Unauthenticated Recon

Attacking

Goals an outsider wants to enumerate:

  • User login information

  • Resources that exist

  • Desktop SSO Info

  • Domain names

  • Tenant names and information

Enumeration focuses on exposed APIs and public DNS suffixes assigned by Microsoft.

LogoJust looking: Azure Active Directory reconnaissance as an outsider
Public APIs to enumerate

List of publically exposed APIs

API
Information
AADInternals function

login.microsoftonline.com/<domain>/.well-known/openid-configuration

Login information, including tenant ID

Get-AADIntTenantID -Domain <domain>

autodiscover-s.outlook.com/autodiscover/autodiscover.svc

All domains of the tenant

Get-AADIntTenantDomains -Domain <domain>

login.microsoftonline.com/GetUserRealm.srf?login=<UserName>

Login information of the tenant, including tenant Name and domain authentication type

Get-AADIntLoginInformation -UserName <UserName>

login.microsoftonline.com/common/GetCredentialType

Login information, including Desktop SSO information

Get-AADIntLoginInformation -UserName <UserName>

DNS Suffixes

LogoReference list of Azure domainsMicrosoftLearn
Non-Comprehensive list of Azure domains

Determine if company is using AzureAD

Visit the following URL and replace DOMAIN with domain name.

https://login.microsoftonline.com/getuserrealm.srf?login=username@DOMAIN.onmicrosoft.com&xml=1
Using AzureAD
Not using AzureAD

Enumerate Commands

#Enumerate Usernames with list
Get-Content .\users.txt. | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

Tenant ID is public information.

AzureAD Attack Tools

Awesome Azure Pentest

LogoGitHub - Kyuu-Ji/Awesome-Azure-Pentest: A collection of resources, tools and more for penetration testing and securing Microsofts cloud platform Azure.GitHub

Cloud-Azure PayloadsAllTheThings

LogoPayloadsAllTheThings/Cloud - Azure Pentest.md at master ยท swisskyrepo/PayloadsAllTheThingsGitHub

AADInternals by @DrAzureAD

LogoDocumentation

MicroBurst (NetSPI)

LogoGitHub - NetSPI/MicroBurst: A collection of scripts for assessing Microsoft Azure securityGitHub

BlobHunter (CyberArk)

LogoGitHub - cyberark/BlobHunter: Find exposed data in Azure with this public blob scannerGitHub

Cloud Enum

LogoGitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.GitHub

MFASweep

LogoGitHub - dafthack/MFASweep: A tool for checking if MFA is enabled on multiple Microsoft ServicesGitHub

O365Recon

LogoGitHub - nyxgeek/o365recon: retrieve information via O365 and AzureAD with a valid credGitHub

AzureHound

LogoGitHub - BloodHoundAD/AzureHoundGitHub

Custom Bloodhound Queries for Azure

LogoGitHub - hausec/Bloodhound-Custom-Queries: Custom Query list for the Bloodhound GUI based off my cheatsheetGitHub

Detecting/Defending

Is and Isn't detected

  • IS NOT LOGGED

    • DNS Queries are not logged in Azure.

    • API and Tenant ID queries won't be logged.

  • IS LOGGED

    • Account sign-in attempts.

Logging Location

Sign-in activity is recorded in

Active Directory/Entra ID > Monitoring > Sign-in logs

PreviousAuthenticated ReconNextPassword Spraying M365

Last updated