-
-
Save jakuta-tech/5e10c2a6763e8127e63a4303449933e4 to your computer and use it in GitHub Desktop.
Azure Enum & Recon Cheat Sheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted | |
# Insert your domain environment variable below | |
$DOMAIN = "microsoft.com" | |
# Check the getuserrealm.srf endpoint for domain information | |
# Check autodiscover.$DOMAIN DNS entry | |
host autodiscover.$DOMAIN | |
# Note: Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com | |
# Test if domain is managed or not. Check if it's a Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed' | |
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | |
# Note: Look for NameSpaceType | |
# Return NameSpaceType - either "Unknown", "Managed", or "Federated" | |
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | jq -r '.NameSpaceType' | |
# Check for federation on the domain | |
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\xml\=1 | |
# Note: Look at <NameSpaceType> and <IsFederated> | |
# Get the TenantID for a managed domain | |
curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration | |
# Note: Look for the token endpoint. Example response: | |
# "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token | |
# '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId | |
# Check GetCredentialType endpoint for username enumeration | |
# Once on a managed domain, check individual users | |
# Credit and props to Brian Thomas for helping to validate this. Thanks Brian! | |
# Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType | |
# If it does, the 0 or 1 below is correct. IF it doesn't, unmanaged domains can return 0, leading to false positives | |
curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"user1@example.com"}' | jq '.IfExistsResult' | |
# Note: Checking the user: user1@example.com | |
# Response Codes | |
# 1 - User Does Not Exist on Azure as Identity Provider | |
# 0 - Account exists for domain using Azure as Identity Provider | |
# 5 - Account exists but uses different IdP other than Microsoft | |
# 6 - Account exists and is setup to use the domain and an IdP other than Microsoft | |
# ADFS Recon Google Dorks | |
inurl://adfs/ls/idpinitiatedsignon | |
inurl://adfs/oauth2/authorize |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment