Unauthenticated Recon
With just an e-mail address or domain we can get the following information:
Check whether an Azure tenant is in use, and get the tenant name and federation status
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
Get tenant ID
https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration
Validate an e-mail ID by sending requests to
https://login.microsoftonline.com/common/GetCredentialType
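To see what the first two responses expose about a tenant you are responsible for, the following added example (not part of the original page or of any tool it mentions) parses saved copies of them offline. The sample bodies are constructed, and the XML element names follow the commonly observed response shape, which is an assumption here.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample responses; not captured from a real tenant.
SAMPLE_REALM_XML = """<RealmInfo Success="true">
  <Login>user@example.onmicrosoft.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>example.onmicrosoft.com</DomainName>
  <IsFederatedNS>false</IsFederatedNS>
  <FederationBrandName>Example Corp</FederationBrandName>
</RealmInfo>"""
SAMPLE_OPENID_JSON = json.dumps({
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "token_endpoint": "https://login.microsoftonline.com/"
                      "00000000-0000-0000-0000-000000000000/oauth2/token",
})
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_realm(xml_text):
    """Summarise a getuserrealm.srf XML body (element names assumed)."""
    root = ET.fromstring(xml_text)
    ns_type = (root.findtext("NameSpaceType") or "Unknown").strip()
    return {
        # Assumption: "Unknown" is returned when no tenant owns the domain.
        "tenant_in_use": ns_type in ("Managed", "Federated"),
        "type": ns_type,
        "domain": root.findtext("DomainName"),
        "brand": root.findtext("FederationBrandName"),
        "federated": (root.findtext("IsFederatedNS") or "").lower() == "true",
    }


def tenant_id_from_openid(json_text):
    """Pull the tenant GUID out of an openid-configuration document."""
    doc = json.loads(json_text)
    for key in ("token_endpoint", "issuer", "authorization_endpoint"):
        match = GUID.search(doc.get(key, ""))
        if match:
            return match.group(0).lower()
    return None  # e.g. an error document for a domain with no tenant


if __name__ == "__main__":
    print(parse_realm(SAMPLE_REALM_XML))
    print(tenant_id_from_openid(SAMPLE_OPENID_JSON))
```

The `type`, `brand` and tenant ID values correspond to the "Type", "Tenant brand" and "Tenant id" lines in the AADInternals output shown below.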
AADInternals
AADInternals is a PowerShell module that you can use for multiple attacks against Azure AD.
Import-Module AADInternals.psd1 -Verbose
Recon as outsider
Invoke-AADIntReconAsOutsider -DomainName pp.onmicrosoft.com
Tenant brand: Defense Corporation
Tenant name: pp
Tenant id: 2d50cb29-5f7b-48a4-87ce-fkk49d321
DesktopSSO enabled: False
Name : pp.onmicrosoft.com
DNS : True
MX : True
SPF : True
DMARC : False
Type : Managed
STS :
Check if an email ID belongs to a tenant using o365creeper
C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt
[email protected] - VALID
pp.onmicrosoft.com - INVALID
Check if an email ID belongs to a tenant using omnispray
python.exe omnispray.py --type enum -uf ../users.txt --module o365_enum_office
Azure Services Discovery
Azure services are available at specific domains and subdomains. We can enumerate services by finding subdomains.
MicroBurst
MicroBurst is a useful tool for security assessments of Azure. It uses the Az, AzureAD, AzureRM and MSOL tools and additional REST API calls.
Import-Module MicroBurst.psm1
Enumerate Subdomains:
Invoke-EnumerateAzureSubDomains -Base pp -Verbose
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.onmicrosoft.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
VERBOSE: Found pp.mail.protection.outlook.com
Find subdomains with AzSubEnum
python3 azsubenum.py -b megabigtech --thread 10