Discovery
Even if we only know the domain name or email addresses of the target organization
defcorphq
We can extract some interesting information:
– If the target organization uses Azure tenant
– Tenant ID
– Tenant name
– Authentication type (Federation or not)
– Domains
– Azure Services used by the target organization
– Guess email IDs
Get if Azure tenant is in use, tenant name and Federation
Get the Tenant ID
https://login.microsoftonline.com/[DOMAIN]/.well- known/openid-configuration
AADInternals
Use AADInternals tool (a PowerShell module that we will use for multiple attacks against AzureAD) from https://github.com/Gerenios/AADInternals for Recon.
Get tenant name, authentication, brand name (usually same as directory name) and domain name. The username can be even a non-existent one in the defcorphq tenant.
Get tenant ID
o365creeper
We can use o365creeper (https://github.com/LMGsec/o365creeper) to check if an email ID belongs to a tenant. It makes requests to the GetCredentialType API that we saw earlier.
This tool is still using Python 2.7
MicroBurst
Azure services are available at specific domains and subdomains. We can enumerate if the target organization is using any of the services by looking for such subdomains. The tool that we will use for this is MicroBurst (https://github.com/NetSPI/MicroBurst). Microburst is a useful tool for security assessment of Azure. It uses Az, AzureAD, AzurRM and MSOL tools and additional REST API calls!
Enumerate all subdomains for an organization specified using the '-Base' parameter:
Last updated