Enumerate Users and Domains

MS has a series of public APIs and DNS public suffixes that we can check during the enumeration phase.

Enumerating with Public APIs

These APIs can be used to find information about domain names, whether the domain is federated or not, if a specific user exists within the tenant and DNS records.

API	Information	AADInternals Function
login.microsoftonline.com/<domain>/.well-known/openid-configuration	Login information, including tenant ID	Get-AADIntTenantID -Domain <domain>
autodiscover-s.outlook.com/autodiscover/autodiscover.svc	All domains of the tenant	Get-AADIntTenantDomains -Domain <domain>
login.microsoftonline.com/GetUserRealm.srf?login=<UserName>	Login information of the tenant, including tenant Name and domain authentication type	Get-AADIntLoginInformation -UserName <UserName>
login.microsoftonline.com/common/GetCredentialType	Login information, including Desktop SSO information	Get-AADIntLoginInformation -UserName <UserName>

AAD also has some pre-defined DNS suffixes we can use to verify whether a domain is using Azure: for example if something.blog.core.windows.net exists then we know that the something domain uses Azure. We can see more suffixes here.

Another way to figure out if a domain is using AAD is to visit https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1.

If we know a tenant exists we can get its tenant ID by visiting https://login.microsoftonline.com/<domain>/.well-known/openid-configuration.

Subdomain enumeration

To perform subdomain enumeration we can use MicroBurst

Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubdomains -Base something -verbose

Generating a username wordlist

A nice website to generate a wordlist is hunter.io which also returns the most common patterns used in the email structure.

Resource groups enumeration

If we have a subscription ID we are able to get more information about the resource groups contained in the subscription

# enumerate resource groups under a subscription
Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId <id>
# enumerate VMs and what users have access to them
Get-AADIntAzureVMs

Other good tools for AAD enumeration

• Awesome Azure Pentest

• Cloud-Azure PayloadsAllTheThings

• AADInternals

• BlobHunter

• Cloud Enum

• MFASweep

• O365Recon

• AzureHound

• Custom Bloodhound Queries for Azure