Unauthenticated Reconnaissance
Unauthenticated reconnaissance is the first step in assessing an Azure AD environment. This phase involves gathering information about the target organization's Azure presence without requiring any authentication credentials. The goal is to identify valid domains, user accounts, and potential entry points that can be leveraged in subsequent phases of an engagement.
Before starting any Azure AD enumeration, it's important to verify if the target company is actually using Azure AD. This can be done through various methods.
If the NameSpaceType indicates "Managed", then the company is using Azure AD.
If the NameSpaceType indicates "Federated", then the company is using Active Directory Federation Services (AD FS).
Tenant enumeration involves gathering information about the Azure AD tenant configuration, including domain names, authentication methods, and tenant-specific details. This information can be obtained through various public APIs and tools.
Organizations often use various Azure services that can be discovered through DNS enumeration or by checking common Azure subdomains.
The GetCredentialType API can be used for username enumeration.
We can query all the information of an Azure tenant with just one command from (Powershell).
We can retrieve the Tenant ID using (Powershell).
We can enumerate additional domains using (Powershell).
It's possible to try to find Azure services exposed in common Azure subdomains like the ones documented in this .
(Powershell) can be used to achieve that goal, and enumerate Azure Subdomains.
The same can be achieved using (python).
are Microsoft's cloud storage solution, similar to Amazon S3. It includes several services like the , for unstructured data (images, videos, and documents).
(Powershell) can then be used to brute-force storage account names, containers, and files (blobs):
Use to access the data
The goal is to, aiming to identify valid accounts using tools and techniques below.
Ensure that the domain is managed () to guarantee accurate results when using this technique. If it isn't, unmanaged domains can return 0, leading to false positives.
(python) is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365). It can be used to validate users through various methods: autologon, oauth2, office, onedrive, rst.
(Python) is a script that performs email address validation against Office 365 without submitting login attempts. It uses the GetCredentialType API and checks for the IfExistsResult field.
(Python) can be used to validate O365 users through the OneDrive API.
We can check if a user exists in a tenant using (Powershell).
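The caveat above about unmanaged domains, as an added example that is not part of the original page or of any tool it names: an offline routine that decides whether an IfExistsResult value can be trusted given the domain's NameSpaceType. The sample records and function names are constructed for illustration, it assumes that a value of 1 means the account was not found, and it makes no network requests.

```python
from collections import Counter

# Constructed sample data: (address, realm response, credential-type response).
# Only the NameSpaceType and IfExistsResult fields named on the page are used.
SAMPLES = [
    ("alice@managed.example", {"NameSpaceType": "Managed"}, {"IfExistsResult": 0}),
    ("nobody@managed.example", {"NameSpaceType": "Managed"}, {"IfExistsResult": 1}),
    ("bob@fed.example", {"NameSpaceType": "Federated"}, {"IfExistsResult": 0}),
    ("carol@other.example", {"NameSpaceType": "Unknown"}, {"IfExistsResult": 0}),
    ("dave@managed.example", {"NameSpaceType": "Managed"}, {}),
]


def namespace_kind(realm):
    """Map NameSpaceType to the page's reading: Managed or Federated."""
    ns = realm.get("NameSpaceType")
    if ns == "Managed":
        return "managed"      # domain is using Azure AD
    if ns == "Federated":
        return "federated"    # domain is using AD FS
    return "other"


def interpret(realm, cred):
    """Return 'exists', 'not-found' or 'inconclusive' for one lookup."""
    if namespace_kind(realm) != "managed":
        # A non-managed domain can answer 0 for any name, so a 0 here
        # is a potential false positive and must not be counted as valid.
        return "inconclusive"
    result = cred.get("IfExistsResult")
    if result == 0:
        return "exists"
    if result == 1:           # assumption: 1 means the account was not found
        return "not-found"
    return "inconclusive"     # missing field or any other value


def triage(samples):
    """Interpret every record and count the verdicts."""
    verdicts = {addr: interpret(realm, cred) for addr, realm, cred in samples}
    return verdicts, Counter(verdicts.values())


if __name__ == "__main__":
    verdicts, counts = triage(SAMPLES)
    for addr, verdict in verdicts.items():
        print(f"{addr:26} {verdict}")
    print(dict(counts))
```
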