# Enumerate Users and Domains

Microsoft exposes a number of public, unauthenticated endpoints and a set of well-known DNS suffixes that can be checked during the enumeration phase.

### Enumerating with Public APIs

These endpoints can be used to find information about domain names: whether a domain is federated or not, whether a specific user exists within the tenant, and related DNS records.

|                                  API                                  |                                      Information                                      |               AADInternals Function               |
| :-------------------------------------------------------------------: | :-----------------------------------------------------------------------------------: | :-----------------------------------------------: |
| `login.microsoftonline.com/<domain>/.well-known/openid-configuration` |                         Login information, including tenant ID                        |       `Get-AADIntTenantID -Domain <domain>`       |
|       `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`      |                               All domains of the tenant                               |     `Get-AADIntTenantDomains -Domain <domain>`    |
|     `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>`     | Login information of the tenant, including tenant Name and domain authentication type | `Get-AADIntLoginInformation -UserName <UserName>` |
|          `login.microsoftonline.com/common/GetCredentialType`         |                  Login information, including Desktop SSO information                 | `Get-AADIntLoginInformation -UserName <UserName>` |

Azure also has pre-defined DNS suffixes we can use to verify whether an organization is using Azure: for example, if `something.blob.core.windows.net` resolves, then a storage account named `something` exists in Azure, which suggests that the organization behind that name uses Azure. More suffixes are listed [here](https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-domains).

Another way to figure out whether a domain is backed by AAD is to visit `https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1`.

If we know a tenant exists we can get its tenant ID by visiting `https://login.microsoftonline.com/<domain>/.well-known/openid-configuration`.
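The two checks above can be combined into a single lookup that reports what a domain publicly discloses, which is also a useful self-assessment for a tenant you administer. The following PowerShell function is an added example and is not part of the original notes or of AADInternals: only the two endpoint URLs come from the notes; the function name `Get-TenantExposure`, the `placeholder@` login name and the output shape are my own choices. It assumes the `NameSpaceType` and `AuthURL` fields of the GetUserRealm JSON response and the `issuer` field of the openid-configuration response, which is where the tenant ID appears.

```powershell
# Added example (not from the original notes or from AADInternals):
# query the two public login.microsoftonline.com endpoints described above
# for one domain and summarise what they expose.
function Get-TenantExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain
    )

    $result = [ordered]@{
        Domain        = $Domain
        NameSpaceType = $null   # Managed, Federated or Unknown
        TenantId      = $null
        FederationUrl = $null   # only set for federated domains
    }

    # GetUserRealm only needs a syntactically valid address in the domain;
    # the local part does not have to be an existing user (assumption: the
    # JSON response carries NameSpaceType and, for federated domains, AuthURL).
    $realmUri = "https://login.microsoftonline.com/getuserrealm.srf?login=placeholder@$Domain"
    try {
        $realm = Invoke-RestMethod -Uri $realmUri -Method Get
        $result.NameSpaceType = $realm.NameSpaceType
        if ($realm.NameSpaceType -eq 'Federated') {
            $result.FederationUrl = $realm.AuthURL
        }
    } catch {
        Write-Warning "GetUserRealm lookup failed for ${Domain}: $($_.Exception.Message)"
    }

    # openid-configuration resolves only for domains registered in some tenant;
    # an unknown domain returns HTTP 400 (invalid_tenant), which lands in catch.
    $oidcUri = "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    try {
        $oidc = Invoke-RestMethod -Uri $oidcUri -Method Get
        # The issuer has the form https://sts.windows.net/<tenant-id>/ ; pull out the GUID.
        if ($oidc.issuer -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') {
            $result.TenantId = $Matches[1]
        }
    } catch {
        Write-Warning "openid-configuration lookup failed for ${Domain}: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage: run against a domain you administer to see what it discloses publicly.
Get-TenantExposure -Domain 'contoso.com'
```

A `NameSpaceType` of `Unknown` together with a failed openid-configuration lookup means the domain is not registered in any tenant; `Federated` with a populated `FederationUrl` tells you which identity provider the tenant hands logins to, which is worth confirming against your own records.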

### Subdomain enumeration

To perform subdomain enumeration we can use [MicroBurst](https://github.com/NetSPI/MicroBurst.git).

```powershell
Import-Module .\MicroBurst.psm1
# -Base is the name that gets prefixed to the known Azure DNS suffixes
Invoke-EnumerateAzureSubdomains -Base something -Verbose
```

### Generating a username wordlist

A nice website to generate a wordlist is [hunter.io](https://hunter.io) which also returns the most common patterns used in the email structure.

### Resource groups enumeration

If we have a subscription ID and an access token for Azure management, we can get more information about the resource groups contained in the subscription.

```powershell
# $at holds an access token for Azure management obtained earlier
# enumerate resource groups under a subscription
Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId <id>
# enumerate VMs and which users have access to them
Get-AADIntAzureVMs
```

### Other good tools for AAD enumeration

* [Awesome Azure Pentest](https://github.com/Kyuu-Ji/Awesome-Azure-Pentest#enumeration)
* [Cloud-Azure PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md)
* [AADInternals](https://o365blog.com/aadinternals/)
* [BlobHunter](https://github.com/cyberark/blobhunter)
* [Cloud Enum](https://github.com/initstring/cloud_enum)
* [MFASweep](https://github.com/dafthack/MFASweep)
* [O365Recon](https://github.com/nyxgeek/o365recon)
* [AzureHound](https://github.com/BloodHoundAD/AzureHound)
* [Custom BloodHound Queries for Azure](https://github.com/hausec/Bloodhound-Custom-Queries)
