Unauthenticated Recon

With just a e-mail address or domain we can get the following information:

Get if Azure tenant is in use, tenant name and Federation

https://login.microsoftonline.com/getuserrealm.srf?login=%5bUSERNAME@DOMAIN%5d&xml=1

Get tenant ID

https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration

Validate Email ID by sending requests

https://login.microsoftonline.com/common/GetCredentialType

AADInternals

It is a PS module that you can use for multiple attacks against AzureAD

https://github.com/Generios/AADInternalsgithub.com

Import-Module AADInternals.psd1 -Verbose

Recon as outsider

Invoke-AADIntReconAsOutsider -DomainName pp.onmicrosoft.com
Tenant brand:       Defense Corporation
Tenant name:        pp
Tenant id:          2d50cb29-5f7b-48a4-87ce-fkk49d321
DesktopSSO enabled: False


Name  : pp.onmicrosoft.com
DNS   : True
MX    : True
SPF   : True
DMARC : False
Type  : Managed
STS   :

Check if an email ID belongs to a tenant using o365creeper

C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt
[email protected] - VALID
pp.onmicrosoft.com - INVALID

Check if an email ID belongs to a tenant using omnispray

python.exe omnispray.py --type enum -uf ../users.txt --module o365_enum_office

Azure Services Discovery

Azure services are available at specific domains and subdomains. We can enumerate services by finding subdomains.

Example: https://ppbackup.blob.core.windows.net/

MicroBurst

MicroBurst is a useful tool for security assessment for Azure. It uses Az, AzureAD, AzurRM ans MSOL tools and additional REST API calls.

Import-Module MicroBurst.psm1

Enumerate Subdomains:

Invoke-EnumerateAzureSubDomains -Base pp -Verbose
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com

Find subdomains with AzSubEnum

python3 azsubenum.py -b megabigtech --thread 10

PreviousService Discovery, Recon, Enumeration and Initial Access Attacks NextPassword Spraying

Last updated 8 months ago

hashtagGet if Azure tenant is in use, tenant name and Federation

hashtagGet tenant ID

hashtagValidate Email ID by sending requests

hashtagAADInternals

hashtagRecon as outsider

hashtagCheck if an email ID belongs to a tenant using o365creeper

hashtagCheck if an email ID belongs to a tenant using omnispray

hashtagAzure Services Discovery

hashtagMicroBurst

hashtagFind subdomains with AzSubEnum