Last active
April 15, 2024 19:53
-
-
Save iknowjason/ac3afb89a51e38603650b21f91626643 to your computer and use it in GitHub Desktop.
Azure Enum & Recon Cheat Sheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted | |
| # Insert your domain environment variable below | |
| DOMAIN="microsoft.com" | |
| # Check the getuserrealm.srf endpoint for domain information | |
| # Check autodiscover.$DOMAIN DNS entry | |
| host autodiscover.$DOMAIN | |
| # Note: Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com | |
| # Test if domain is managed or not. Check if it's a Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed' | |
| curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | |
| # Note: Look for NameSpaceType | |
| # Return NameSpaceType - either "Unknown", "Managed", or "Federated" | |
| curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | jq -r '.NameSpaceType' | |
| # Check for federation on the domain | |
| curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\xml\=1 | |
| # Note: Look at <NameSpaceType> and <IsFederated> | |
| # Get the TenantID for a managed domain | |
| curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration | |
| # Note: Look for the token endpoint. Example response: | |
| # "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token | |
| # '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId | |
| # Check GetCredentialType endpoint for username enumeration | |
| # Once on a managed domain, check individual users | |
| # Credit and props to Brian Thomas for helping to validate this. Thanks Brian! | |
| # Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType | |
| # If it does, the 0 or 1 below is correct. IF it doesn't, unmanaged domains can return 0, leading to false positives | |
| curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"user1@example.com"}' | jq '.IfExistsResult' | |
| # Note: Checking the user: user1@example.com | |
| # Response Codes | |
| #-1 An unknown error | |
| #0 The account exists, and uses that domain for authentication | |
| #1 The account doesn’t exist | |
| #2 The response is being throttled | |
| #4 Some server error | |
| #5 The account exists, but is set up to authenticate with a different identity provider. This could indicate the account is only used as a personal account | |
| #6 The account exists, and is set up to use both the domain and a different identity provider | |
| # ADFS Recon Google Dorks | |
| inurl://adfs/ls/idpinitiatedsignon | |
| inurl://adfs/oauth2/authorize |
I'm not sure what happened to their site, but yeah it looks like it went down over the weekend. Here is an archive:
Though its not an official source, this aligns to some of the results I've seen in testing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@Mike-Crowley I made the update to the gist. It's what I recall reading. But I still can't find an official reference.