l33t-En0ugh

Pentesting Azure Active Directory


Last updated 3 years ago

Unauthenticated Recon

User Email Enumeration

python3 onedrive_enum.py -U users.txt -d companyname.com -v 

If the output URLs return 404 File Not Found, the user is bad/invalid.

If the request redirects to the sign-in page, it is a valid user account.

Valid Email Enumeration

python3 o365creeper.py -e test@email.com
python3 o365creeper.py -f email-list.txt -o validated-out-file.txt

Cloud Enum

python3 cloud_enum.py -k tesla --disable-aws --disable-gcp

Password Spraying

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\mails.txt.txt -Password P@ssword123
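
What a spray like the one above looks like from the tenant's sign-in logs, as an added detection example (not from the original page or from the MSOLSpray project). The record field names, sample data and thresholds are assumptions made for illustration; real Entra ID sign-in logs carry the same information under their own field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID (Azure AD) sign-in error codes typically left behind by a spray.
SPRAY_ERRORS = {
    50126: "invalid username or password",
    50034: "user does not exist in the directory",
    50053: "account locked (smart lockout)",
}

# Constructed sample data (not real logs): time, user, source IP, error code (0 = success).
_RAW = [
    ("09:00:05", "alice", "203.0.113.7", 50126),   # one source, many users, seconds apart
    ("09:00:09", "bob", "203.0.113.7", 50126),
    ("09:00:14", "carol", "203.0.113.7", 50053),
    ("09:00:20", "dave", "203.0.113.7", 50126),
    ("09:00:26", "ghost", "203.0.113.7", 50034),
    ("09:05:00", "bob", "198.51.100.20", 50126),   # one user mistyping, then succeeding
    ("09:05:30", "bob", "198.51.100.20", 50126),
    ("09:06:10", "bob", "198.51.100.20", 0),
    ("08:00:00", "alice", "192.0.2.10", 50126),    # low-and-slow: one attempt every two hours
    ("10:00:00", "bob", "192.0.2.10", 50126),
    ("12:00:00", "carol", "192.0.2.10", 50126),
    ("14:00:00", "dave", "192.0.2.10", 50126),
]
SAMPLE_SIGNINS = [
    {"time": f"2024-05-01T{t}", "user": f"{u}@example.com", "ip": ip, "error": e}
    for t, u, ip, e in _RAW
]

def detect_spray(signins, window=timedelta(minutes=30), min_users=4):
    """Return {ip: sorted users} for IPs that failed against >= min_users accounts within window."""
    by_ip = defaultdict(list)
    for rec in signins:
        if rec["error"] in SPRAY_ERRORS:
            by_ip[rec["ip"]].append((datetime.fromisoformat(rec["time"]), rec["user"].lower()))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink from the left so the slice never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(ip, [])):
                alerts[ip] = sorted(users)
    return alerts
```

With the default 30-minute window only the fast spray is flagged; the low-and-slow source appears only once the window is widened, which is why the window and user threshold need tuning per tenant.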

Authenticated Recon

First, we need to install the Azure Az PowerShell module:

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Then connect to the Azure account with Connect-AzAccount.

Enumerating with PowerShell

# List the contexts available to the current user
Get-AzContext -ListAvailable
# Get subscriptions
Get-AzSubscription
# Current user's role assignments
Get-AzRoleAssignment
# List all resources and resource groups
Get-AzResource
Get-AzResourceGroup
# List storage accounts
Get-AzStorageAccount
# List all web apps (candidates for exploitation)
Get-AzWebApp
# List Automation accounts
Get-AzAutomationAccount
# Display all virtual networks
Get-AzVirtualNetwork
# Get public IP addresses
Get-AzPublicIpAddress

Continues...

https://github.com/nyxgeek/onedrive_user_enum
https://github.com/LMGsec/o365creeper
https://github.com/initstring/cloud_enum
https://github.com/dafthack/MSOLSpray