Skip to content

Instantly share code, notes, and snippets.

@jakuta-tech
Forked from iknowjason/az-enum.sh
Created February 17, 2023 02:47
Show Gist options
  • Save jakuta-tech/5e10c2a6763e8127e63a4303449933e4 to your computer and use it in GitHub Desktop.
Save jakuta-tech/5e10c2a6763e8127e63a4303449933e4 to your computer and use it in GitHub Desktop.
Azure Enum & Recon Cheat Sheet
# Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted
# Insert your domain environment variable below
$DOMAIN = "microsoft.com"
# Check the getuserrealm.srf endpoint for domain information
# Check autodiscover.$DOMAIN DNS entry
host autodiscover.$DOMAIN
# Note: Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com
# Test if domain is managed or not. Check if it's a Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed'
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1
# Note: Look for NameSpaceType
# Return NameSpaceType - either "Unknown", "Managed", or "Federated"
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | jq -r '.NameSpaceType'
# Check for federation on the domain
curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\xml\=1
# Note: Look at <NameSpaceType> and <IsFederated>
# Get the TenantID for a managed domain
curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration
# Note: Look for the token endpoint. Example response:
# "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token
# '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId
# Check GetCredentialType endpoint for username enumeration
# Once on a managed domain, check individual users
# Credit and props to Brian Thomas for helping to validate this. Thanks Brian!
# Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType
# If it does, the 0 or 1 below is correct. IF it doesn't, unmanaged domains can return 0, leading to false positives
curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"user1@example.com"}' | jq '.IfExistsResult'
# Note: Checking the user: user1@example.com
# Response Codes
# 1 - User Does Not Exist on Azure as Identity Provider
# 0 - Account exists for domain using Azure as Identity Provider
# 5 - Account exists but uses different IdP other than Microsoft
# 6 - Account exists and is setup to use the domain and an IdP other than Microsoft
# ADFS Recon Google Dorks
inurl://adfs/ls/idpinitiatedsignon
inurl://adfs/oauth2/authorize
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment