🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  • Enumerating with Public APIs
  • Subdomain enumeration
  • Generating a username wordlist
  • Resource groups enumeration
  • Other good tools for AAD enumeration
  1. Notes
  2. AAD

Enumerate Users and Domains

PreviousOverview of Azure & M365NextPost-exploitation Reconnaissance

Last updated 1 year ago

MS has a series of public APIs and DNS public suffixes that we can check during the enumeration phase.

Enumerating with Public APIs

These APIs can be used to find information about domain names, whether the domain is federated or not, if a specific user exists within the tenant and DNS records.

API
Information
AADInternals Function

login.microsoftonline.com/<domain>/.well-known/openid-configuration

Login information, including tenant ID

Get-AADIntTenantID -Domain <domain>

autodiscover-s.outlook.com/autodiscover/autodiscover.svc

All domains of the tenant

Get-AADIntTenantDomains -Domain <domain>

login.microsoftonline.com/GetUserRealm.srf?login=<UserName>

Login information of the tenant, including tenant Name and domain authentication type

Get-AADIntLoginInformation -UserName <UserName>

login.microsoftonline.com/common/GetCredentialType

Login information, including Desktop SSO information

Get-AADIntLoginInformation -UserName <UserName>

AAD also has some pre-defined DNS suffixes we can use to verify whether a domain is using Azure: for example if something.blog.core.windows.net exists then we know that the something domain uses Azure. We can see more suffixes .

Another way to figure out if a domain is using AAD is to visit https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1.

If we know a tenant exists we can get its tenant ID by visiting https://login.microsoftonline.com/<domain>/.well-known/openid-configuration.

Subdomain enumeration

To perform subdomain enumeration we can use 

Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubdomains -Base something -verbose

Generating a username wordlist

A nice website to generate a wordlist is which also returns the most common patterns used in the email structure.

Resource groups enumeration

If we have a subscription ID we are able to get more information about the resource groups contained in the subscription

# enumerate resource groups under a subscription
Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId <id>
# enumerate VMs and what users have access to them
Get-AADIntAzureVMs

Other good tools for AAD enumeration

here
MicroBurst
hunter.io
Awesome Azure Pentest
Cloud-Azure PayloadsAllTheThings
AADInternals
BlobHunter
Cloud Enum
MFASweep
O365Recon
AzureHound
Custom Bloodhound Queries for Azure