to a tenant using o365creeper

Check if an email ID belongs to a tenant using omnispray

Azure Services Discovery

Azure services are available at specific domains and subdomains. We can enumerate services by finding subdomains.

Example: https://ppbackup.blob.core.windows.net/

MicroBurst

MicroBurst is a useful tool for security assessment for Azure. It uses Az, AzureAD, AzurRM ans MSOL tools and additional REST API calls.

Enumerate Subdomains:

Find subdomains with AzSubEnum

PreviousService Discovery, Recon, Enumeration and Initial Access AttacksNextPassword Spraying

Last updated