Enumerate Users and Domains
Microsoft exposes a number of public APIs and well-known DNS suffixes that we can query during the enumeration phase.
Enumerating with Public APIs
These APIs can be used to find information about a tenant's domain names, whether a domain is federated or not, whether a specific user exists within the tenant, and related DNS records.
API | Information | AADInternals Function |
---|---|---|
`login.microsoftonline.com/<domain>/.well-known/openid-configuration` | Login information, including tenant ID | `Get-AADIntTenantID -Domain <domain>` |
`autodiscover-s.outlook.com/autodiscover/autodiscover.svc` | All domains of the tenant | `Get-AADIntTenantDomains -Domain <domain>` |
`login.microsoftonline.com/GetUserRealm.srf?login=<UserName>` | Login information of the tenant, including tenant name and domain authentication type | `Get-AADIntLoginInformation -UserName <UserName>` |
`login.microsoftonline.com/common/GetCredentialType` | Login information, including Desktop SSO information | `Get-AADIntLoginInformation -UserName <UserName>` |
AAD also has some pre-defined DNS suffixes we can use to verify whether a domain is using Azure: for example, if `something.blob.core.windows.net` exists, then we know that the `something` name is in use on Azure. We can see more suffixes here.
Another way to figure out if a domain is using AAD is to visit `https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1`.
If we know a tenant exists, we can get its tenant ID by visiting `https://login.microsoftonline.com/<domain>/.well-known/openid-configuration`.
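Added example (not code from the original page or from AADInternals): a small Python parser for the two responses the endpoints above return, run over constructed sample responses so it works offline. The openid-configuration sample follows the layout of the real document, where the tenant GUID is the first path segment of the `issuer` and OAuth2 endpoint URLs; the GetUserRealm XML samples use the field names `Get-AADIntLoginInformation` reports (`NameSpaceType`, `DomainName`, `AuthURL`), but their exact element layout is an assumption, and every GUID, domain and host in them is a placeholder. Run over your own domains, this is a quick way to see what these public endpoints disclose about a tenant: its ID, whether each domain is Managed or Federated, and which federation host is advertised.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of login.microsoftonline.com/<domain>/.well-known/openid-configuration.
# The GUID is a made-up placeholder, not a real tenant ID.
SAMPLE_OPENID_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/token",
    "issuer": "https://sts.windows.net/00000000-1111-2222-3333-444444444444/",
    "authorization_endpoint": "https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/authorize",
    "tenant_region_scope": "EU",
})

# Constructed samples of getuserrealm.srf?login=...&xml=1. Element names match the fields
# AADInternals reports; the exact layout is an assumption, and all values are placeholders.
SAMPLE_REALM_FEDERATED = """<RealmInfo Success="true">
  <Login>user@example.com</Login>
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>example.com</DomainName>
  <FederationBrandName>Example Corp</FederationBrandName>
  <AuthURL>https://sts.example.com/adfs/ls/?username=user%40example.com&amp;wa=wsignin1.0</AuthURL>
</RealmInfo>"""
SAMPLE_REALM_MANAGED = """<RealmInfo Success="true">
  <Login>user@example.onmicrosoft.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>example.onmicrosoft.com</DomainName>
</RealmInfo>"""
SAMPLE_REALM_UNKNOWN = """<RealmInfo Success="true">
  <Login>user@not-a-tenant.invalid</Login>
  <NameSpaceType>Unknown</NameSpaceType>
</RealmInfo>"""

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def tenant_id_from_openid_config(body: str) -> Optional[str]:
    """Pull the tenant GUID out of an openid-configuration document.

    The tenant ID is the first path segment of the issuer and of the OAuth2
    endpoints, so any of those URLs will do; return None if none carries a GUID.
    """
    doc = json.loads(body)
    for key in ("issuer", "token_endpoint", "authorization_endpoint"):
        url = doc.get(key)
        if not url:
            continue
        match = GUID_RE.search(urlparse(url).path)
        if match:
            return match.group(0).lower()
    return None


def classify_realm(body: str) -> dict:
    """Summarise a GetUserRealm XML response for one domain.

    NameSpaceType says whether AAD knows the domain at all and, if so, whether
    sign-in is handled by AAD itself (Managed) or by an external IdP (Federated).
    """
    root = ET.fromstring(body)
    ns_type = (root.findtext("NameSpaceType") or "Unknown").strip()
    summary = {
        "domain": root.findtext("DomainName"),
        "in_aad": ns_type in ("Managed", "Federated"),
        "auth_type": ns_type,
        "federation_host": None,
    }
    if ns_type == "Federated":
        # For federated domains the AuthURL host is the IdP the tenant trusts;
        # a defender should confirm it is one they actually operate.
        summary["federation_host"] = urlparse(root.findtext("AuthURL") or "").netloc or None
    return summary


if __name__ == "__main__":
    print("tenant id:", tenant_id_from_openid_config(SAMPLE_OPENID_CONFIG))
    for sample in (SAMPLE_REALM_FEDERATED, SAMPLE_REALM_MANAGED, SAMPLE_REALM_UNKNOWN):
        print(json.dumps(classify_realm(sample)))
```

To use it against live responses, fetch the two URLs for a domain you own and pass the response bodies to the two functions; the `Unknown` branch is what a domain that has never been registered in any tenant looks like.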
Subdomain enumeration
To perform subdomain enumeration we can use MicroBurst:

```powershell
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubdomains -Base something -Verbose
```
Generating a username wordlist
A nice website for generating a wordlist is hunter.io, which also returns the most common patterns used in the organisation's email address structure.
Resource groups enumeration
If we have a subscription ID, we can get more information about the resource groups contained in that subscription:

```powershell
# $at holds an access token obtained earlier with AADInternals
# enumerate resource groups under a subscription
Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId <id>
# enumerate VMs and which users have access to them
Get-AADIntAzureVMs
```