Recon

The goal of external recon for Azure/O365 environments should be to determine the following about a client:

  • Tenant ID
  • Tenant name
  • Azure services, such as storage accounts and associated containers
  • Valid email addresses/IDs

Automated Recon

The AADInternals PowerShell module can handle the majority of external recon about a tenant. There is an online version of the basic recon cmdlet hosted at https://osint.aadinternals.com/.

# Full recon
Invoke-AADIntReconAsOutsider -DomainName jotter.onmicrosoft.com

# Tenant name, authentication type, domain name
Get-AADIntLoginInformation -UserName root@defcorphq.onmicrosoft.com

# Tenant ID
Get-AADIntTenantID -Domain defcorphq.onmicrosoft.com

MicroBurst enumerates Azure services by looking up service-specific subdomains for a given base name.

# DO NOT INCLUDE TLD
Invoke-EnumerateAzureSubDomains -Base jotter -Verbose
Invoke-EnumerateAzureBlobs -Base jotter

Discovering a publicly accessible storage account is only the first step: reaching its blobs or files additionally requires enumerating the account's container names. Basicblobfinder is a straightforward tool for this.

You can confirm which tenant a storage account belongs to by checking the tenant ID returned in the response headers of a curl request.

# Edit namelist.txt
storageaccountname:containername

# Spray
python3 basicblobfinder.py namelist.txt

# Confirming attribution via Tenant ID in headers
curl -v -X GET "https://mystorageaccount.blob.core.windows.net" -H "x-ms-version: 2019-12-12"
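The attribution check above, as an added example (my own code, not from the page or any of the tools it lists): parse the bearer challenge in the response's WWW-Authenticate header, extract the tenant GUID, and compare it with the tenant ID obtained earlier. The sample responses are constructed, with a placeholder tenant GUID, and assume the challenge has the authorization_uri form shown.

```python
import re

# Bearer challenge Azure Storage returns for an unauthenticated request that
# carries a recent x-ms-version; the tenant GUID sits in authorization_uri.
_CHALLENGE_RE = re.compile(
    r'authorization_uri="?https://login\.microsoftonline\.com/'
    r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/oauth2/authorize"
)


def parse_headers(raw_response: str) -> dict:
    """Split a raw HTTP response (status line + headers) into a lowercase-keyed dict."""
    head = re.split(r"\r?\n\r?\n", raw_response, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)  # first colon only; values contain "https:"
            headers[name.strip().lower()] = value.strip()
    return headers


def tenant_id_from_response(raw_response: str):
    """Return the tenant GUID advertised in WWW-Authenticate, or None if no challenge."""
    challenge = parse_headers(raw_response).get("www-authenticate", "")
    m = _CHALLENGE_RE.search(challenge)
    return m.group(1).lower() if m else None


def attributed_to(raw_response: str, expected_tenant: str) -> bool:
    """True only when the challenge names the expected tenant (GUID compared case-insensitively)."""
    found = tenant_id_from_response(raw_response)
    return found is not None and found == expected_tenant.lower()


# Constructed sample responses (not real captures); the tenant GUID is a placeholder.
SAMPLE_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/"
    "11111111-2222-3333-4444-555555555555/oauth2/authorize resource_id=https://storage.azure.com\r\n"
    "x-ms-version: 2019-12-12\r\n\r\n"
)
SAMPLE_NO_CHALLENGE = (  # response without a bearer challenge: attribution is not possible
    "HTTP/1.1 400 Bad Request\r\n"
    "x-ms-error-code: InvalidUri\r\n\r\n"
)

if __name__ == "__main__":
    print(tenant_id_from_response(SAMPLE_CHALLENGE))     # 11111111-2222-3333-4444-555555555555
    print(tenant_id_from_response(SAMPLE_NO_CHALLENGE))  # None
```

Feed it the raw output of the curl -v request above (status line plus headers) and compare the result with the tenant ID from Get-AADIntTenantID.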

TREVORspray is a great tool to enumerate valid emails via OneDrive. Keep in mind that not all users in an Entra tenant may have OneDrive, but these are typically your most important targets regardless.

trevorspray --recon evilcorp.com -u emails.txt --threads 10
