Unauthenticated Enumeration

We are looking for potential entry points into the Azure tenant, using only what the target exposes to unauthenticated users.

Semi-Manual Checks

Some checks can be done by hand with a browser or curl:

# Check whether the organisation is on Azure AD
# - the user part of the login can be anything; only the domain is looked up
# - NameSpaceType: Managed or Federated means the domain is registered in Azure AD
#   (Managed = cloud authentication, Federated = redirected to an on-prem STS such as ADFS);
#   Unknown means it is not
 
https://login.microsoftonline.com/getuserrealm.srf?login=[email protected]&xml=1
 
# Get the tenant ID
# - the UUID in token_endpoint (and in issuer) is the tenant ID
https://login.microsoftonline.com/retailcorp.onmicrosoft.com/.well-known/openid-configuration
 
# Validate email addresses by POSTing {"Username":"<email>"} to the endpoint below
# - IfExistsResult 0 in the JSON response means the account exists, 1 means it does not
POST https://login.microsoftonline.com/common/GetCredentialType
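The two GET lookups above return XML and JSON that are easy to misread by eye. The following is an added example (not part of the original notes) that parses a getuserrealm.srf response into a Managed / Federated / Unknown verdict and pulls the tenant ID out of the openid-configuration token_endpoint. The sample responses, the domain retailcorp.onmicrosoft.com's brand name, the ADFS hostname and the UUID are constructed placeholders; only the response shapes follow the real endpoints. Pass a domain on the command line to run it live.

```python
"""Parse Azure AD's unauthenticated getuserrealm.srf and openid-configuration endpoints.

Added example, not from the original notes. The SAMPLE_* responses below are
constructed to match the documented response shapes; the brand, STS host and
tenant UUID are placeholders.
"""
import json
import re
import xml.etree.ElementTree as ET

LOGIN = "https://login.microsoftonline.com"
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Constructed: Managed (cloud-only) domain.
SAMPLE_REALM_XML = (
    '<RealmInfo Success="true"><State>3</State><UserState>2</UserState>'
    '<Login>anything@retailcorp.onmicrosoft.com</Login>'
    '<NameSpaceType>Managed</NameSpaceType>'
    '<DomainName>retailcorp.onmicrosoft.com</DomainName>'
    '<FederationBrandName>Retail Corp</FederationBrandName>'
    '<CloudInstanceName>microsoftonline.com</CloudInstanceName></RealmInfo>'
)
# Constructed: Federated domain (authentication redirected to an on-prem STS).
SAMPLE_FEDERATED_XML = (
    '<RealmInfo Success="true"><State>3</State><UserState>2</UserState>'
    '<Login>anything@fed.example.invalid</Login>'
    '<NameSpaceType>Federated</NameSpaceType>'
    '<DomainName>fed.example.invalid</DomainName>'
    '<FederationBrandName>Fed Example</FederationBrandName>'
    '<AuthURL>https://adfs.example.invalid/adfs/ls/</AuthURL></RealmInfo>'
)
# Constructed: domain not registered in any Azure AD tenant.
SAMPLE_UNKNOWN_XML = (
    '<RealmInfo Success="true"><State>4</State><UserState>1</UserState>'
    '<Login>anything@nowhere.example.invalid</Login>'
    '<NameSpaceType>Unknown</NameSpaceType></RealmInfo>'
)
# Constructed openid-configuration excerpt; the UUID is a placeholder tenant ID.
SAMPLE_OPENID_JSON = json.dumps({
    "token_endpoint": f"{LOGIN}/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
})


def realm_url(domain):
    # The user part is irrelevant; the service only looks up the domain.
    return f"{LOGIN}/getuserrealm.srf?login=anything@{domain}&xml=1"


def openid_url(domain):
    return f"{LOGIN}/{domain}/.well-known/openid-configuration"


def parse_user_realm(xml_text):
    """Turn the RealmInfo XML into a dict with an explicit in_azure_ad verdict."""
    root = ET.fromstring(xml_text)
    ns_type = root.findtext("NameSpaceType") or "Unknown"
    return {
        "namespace_type": ns_type,
        "domain": root.findtext("DomainName"),
        "brand": root.findtext("FederationBrandName"),
        # Managed and Federated both mean the domain lives in a tenant;
        # Unknown means no tenant claims it.
        "in_azure_ad": ns_type in ("Managed", "Federated"),
        "federated": ns_type == "Federated",
        "sts": root.findtext("AuthURL"),  # only present for Federated domains
    }


def tenant_id_from_openid(json_text):
    """Extract the tenant UUID embedded in token_endpoint."""
    cfg = json.loads(json_text)
    match = UUID_RE.search(cfg.get("token_endpoint", ""))
    if not match:
        raise ValueError("token_endpoint contains no tenant UUID")
    return match.group(0).lower()


def fetch(url):
    """Live GET; only used when a domain is given on the command line."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        print(parse_user_realm(fetch(realm_url(domain))))
        print(tenant_id_from_openid(fetch(openid_url(domain))))
    else:
        for sample in (SAMPLE_REALM_XML, SAMPLE_FEDERATED_XML, SAMPLE_UNKNOWN_XML):
            print(parse_user_realm(sample))
        print(tenant_id_from_openid(SAMPLE_OPENID_JSON))
```

For a Federated domain the AuthURL is the on-prem STS (often ADFS), which is itself worth recording: it is an externally reachable authentication endpoint of the target, not of Microsoft.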

Using AADInternals

Import-Module .\AADInternals\AADInternals.psd1
 
Invoke-AADIntReconAsOutsider -DomainName defcorphq.onmicrosoft.com
Tenant brand:       Defense Corporation
Tenant name:        defcorphq
Tenant id:          2d50cb29-5f7b-48a4-87ce-fe75a941adb6
DesktopSSO enabled: False
 
 
Name  : defcorphq.onmicrosoft.com
DNS   : True
MX    : True
SPF   : True
DMARC : False
Type  : Managed
STS   :

Enumerate subdomains (using MicroBurst)

# Try to find subdomains for the base name across Azure service suffixes (slow; many DNS lookups)
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base defcorp -Verbose

Enumerate Blob Storage (using MicroBurst)

PS C:\AzAD\Tools\MicroBurst> Invoke-EnumerateAzureBlobs -base defcorp
Found Storage Account -  defcorpcodebackup.blob.core.windows.net
Found Storage Account -  defcorpcommon.blob.core.windows.net
Found Container - defcorpcommon.blob.core.windows.net/backup
        Empty Public Container Available: https://defcorpcommon.blob.core.windows.net/backup?restype=container&comp=list
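What MicroBurst is doing above is guessing storage account names from the base word, then asking each guessed container for a listing with ?restype=container&comp=list; a container is "public" when that request answers with an EnumerationResults document instead of an error. The following is an added example (not MicroBurst's code) that builds the candidate names under Azure's storage-account naming rule, builds the listing URL, and parses the listing so an empty public container (as in the output above) is distinguished from one holding files. The permutation words, container names and XML responses are constructed.

```python
"""Storage account guessing and container-listing parsing behind MicroBurst's blob check.

Added example, not MicroBurst's code. WORDS, CONTAINERS and the SAMPLE_*
responses are constructed; MicroBurst ships its own permutation lists.
"""
import re
import socket
import xml.etree.ElementTree as ET

WORDS = ["", "backup", "common", "code", "dev", "prod", "data"]   # constructed
CONTAINERS = ["backup", "public", "files", "$web"]                 # constructed
ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")  # Azure storage account naming rule

# Constructed listing of a public container with two blobs.
SAMPLE_LISTING = (
    '<EnumerationResults ServiceEndpoint="https://defcorpcommon.blob.core.windows.net/" '
    'ContainerName="backup"><Blobs>'
    '<Blob><Name>db.bak</Name><Properties><Content-Length>1024</Content-Length></Properties></Blob>'
    '<Blob><Name>web.config</Name><Properties><Content-Length>512</Content-Length></Properties></Blob>'
    '</Blobs><NextMarker /></EnumerationResults>'
)
# Constructed listing of a public but empty container.
SAMPLE_EMPTY = (
    '<EnumerationResults ServiceEndpoint="https://defcorpcommon.blob.core.windows.net/" '
    'ContainerName="backup"><Blobs /><NextMarker /></EnumerationResults>'
)
# Constructed error returned for a private or missing container.
SAMPLE_ERROR = (
    '<Error><Code>ResourceNotFound</Code>'
    '<Message>The specified resource does not exist.</Message></Error>'
)


def candidate_accounts(base):
    """Base word combined with each permutation word, filtered to valid account names."""
    names = set()
    for word in WORDS:
        for name in (base + word, word + base):
            if ACCOUNT_RE.match(name):
                names.add(name)
    return sorted(names)


def account_host(account):
    return f"{account}.blob.core.windows.net"


def account_exists(account):
    """Live check: a storage account exists iff its blob hostname resolves."""
    try:
        socket.gethostbyname(account_host(account))
        return True
    except socket.gaierror:
        return False


def container_list_url(account, container):
    return f"https://{account_host(account)}/{container}?restype=container&comp=list"


def parse_container_listing(xml_text):
    """Return (is_public, blob_names).

    Anonymous listing only succeeds when the container's public access level
    allows it; otherwise the service answers with an <Error> document.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "EnumerationResults":
        return False, []
    return True, [blob.findtext("Name") for blob in root.iter("Blob")]


if __name__ == "__main__":
    for account in candidate_accounts("defcorp"):
        for container in CONTAINERS:
            print(container_list_url(account, container))
    for sample in (SAMPLE_LISTING, SAMPLE_EMPTY, SAMPLE_ERROR):
        print(parse_container_listing(sample))
```

An empty public listing still matters: the container's access level is misconfigured, and anything written there later is world-readable.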

validate email addresses (using o365creeper)

o365creeper is a Python 2.7 script, so run it with python2 rather than python3. The input file must contain full email addresses (user@domain), one per line; the tool POSTs each one to the GetCredentialType endpoint described above and reports VALID when IfExistsResult is 0.

PS C:\AzAD\Tools> C:\Python27\python.exe .\o365creeper\o365creeper.py -f C:\users\studentuser64\Documents\emails.txt
[email protected] - VALID
[email protected] - VALID
[email protected] - INVALID
[email protected] - INVALID
[email protected] - INVALID
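Both the manual GetCredentialType check above and the o365creeper run do the same thing: POST one JSON body per address and read IfExistsResult. The following is an added Python 3 example (not o365creeper's code, which is Python 2) that wraps that check so it can be run offline against constructed responses or live against the real endpoint by swapping the fetcher. The sample addresses and responses are constructed; the IfExistsResult codes other than 0 and 1 (5 and 6) follow the mapping used by public tooling, and the ThrottleStatus handling is an assumption noted in the code.

```python
"""Email validation via GetCredentialType, offline or live.

Added example, not o365creeper's code. SAMPLE_RESPONSES are constructed.
"""
import json

GCT_URL = "https://login.microsoftonline.com/common/GetCredentialType"

# IfExistsResult meanings: 0 and 1 are the documented-in-practice core cases;
# 5 and 6 are the values public tools treat as "exists via another IdP / both".
EXISTS_CODES = {0: "VALID", 1: "INVALID", 5: "VALID (other IdP)", 6: "VALID (both)"}

# Constructed responses keyed by address; anything else is answered as INVALID.
SAMPLE_RESPONSES = {
    "alice@defcorphq.onmicrosoft.com": '{"IfExistsResult":0,"ThrottleStatus":0}',
    "bob@defcorphq.onmicrosoft.com": '{"IfExistsResult":0,"ThrottleStatus":0}',
    "nobody@defcorphq.onmicrosoft.com": '{"IfExistsResult":1,"ThrottleStatus":0}',
}


def credential_type_request(email):
    """Return (url, json body). The minimal body is just the Username."""
    return GCT_URL, json.dumps({"Username": email})


def classify(response_text):
    """Map one GetCredentialType response to a verdict string."""
    data = json.loads(response_text)
    # Assumption: a non-zero ThrottleStatus means the reply is not trustworthy
    # and the address should be retried later rather than marked INVALID.
    if data.get("ThrottleStatus", 0):
        return "THROTTLED"
    return EXISTS_CODES.get(data.get("IfExistsResult"), "UNKNOWN")


def validate_emails(emails, fetcher):
    """fetcher(url, body) -> response text; results keep input order."""
    return {email: classify(fetcher(*credential_type_request(email))) for email in emails}


def offline_fetch(url, body):
    """Stand-in for the network: answers from SAMPLE_RESPONSES."""
    email = json.loads(body)["Username"]
    return SAMPLE_RESPONSES.get(email, '{"IfExistsResult":1,"ThrottleStatus":0}')


def live_fetch(url, body):
    """Real POST to GetCredentialType; use a slow rate to avoid throttling."""
    import urllib.request
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def read_email_file(path):
    """One full address per line, blank lines ignored (same input shape as o365creeper)."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


if __name__ == "__main__":
    import sys
    emails = read_email_file(sys.argv[1]) if len(sys.argv) > 1 else list(SAMPLE_RESPONSES)
    fetcher = live_fetch if len(sys.argv) > 1 else offline_fetch
    for email, verdict in validate_emails(emails, fetcher).items():
        print(f"{email} - {verdict}")
```

Treat THROTTLED as "ask again later", not as a negative result: a burst of requests from one source can make every address look invalid.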