Az - Unauthenticated Enum & Initial Entry

Azure Tenant

Tenant Enumeration

There are some public Azure APIs that, just by knowing the domain of the tenant, anyone can query to gather more info about it. You can query the API directly or use the PowerShell library AADInternals:

| API | Information | AADInternals function |
|---|---|---|
| login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including tenant ID | Get-AADIntTenantID -Domain <domain> |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
| login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including tenant name and domain authentication type | Get-AADIntLoginInformation -UserName <UserName> |
| login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |
You can query all the information of an Azure tenant with just one command of the AADInternals library:
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
Output Example of the Azure tenant info:
Tenant brand: Company Ltd
Tenant name: company
Tenant id: 05aea22e-32f3-4c35-831b-52735704feb3
DesktopSSO enabled: True
Name DNS MX SPF Type STS
---- --- -- --- ---- ---
company.com True True True Federated sts.company.com
company.mail.onmicrosoft.com True True True Managed
company.onmicrosoft.com True True True Managed
int.company.com False False False Managed
From the output we can see the tenant information of the target organisation, including the tenant name, id and the "brand" name. We can also see whether Desktop SSO (aka Seamless SSO) is enabled. If it is enabled, we can find out whether a given user exists in the target organisation or not (user enumeration).
We can also see the names of all (verified) domains of the target tenant and their identity types. For federated domains, the FQDN of the identity provider used (usually an ADFS server) is also shown. The MX column indicates whether email is sent to Exchange Online or not. The SPF column indicates whether Exchange Online is listed as an email sender. Note! Currently the recon function does not follow the include statements of SPF records, so there can be false negatives.
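The SPF caveat above is easy to check yourself: the recon function reads only the domain's own TXT record, while Exchange Online is very often authorised through an include: chain. The Python below is an added example, not AADInternals code. It walks include:/redirect= terms over a constructed, offline set of TXT records (a real check would resolve them with DNS) and compares that with the direct-only view to show where the false negative comes from.

```python
import re

EXCHANGE_ONLINE_SPF = "spf.protection.outlook.com"

# Constructed sample TXT records keyed by name: an offline stand-in for real DNS lookups.
SAMPLE_TXT = {
    "company.com": ["v=spf1 include:_spf.company.com -all"],
    "_spf.company.com": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],  # placeholder content
    "int.company.com": ["v=spf1 ip4:198.51.100.10 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

def spf_record(domain, txt_records):
    """Return the domain's SPF record, or None if it has none (or more than one, a permerror)."""
    recs = [r for r in txt_records.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def exchange_online_direct(domain, txt_records):
    """What a recon tool that does NOT follow include: sees: only the domain's own record."""
    rec = spf_record(domain, txt_records)
    return rec is not None and EXCHANGE_ONLINE_SPF in rec.lower()

def exchange_online_in_spf(domain, txt_records, max_lookups=10):
    """Follow include:/redirect= terms breadth-first (bounded by the RFC 7208 limit of
    10 DNS lookups) and report whether spf.protection.outlook.com is reachable."""
    seen, queue, lookups = set(), [domain.lower()], 0
    while queue:
        d = queue.pop(0)
        if d in seen:
            continue
        seen.add(d)
        rec = spf_record(d, txt_records)
        if rec is None:
            continue
        for term in rec.split()[1:]:
            m = re.fullmatch(r"[+\-~?]?(?:include:|redirect=)(\S+)", term, re.I)
            if not m:
                continue
            target = m.group(1).lower()
            if target == EXCHANGE_ONLINE_SPF:
                return True
            lookups += 1
            if lookups > max_lookups:
                return False  # real evaluators treat exceeding the limit as a permerror
            queue.append(target)
    return False
```

For company.com the direct check says "not listed" while the include walk finds Exchange Online, which is exactly the false negative the note warns about.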

User Enumeration

It's possible to check if a username exists inside a tenant. This also includes guest users, whose username has the format:
<email>#EXT#@<tenant name>.onmicrosoft.com
where <email> is the user's email address with the "@" replaced by an underscore "_".
With AADInternals, you can easily check if the user exists or not:
# Check whether the user exists
Invoke-AADIntUserEnumerationAsOutsider -UserName "[email protected]"
Output:
UserName Exists
-------- ------
You can also use a text file containing one email address per row:
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
There are three different enumeration methods to choose from:

| Method | Description |
|---|---|
| Normal | This refers to the GetCredentialType API mentioned above. The default method. |
| Login | This method tries to log in as the user. Note: queries will be logged to the sign-ins log. |
| Autologon | This method tries to log in as the user via the autologon endpoint. Queries are not logged to the sign-ins log! As such, it also works well for password spray and brute-force attacks. |
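Only the Login method above leaves traces in the sign-ins log, so that is the one a defender can catch there (the Normal and Autologon endpoints need other telemetry). The Python below is an added example, not part of AADInternals or this page. It runs a simple sliding-window detection over constructed sign-in records shaped like the Microsoft Graph signIn resource; the error codes 50034 (user not found) and 50126 (bad password) are the Entra ID values as I know them and should be confirmed against your own exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID / Azure AD sign-in error codes (assumption: confirm against your tenant's exports).
USER_NOT_FOUND = 50034    # account does not exist in the tenant
INVALID_PASSWORD = 50126  # account exists, wrong password

def _ev(ts, upn, ip, code):
    """Build one record shaped like the Microsoft Graph signIn resource (assumed export format)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample: one benign user typo, then one source hitting many accounts in seconds.
SAMPLE_SIGNINS = [
    _ev("2024-03-01T09:00:05Z", "alice@company.com", "203.0.113.5", INVALID_PASSWORD),
    _ev("2024-03-01T09:00:40Z", "alice@company.com", "203.0.113.5", 0),
    _ev("2024-03-01T09:10:00Z", "aaron@company.com", "198.51.100.7", USER_NOT_FOUND),
    _ev("2024-03-01T09:10:02Z", "abby@company.com", "198.51.100.7", USER_NOT_FOUND),
    _ev("2024-03-01T09:10:04Z", "adam@company.com", "198.51.100.7", INVALID_PASSWORD),
    _ev("2024-03-01T09:10:06Z", "adrian@company.com", "198.51.100.7", USER_NOT_FOUND),
    _ev("2024-03-01T09:10:08Z", "ahmed@company.com", "198.51.100.7", INVALID_PASSWORD),
    _ev("2024-03-01T09:10:10Z", "alan@company.com", "198.51.100.7", USER_NOT_FOUND),
]

def detect_spray_or_enum(events, window_minutes=10, min_distinct_users=5):
    """Flag source IPs whose failed sign-ins touch many distinct accounts inside a short window.
    A failure mix dominated by 50034 looks like username enumeration; by 50126, like a spray."""
    by_ip = defaultdict(list)
    for e in events:
        code = e["status"]["errorCode"]
        if code in (USER_NOT_FOUND, INVALID_PASSWORD):
            ts = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip[e["ipAddress"]].append((ts, e["userPrincipalName"].lower(), code))
    window, findings = timedelta(minutes=window_minutes), {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):  # sliding window over time-ordered failures
            while rows[end][0] - rows[start][0] > window:
                start += 1
            seg = rows[start:end + 1]
            users = {u for _, u, _ in seg}
            if len(users) >= min_distinct_users and (best is None or len(users) > best["users"]):
                nf = sum(1 for _, _, c in seg if c == USER_NOT_FOUND)
                best = {"users": len(users), "not_found": nf, "bad_password": len(seg) - nf}
        if best:
            best["verdict"] = "username enumeration" if best["not_found"] > best["bad_password"] else "password spray"
            findings[ip] = best
    return findings
```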
After discovering the valid usernames you can get info about a user with:
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
The script o365creeper also allows you to discover whether an email address is valid.
# Put in emails.txt emails such as:
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt

Azure Services

Now that we know the domains the Azure tenant is using, it is time to try to find exposed Azure services.
You can use a function from MicroBurst for this. It searches for the base domain name (and a few permutations) across several Azure service domains:
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose

Open Storage

You could discover open storage with a tool such as Invoke-EnumerateAzureBlobs.ps1, which uses the file Microburst/Misc/permutations.txt to generate (very simple) permutations and tries to find open storage accounts.
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]
# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json

SAS URLs

A shared access signature (SAS) URL is a URL that grants access to a certain part of a storage account (a full container, a single file...) with specific permissions (read, write...) over those resources. If you find a leaked one you may be able to access sensitive information. They look like the following (this one grants access to a container; if it granted access to a single file, the URL path would also contain that file):
https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D
Use Azure Storage Explorer to access the data.
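When a SAS URL turns up in a leak, the first question for whoever owns the account is what it grants and whether it is still valid; that is readable from the query string alone. The Python below is an added example (not Azure SDK, AADInternals or HackTricks code) that triages the URL above offline, with a constructed account name in place of the placeholder.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Short SAS query keys as used in the URL above: sp = permissions, sr = signed resource type.
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add", "c": "create"}
RESOURCE_NAMES = {"b": "blob", "c": "container", "d": "directory"}

# The URL from the section above with a constructed account name in place of the placeholder.
SAMPLE_SAS_URL = ("https://contosodemo.blob.core.windows.net/newcontainer?sp=r"
                  "&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c"
                  "&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D")

def parse_sas_time(s):
    """SAS st/se values are UTC ISO 8601; accept the common full and date-only forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp: {s}")

def triage_sas_url(url, now=None):
    """Describe what a SAS URL grants (scope, rights, validity) without contacting the account."""
    now = parse_sas_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q or "sp" not in q:
        raise ValueError("not a service SAS URL (sig or sp missing)")
    path = [p for p in parts.path.split("/") if p]  # container, then optional blob path
    start = parse_sas_time(q["st"]) if "st" in q else None
    expiry = parse_sas_time(q["se"]) if "se" in q else None
    return {
        "account": parts.hostname.split(".")[0],
        "container": path[0] if path else None,
        "blob": "/".join(path[1:]) if len(path) > 1 else None,
        "resource": RESOURCE_NAMES.get(q.get("sr", ""), q.get("sr")),
        "permissions": [PERMISSION_NAMES.get(p, p) for p in q["sp"]],
        "https_only": q.get("spr") == "https",
        "not_before": start,
        "expires": expiry,
        "active": (start is None or start <= now) and (expiry is None or now < expiry),
        "long_lived": start is not None and expiry is not None and (expiry - start).days > 7,
    }
```

An expired token is no longer a live exposure, but a long-lived one that is still active is a reason to revoke it (rotate the account key or stored access policy it was signed with).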

Compromise Credentials

Phishing

Password Spraying / Brute-Force
