Cookie's Red Team Recipe
test
Testing
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
    • Tools
      • Nuclei
      • GoWitness
    • Reflective DLL Injection
  • Cloud
    • General
      • Enumeration
        • JWT
        • SEC 588
        • Tools and Procedures
      • Containers
        • Docker
        • Kubernetes
    • Azure
      • Discovery
        • Mapping URLS
        • Snaffpoint
      • Initial Access
        • Password Spray
        • Illicit Consent Grant
        • App Service Abuse
          • Insecure File Upload
          • SSTI
          • OS Command Injection
        • Blob Storage
        • Evilginx3
      • Enumeration
        • MG Module
        • Az PowerShell
        • Azure CLI
        • Tokens
        • ROADTools
        • StormSpotter
        • AzureHound
      • Privilege Escalation
        • Automation Account
        • Managed Identity Command Execution
        • Key Vault
        • ARM Templates
        • Function App
      • Lateral Movement
        • Custom Script Extension
        • User Data
        • Pass The PRT
        • Endpoint Manager
        • Dynamic Groups
        • Application Proxy
        • Password Hash Sync
      • Persistance
        • Pass-Through Authentication
        • Seamless SSO
        • Federation
    • AWS
      • Discovery
        • Mapping URLs
        • Authentication
        • Username Harvesting
        • Password Spraying
        • Storage
        • Pacu
      • Enumeration
        • Scanning
        • Copy of Pacu
      • Privilege Escalation
        • Instance Metadata Service
        • Copy of Pacu
      • Lateral Movement
        • Userdata
        • Pacu
        • Callbacks and Shells
      • KMS
      • CI/CD
        • Deployment Pipeline
        • SSRF
        • Lambda
    • GCP
  • OSINT
    • Checklist
  • Web Applications
    • Checklist
    • Web Vulnerabilities
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Enumeration
  • Exploitation
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • Cobalt Strike
      • User Impersonation
        • Pass the Hash
        • Pass the Ticket
        • Overpass the Hash
        • Token Impersonation
        • Token Store
        • Make Token
        • Process Injection
      • Lateral Movement
        • Windows Remote Management
        • PsExec
        • Windows Management Instrumentation (WMI)
        • CoInitializeSecurity
        • DCOM
      • Kerberos
        • Kerberoasting
        • ASREP Roasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Alternate Service Name
        • S4U2Self Abuse
        • Resource-Based Constrained Delegation
        • Shadow Credentials
        • Kerberos Relay Attacks
      • Pivoting
        • SOCKS Proxies
        • Linux Tools For Proxies
        • Windows Tools For Proxies
        • Pivoting with Kerberos
        • Pivoting A Browser
        • Reverse Port Forwards
        • NTLM Relaying
        • Relaying WebDAV
      • AD Certificate Services
        • Find Certificate Authorities
        • Misconfigured Certificate Templates
        • NTLM Relaying to ADCS HTTP Endpoints
        • User & Computer Persistence
      • Group Policy
        • Modify Existing GPO
        • Create & Link a GPO
      • MS SQL Servers
        • MS SQL Impersonation
        • MS SQL Command Execution
        • MS SQL Lateral Movement
        • MS SQL Privilege Escalation
      • Configuration Manager
        • Enumeration
        • Network Access Account Credentials
        • Lateral Movement
      • Domain Dominance
        • Silver Tickets
        • Golden Ticket
        • Diamond Tickets
        • Forged Certificates
      • Forest & Domain Trusts
        • Parent/Child
        • One-Way Inbound
        • One-Way Outbound
      • LAPS (Local Administrator Password Solution)
        • Reading ms-Mcs-AdmPwd
        • Password Expiration Protection
        • LAPS Backdoors
  • Escalation
    • Windows
    • Linux
  • Report
    • Templates
  • Phishing
    • Techniques
      • Jscript
      • Word Document
        • Manual
        • Generated
      • HTML Smuggling
  • C2
    • Cobalt Strike
      • Starting
        • Profile
        • Artifact Kit Changes
        • Resource Kit Changes
        • Start CS as a Service
        • Manual AMSI Bypass
        • Set Anti-Behavioural Detections
        • Generating Payloads
        • Listener Management
        • Prepare For Command Line Detections
      • Tools
        • Application Whitelisting
          • Policy Enumeration
          • Writeable Paths
          • Binaries, Scripts, and Libraries
          • PowerShell CLM
          • Beacon DLL
        • Credentials
          • Credential Manager
          • Scheduled Task Credentials
        • Session Passing
          • Beacon Passing
          • Foreign Listener
          • Spawn & Inject
        • DCSync
        • Extracting Kerberos Tickets
        • Mimikatz
          • NTLM Hashes
          • Kerberos Encryption Keys
          • Security Account Manager
          • Domain Cached Credentials
        • Take Screenshot
        • Evading Windows Defender
          • Artifact Kit
          • Malleable C2
          • Resource Kit
          • AMSI vs Post-Exploitation
          • Manual AMSI Bypasses
          • Behavioural Detections
          • Parent/Child Relationships
          • Command Line Detections
        • Pivot Listeners
    • Sliver
      • Post-Exploitation
        • Proxy
    • Brute Ratel
    • Domains
    • Mythic
Powered by GitBook
On this page
  • AADInternals
  • o365creeper
  • MicroBurst
  1. Cloud
  2. Azure

