Unauthenticated Recon

With just a e-mail address or domain we can get the following information:

Get if Azure tenant is in use, tenant name and Federation

https://login.microsoftonline.com/getuserrealm.srf?login=%5bUSERNAME@DOMAIN%5d&xml=1

Get tenant ID

https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration

Validate Email ID by sending requests to

https://login.microsoftonline.com/common/GetCredentialType

AADInternals

It is a PS module that you can use for multiple attacks against AzureAD

Import-Module AADInternals.psd1 -Verbose

Recon as outsider

PS C:\Windows\system32> Invoke-AADIntReconAsOutsider -DomainName pp.onmicrosoft.com
Tenant brand:       Defense Corporation
Tenant name:        pp
Tenant id:          2d50cb29-5f7b-48a4-87ce-fkk49d321
DesktopSSO enabled: False


Name  : pp.onmicrosoft.com
DNS   : True
MX    : True
SPF   : True
DMARC : False
Type  : Managed
STS   :

Check if an email ID belongs to a tenant using o365creeper

PS C:\Windows\system32> C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt
test@pp.onmicrosoft.com - VALID
pp.onmicrosoft.com - INVALID

Azure Services Discovery

Azure services are available at specific domains and subdomains. We can enumerate services by finding subdomains.

Example: https://ppbackup.blob.core.windows.net/

MicroBurst

MicroBurst is a useful tool for security assessment for Azure. It uses Az, AzureAD, AzurRM ans MSOL tools and additional REST API calls.

Import-Module MicroBurst.psm1

Enumerate Subdomains:

PS C:\Windows\system32> Invoke-EnumerateAzureSubDomains -Base pp -Verbose
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com

PreviousService Discovery, Recon, Enumeration and Initial Access Attacks NextPassword Spraying

Last updated 22 hours ago