search
Infiltr8ForumGitHub
githubEdit

Unauthenticated Reconnaissance

hashtag
Theory

Unauthenticated reconnaissance is the first step in assessing an Azure AD environment. This phase involves gathering information about the target organization's Azure presence without requiring any authentication credentials. The goal is to identify valid domains, user accounts, and potential entry points that can be leveraged in subsequent phases of an engagement.

hashtag
Practice

hashtag
Check if Company is Using Azure AD

Before starting any Azure AD enumeration, it's important to verify if the target company is actually using Azure AD. This can be done through various methods.

If the NameSpaceType indicates "Managed", then the company is using Azure AD.

if the NameSpaceType indicates "Federated", then the company is using Active Directory Federation Services (AD FS) .

# Replace <DOMAIN> with the actual target FQDN
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=username@<DOMAIN>&json=1" | jq

hashtag
Tenant Enumeration

Tenant enumeration involves gathering information about the Azure AD tenant configuration, including domain names, authentication methods, and tenant-specific details. This information can be obtained through various public APIs and tools.

hashtag
TenantID

We can retreive the Tenant ID by quering the OpenID Configuration API endpoint

curl -s https://login.microsoftonline.com/ocd-testing.com/.well-known/openid-configuration | jq .token_endpoint

hashtag
Domains

We can enumerate additional domains associated with the tenant using the Autodiscover service:

domain="example.com";curl -s https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc -H "Content-Type: text/xml" -d @- << EOF |xq
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action>
    <a:To soap:mustUnderstand="1">https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</a:To>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
  </soap:Header>
  <soap:Body>
    <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <Request>
        <Domain>$domain</Domain>
      </Request>
    </GetFederationInformationRequestMessage>
  </soap:Body>
</soap:Envelope>
EOF

hashtag
Services Enumeration

Organizations often use various Azure services that can be discovered through DNS enumeration or by checking common Azure subdomains.

chevron-rightEnumerate Azure SubDomainshashtag

It's possible to try to find Azure services exposed in common azure subdomains like the ones documented in this postarrow-up-right.

MicroBurstarrow-up-right (Powershell) can be used to achieve that goal, and enumerate Azure Subdomains.

The same can be acheive using cloud_enumarrow-up-right (python)

chevron-rightEnumerate Azure Storage Accounts & Blobshashtag

hashtag
Open Storage

Azure Storage Account are Microsoft's cloud storage solution, similar to Amazon S3. It includes several services like the Blob storagearrow-up-right, for unstructured data (images, videos, and documents..).

Anonymous read access may be enabled by a public access policies for blobs. Furthermore, storage resources follow predictable URL patterns at core.windows.net:

  • storage-account-name.blob.core.windows.net

  • storage-account-name.file.core.windows.net

  • storage-account-name.table.core.windows.net

  • storage-account-name.queue.core.windows.net

MicroBurstarrow-up-right (Powershell) can then be used to brute-force storage account names, containers, and files (blobs):

hashtag
SAS URLs

A shared access signature (SAS) URL is an URL that provides access to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):

https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D

Use Storage Explorerarrow-up-right to access the data

chevron-rightEnumerate Azure Container Registry (ACR)hashtag

By default, access to pull or push images from an Azure Container Registry is only available to authenticated users. But it's possible to allow anonymous pull access.

circle-exclamation

Authorizing anonymous pulls can be done as follows (need permissions)

If we know such registry name and images, we can pull it as follows

hashtag
User Enumeration

The goal is to compile a list of possible valid email addresses for the targeted company, aiming to identify valid accounts using tools and techniques below.

The GetCredentialType API can be used for username enumeration.

triangle-exclamation

Ensure that the domain is managed (refer to this section) to guarantee accurate results when using this technique. If it doesn't, unmanaged domains can return 0, leading to false positives

hashtag
Resources

LogoCARTP-cheatsheet/recon.md at main · 0xJs/CARTP-cheatsheetGitHubchevron-right
LogoAz - Unauthenticated Enum & Initial Entry - HackTricks Cloudcloud.hacktricks.wikichevron-right

Last updated