Enumerate Users and Domains
Microsoft exposes a number of public, unauthenticated APIs and well-known DNS suffixes that can be checked during the enumeration phase.
These APIs reveal information about domain names, whether a domain is federated or not, whether a specific user exists within the tenant, and DNS records. Each entry below lists the endpoint, what it returns, and the equivalent cmdlet from the AADInternals PowerShell module.
Endpoint: login.microsoftonline.com/<domain>/.well-known/openid-configuration
Returns: login information, including the tenant ID
AADInternals: Get-AADIntTenantID -Domain <domain>

Endpoint: autodiscover-s.outlook.com/autodiscover/autodiscover.svc
Returns: all domains of the tenant
AADInternals: Get-AADIntTenantDomains -Domain <domain>

Endpoint: login.microsoftonline.com/GetUserRealm.srf?login=<UserName>
Returns: login information of the tenant, including the tenant name and the domain authentication type
AADInternals: Get-AADIntLoginInformation -UserName <UserName>

Endpoint: login.microsoftonline.com/common/GetCredentialType
Returns: login information, including Desktop SSO information
AADInternals: Get-AADIntLoginInformation -UserName <UserName>
AAD also has some pre-defined DNS suffixes we can use to verify whether a domain is using Azure: for example, if something.blob.core.windows.net resolves, then we know that the something domain uses Azure (here, an Azure Storage account). Other Azure services expose their own suffixes in the same way.
Another way to check whether a domain is using AAD is to visit https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1.
If we know a tenant exists, we can get its tenant ID by visiting https://login.microsoftonline.com/<domain>/.well-known/openid-configuration.
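As an added example (not code from the original page), the following Python parses constructed samples of the two responses discussed above, the openid-configuration document and the GetUserRealm.srf JSON, and reports what an unauthenticated caller learns: the tenant ID, whether the domain is known to Azure AD, and whether it is Managed or Federated. The sample bodies, the GUID and the example.com/example.org domains are constructed placeholders; run it against your own tenant's responses to inventory what they disclose.

```python
import json
import re
from typing import Any, Dict, Optional
from urllib.parse import urlparse

# Tenant IDs are GUIDs embedded in the issuer / token_endpoint URLs of the metadata document.
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample of a /.well-known/openid-configuration body; the GUID is a placeholder.
SAMPLE_OPENID_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
})

# Constructed samples of GetUserRealm.srf responses (without xml=1 the endpoint returns JSON)
# for a cloud-managed domain, a federated domain and a domain Azure AD does not know.
SAMPLE_REALMS = {
    "managed": json.dumps({"State": 3, "UserState": 2, "Login": "user@example.com",
                           "NameSpaceType": "Managed", "DomainName": "example.com",
                           "FederationBrandName": "Example Corp"}),
    "federated": json.dumps({"State": 3, "UserState": 2, "Login": "user@example.org",
                             "NameSpaceType": "Federated", "DomainName": "example.org",
                             "FederationBrandName": "Example Org",
                             "AuthURL": "https://adfs.example.org/adfs/ls/?wa=wsignin1.0"}),
    "unknown": json.dumps({"State": 4, "UserState": 1, "Login": "user@nonexistent.invalid",
                           "NameSpaceType": "Unknown"}),
}


def tenant_id_from_openid_config(body: str) -> Optional[str]:
    """Return the tenant GUID found in the issuer or token_endpoint URL, or None if absent."""
    cfg = json.loads(body)
    for key in ("issuer", "token_endpoint"):
        match = GUID_RE.search(cfg.get(key, ""))
        if match:
            return match.group(0).lower()
    return None


def realm_summary(body: str) -> Dict[str, Any]:
    """Summarise what GetUserRealm.srf discloses: is the domain in Azure AD, and is it
    Managed (cloud passwords) or Federated (AuthURL then reveals the on-prem IdP host)."""
    realm = json.loads(body)
    ns_type = realm.get("NameSpaceType", "Unknown")
    summary: Dict[str, Any] = {"domain": realm.get("DomainName"), "brand": realm.get("FederationBrandName"),
                               "in_azure_ad": ns_type in ("Managed", "Federated"),
                               "federated": ns_type == "Federated", "idp_host": None}
    if summary["federated"]:
        summary["idp_host"] = urlparse(realm.get("AuthURL", "")).hostname
    return summary
```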
To perform subdomain enumeration we can use
A nice website to generate a wordlist is which also returns the most common patterns used in the email structure.
If we have a subscription ID, we are able to get more information about the resource groups contained in the subscription.