Azure Enum & Recon Cheat Sheet
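# Prompt for the target domain and a username; every check below uses the
# two values verbatim. printf is used for the prompts because bash's echo
# does not interpret \033 without -e, so the colour codes were printed
# literally. read -r keeps backslashes in the input as typed.
printf '\033[1;32mEnter the domain to perform reconnaissance on:\033[0m\n'
read -r DOMAIN
printf '\033[1;32mEnter a username for credential type check:\033[0m\n'
read -r USERNAME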
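#######################################
# Print a message in an ANSI colour, then reset the terminal attributes.
# Arguments: $1 - SGR parameter string, e.g. "1;34"
#            $* - message text; backslash escapes such as \n are honoured
#                 because the text is printed through %b
# Outputs:   the coloured message and a trailing newline on stdout
#######################################
print_color() {
  local color=$1
  shift
  # The message is passed as an argument, not as the format string, so a
  # literal '%' in the text is printed rather than read as a conversion.
  printf '\e[%sm%b\e[0m\n' "$color" "$*"
}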
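# --- Tenant / realm discovery ----------------------------------------------
# getuserrealm.srf is fetched once in JSON form and once in XML form and the
# result reused, instead of requesting the same JSON document three times.
# The domain is sent with --data-urlencode rather than pasted into the URL so
# characters such as '&' or '#' in the input cannot change the query string.
print_color "1;34" "Checking getuserrealm.srf endpoint for domain information..."
realm_json=$(curl -s -G --data-urlencode "login=$DOMAIN" --data-urlencode "json=1" \
  "https://login.microsoftonline.com/getuserrealm.srf")
curl_result=$(jq . <<<"$realm_json")
echo "User Realm Information:"
echo "$curl_result"

# autodiscover.<domain> DNS entry
print_color "1;34" "Checking autodiscover.$DOMAIN DNS entry..."
autodiscover_result=$(host "autodiscover.$DOMAIN")
echo "Autodiscover DNS Entry:"
echo "$autodiscover_result"

# Managed/federated status comes from the same realm document; reuse it.
# The NameSpaceType field is 'Unknown', 'Federated' or 'Managed'.
print_color "1;34" "Testing if the domain is managed or not..."
managed_result=$curl_result
echo "Managed Status:"
echo "$managed_result"

# NameSpaceType - either "Unknown", "Managed", or "Federated"
print_color "1;34" "Getting NameSpaceType for the domain..."
namespace_type=$(jq -r '.NameSpaceType' <<<"$realm_json")
echo "NameSpaceType: $namespace_type"

# Federation check via the XML form of the same endpoint.
print_color "1;34" "Checking for federation on the domain..."
federation_output=$(curl -s -G --data-urlencode "login=$DOMAIN" --data-urlencode "xml=1" \
  "https://login.microsoftonline.com/getuserrealm.srf")
# xmllint diagnostics are silenced on purpose: a non-XML reply (error page,
# empty body) leaves the variables empty and they are printed as such.
namespace_type=$(xmllint --xpath '//NameSpaceType/text()' - 2>/dev/null <<<"$federation_output")
is_federated_ns=$(xmllint --xpath '//IsFederatedNS/text()' - 2>/dev/null <<<"$federation_output")
echo "NameSpaceType: $namespace_type"
echo "IsFederatedNS: $is_federated_ns"
# Note: Look at NameSpaceType and IsFederated

# TenantID for a managed domain: token_endpoint has the form
# https://login.microsoftonline.com/<tenant>/..., so the tenant is the 4th
# '/'-separated field.
print_color "1;34" "Getting the TenantID for a managed domain..."
tenant_id=$(curl -s "https://login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration" \
  | jq -r '.token_endpoint' | cut -d'/' -f4)
echo "TenantID: $tenant_id"
# Note: Look for the token endpoint.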
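# GetCredentialType endpoint for username enumeration.
# The JSON body is built with jq --arg so a quote or backslash in USERNAME or
# DOMAIN is escaped instead of breaking (or altering) the document that was
# previously assembled by string interpolation.
print_color "1;34" "Checking GetCredentialType endpoint for username enumeration..."
credential_payload=$(jq -cn --arg u "$USERNAME@$DOMAIN" '{Username: $u}')
credential_result=$(curl -s -X POST "https://login.microsoftonline.com/common/GetCredentialType" \
  --data "$credential_payload" | jq '.IfExistsResult')
echo "Credential Type Result for $USERNAME@$DOMAIN:"
echo "$credential_result"
# Note: Checking the user: $USERNAME@$DOMAIN
# Response Codes (IfExistsResult)
# 1 - User Does Not Exist on Azure as Identity Provider
# 0 - Account exists for the domain using Azure as Identity Provider
# 5 - Account exists but uses a different IdP other than Microsoft
# 6 - Account exists and is set up to use the domain and an IdP other than Microsoft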
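# TXT records for the domain. nslookup returns every TXT record, not only the
# SPF policy (the one beginning "v=spf1"); the output is printed unfiltered.
# DOMAIN is quoted so it is passed as exactly one argument.
print_color "1;34" "Checking SPF record for the domain..."
spf_record=$(nslookup -type=txt "$DOMAIN")
echo "SPF Record:"
echo "$spf_record"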
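# TCP connect check on a fixed list of ports using bash's /dev/tcp.
# DOMAIN and the port are handed to the inner shell as positional parameters
# instead of being interpolated into the -c string, so shell metacharacters
# in the typed domain are never executed as commands. A connect that takes
# longer than one second is reported as closed, same as before.
print_color "1;34" "Checking for open ports on the domain (common ports)..."
for port in 80 443 21 22 25 3389; do
  if timeout 1 bash -c '</dev/tcp/$1/$2' _ "$DOMAIN" "$port"; then
    print_color "1;32" "Port $port open"
  else
    print_color "1;31" "Port $port closed"
  fi
done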
# ADFS Recon Google Dorks: two fixed search strings, printed one per line.
print_color "1;34" "\nADFS Recon Google Dorks:"
printf '%s\n' "inurl://adfs/ls/idpinitiatedsignon" "inurl://adfs/oauth2/authorize"
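# SMB / NetBIOS information via enum4linux. DOMAIN is quoted so the tool
# receives it as a single argument; the tool's full output is printed.
print_color "1;34" "Checking for NetBIOS information..."
enum4linux_result=$(enum4linux "$DOMAIN")
echo "NetBIOS Information:"
echo "$enum4linux_result"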
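#######################################
# Run one LDAP search (simple bind, no credentials) against DOMAIN and list
# the sAMAccountName values of the matching objects. The three enumeration
# steps below shared this exact pipeline, so it lives in one place.
# Globals:   DOMAIN (read)
# Arguments: $1 - objectClass to filter on (user, group or computer)
# Outputs:   one sAMAccountName per line on stdout
#######################################
ldap_names() {
  local object_class=$1
  # NOTE(review): the search base is "dc=$DOMAIN", unchanged from the
  # original. A base DN usually carries one dc= component per label of the
  # domain, so confirm this matches the directory before trusting empty
  # results.
  ldapsearch -LLL -x -H "ldap://$DOMAIN" -b "dc=$DOMAIN" \
    "(objectClass=$object_class)" sAMAccountName \
    | grep "sAMAccountName:" | cut -d" " -f2
}

# Enumerate Active Directory users using LDAP
print_color "1;34" "Enumerating Active Directory users using LDAP..."
ldap_users=$(ldap_names user)
echo "LDAP Users:"
echo "$ldap_users"

# Enumerate Active Directory groups using LDAP
print_color "1;34" "Enumerating Active Directory groups using LDAP..."
ldap_groups=$(ldap_names group)
echo "LDAP Groups:"
echo "$ldap_groups"

# Enumerate Active Directory computers using LDAP
print_color "1;34" "Enumerating Active Directory computers using LDAP..."
ldap_computers=$(ldap_names computer)
echo "LDAP Computers:"
echo "$ldap_computers"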