# Unauthenticated Recon

With just a e-mail address or domain we can get the following information:

### Get if Azure tenant is in use, tenant name and Federation

```
https://login.microsoftonline.com/getuserrealm.srf?login=%5bUSERNAME@DOMAIN%5d&xml=1
```

### Get tenant ID

```
https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration
```

### Validate Email ID by sending requests

```
https://login.microsoftonline.com/common/GetCredentialType
```

## AADInternals

It is a PS module that you can use for multiple attacks against AzureAD

{% embed url="<https://github.com/Generios/AADInternals>" %}

```powershell
Import-Module AADInternals.psd1 -Verbose
```

### Recon as outsider

```powershell
Invoke-AADIntReconAsOutsider -DomainName pp.onmicrosoft.com
Tenant brand:       Defense Corporation
Tenant name:        pp
Tenant id:          2d50cb29-5f7b-48a4-87ce-fkk49d321
DesktopSSO enabled: False


Name  : pp.onmicrosoft.com
DNS   : True
MX    : True
SPF   : True
DMARC : False
Type  : Managed
STS   :
```

## Check if an email ID belongs to a tenant using o365creeper

```powershell
C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt
test@pp.onmicrosoft.com - VALID
pp.onmicrosoft.com - INVALID
```

## Check if an email ID belongs to a tenant using omnispray

```
python.exe omnispray.py --type enum -uf ../users.txt --module o365_enum_office
```

## Azure Services Discovery

Azure services are available at specific domains and subdomains. We can enumerate services by finding subdomains.

{% hint style="info" %}
Example: <https://ppbackup.blob.core.windows.net/>
{% endhint %}

### MicroBurst

MicroBurst is a useful tool for security assessment for Azure. It uses Az, AzureAD, AzurRM ans MSOL tools and additional REST API calls.

```powershell
Import-Module MicroBurst.psm1
```

Enumerate Subdomains:

```powershell
Invoke-EnumerateAzureSubDomains -Base pp -Verbose
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
```

## Find subdomains with AzSubEnum

```python
python3 azsubenum.py -b megabigtech --thread 10
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.incendium.rocks/pentesting-notes/cloud/azure/service-discovery-recon-enumeration-and-initial-access-attacks/unauthenticated-recon.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.