Discovery

PreviousAzureNextMapping URLS

Last updated 3 months ago

Even if we only know the domain name or email addresses of the target organization

  • defcorphq

We can extract some interesting information:

– If the target organization uses Azure tenant

– Tenant ID

– Tenant name

– Authentication type (Federation or not)

– Domains

– Azure Services used by the target organization

– Guess email IDs

Context
Command
Example Output

Get if Azure tenant is in use, tenant name and Federation

Get the Tenant ID

https://login.microsoftonline.com/[DOMAIN]/.well- known/openid-configuration

Validate Email ID by sending requests to

AADInternals

Use AADInternals tool from for recon.

Import-Module C:\AzAD\Tools\AADInternals\AADInternals.psd1 -Verbose

1

Get tenant name, authentication, brand name (usually same as directory name) and domain name. The username can be even a non-existent one in the defcorphq tenant.

Get-AADIntLoginInformation -UserName root@defcorphq.onmicrosoft.com
2

Get tenant ID

Get-AADIntTenantID -Domain defcorphq.onmicrosoft.com
3

Get tenant domains

Get-AADIntTenantDomains -Domain defcorphq.onmicrosoft.com
Get-AADIntTenantDomains -Domain deffin.onmicrosoft.com
Get-AADIntTenantDomains -Domain microsoft.com
4

Get all information

Invoke-AADIntReconAsOutsider -DomainName defcorphq.onmicrosoft.com

o365creeper

Examples:
o365creeper.py -e test@example.com
o365creeper.py -f emails.txt
o365creeper.py -f emails.txt -o validemails.txt

This tool is still using Python 2.7

MicroBurst

Import-Module C:\AzAD\Tools\MicroBurst\MicroBurst.psm1 -Verbose
1

Enumerate all subdomains for an organization specified using the '-Base' parameter:

Invoke-EnumerateAzureSubDomains -Base defcorphq -Verbose

We can use o365creeper () to check if an email ID belongs to a tenant. It makes requests to the GetCredentialType API that we saw earlier.

Azure services are available at specific domains and subdomains. We can enumerate if the target organization is using any of the services by looking for such subdomains. The tool that we will use for this is MicroBurst (). Microburst is a useful tool for security assessment of Azure. It uses Az, AzureAD, AzurRM and MSOL tools and additional REST API calls!

https://github.com/Gerenios/AADInternals
https://github.com/LMGsec/o365creeper
https://github.com/NetSPI/MicroBurst
https://login.microsoftonline.com/getuserrealm.srf?login=%5bUSERNAME@DOMAIN%5d&xml=1
https://login.microsoftonline.com/common/GetCredentialType