Enumeration
Last updated
Use for unauthenticated enumeration.
Use and .
Enumerate publicly accessible AWS resources with OSINT tools like cloud_enum.py.
Search for to obtain Service Account JSON file.
"" section includes techniques for unauthenticated enumeration of Azure instances.
Get Federation info for target domain:
Get Tenant ID for a target domain:
<domain>/v2.0/.well-known/openid-configuration
EWS endpoint is usually located at:
Try to enumerate Active Directory through the exposed portal.
The Autodiscover service in Microsoft Exchange is used to automatically configure client endpoints with the settings they need to communicate with the Exchange server.
The web API gives away a ton of information.
python3 check_mdi.py -d domain.com
git clone https://github.com/NetSPI/MicroBurst
Import-Module .\MicroBurst.psm1
Enumerate publicly available azure services point to subdomain:
Invoke-EnumerateAzureSubDomains -Base "example" -Verbose
Enumerate publicly accessible azure blob storage service point to subdomain:
Invoke-EnumerateAzureBlobs -Base "example"
Get the information about tenant id of a target organization.
curl https://login.windows.net/example.com/.well-known/openid-configuration
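The openid-configuration lookup above (both the v2.0 form and the login.windows.net form) returns JSON; the tenant ID is the first path segment of the `issuer` value. This added example (not from the original page) parses a constructed copy of that document, cross-checks the `token_endpoint`, and handles the error document Entra returns when the domain belongs to no tenant.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the openid-configuration body for a domain that belongs to a tenant,
# trimmed to the keys used here. The GUID is made up for this example.
SAMPLE_OPENID_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token",
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tenant_region_scope": "EU",
    "cloud_instance_name": "microsoftonline.com",
})

# Constructed sample of the error body returned when the domain is not registered in any tenant.
SAMPLE_UNKNOWN_TENANT = json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'example.invalid' not found.",
})

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def _first_path_segment(url: str) -> str:
    return urlparse(url).path.strip("/").split("/")[0]


def parse_tenant_info(body: str) -> dict:
    """Return {'tenant_id', 'region', 'cloud'} from an openid-configuration body,
    or {'error', 'description'} when the response is an Entra error document."""
    doc = json.loads(body)
    if "error" in doc:
        return {"error": doc["error"], "description": doc.get("error_description", "")}
    tenant_id = _first_path_segment(doc["issuer"])
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"unexpected issuer format: {doc['issuer']}")
    # Cross-check: token_endpoint must be issued for the same tenant as the issuer.
    if _first_path_segment(doc["token_endpoint"]) != tenant_id:
        raise ValueError("issuer and token_endpoint disagree on tenant ID")
    return {
        "tenant_id": tenant_id.lower(),
        "region": doc.get("tenant_region_scope"),
        "cloud": doc.get("cloud_instance_name"),
    }
```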
Download information from publicly open blob:
Azure Storage Explorer > Storage Accounts > Connect to Azure Storage > Blob Container > Anonymously > Type obtained URL
Portal:
Azure Resource Manager Portal
O365 / M365 Admin Center
O365 / M365 User Portal
Credentials:
Username + Password - Long Term Access:
Azure AD Users (Cloud Only)
Sync Users (On-Premise)
SSO Users (Federated Identity): SSO (Single Sign-On) allows users to log in once and gain access to multiple systems without needing to re-enter credentials.
External Users
CLI:
Az CLI [Cross Platform]
Az PowerShell [PowerShell Module]
Microsoft Graph PowerShell [MgGraph Module]
Credentials:
Username + Password - Long Term Access:
Az CLI: az login
Az PowerShell: Connect-AzAccount
AzureAD PowerShell: Connect-AzureAD
Microsoft Graph PowerShell: Connect-MgGraph
To potentially get around MFA:
$credential = Get-Credential
Connect-AzAccount -Credential $credential
MgGraph PowerShell: Connect-MgGraph -Scopes "Directory.Read.All"
MSOnline PowerShell: Connect-MsolService
To potentially get around MFA:
$credential = Get-Credential
Connect-MsolService -Credential $credential
Service Principal (App ID + Password or Certificate) - Long Term Access:
Az CLI: az login --service-principal -u ApplicationID -p Password --tenant TenantID
Az PowerShell:
$cred = Get-Credential # Where, Username = Application ID & Password = Client Secret
Connect-AzAccount -ServicePrincipal -Tenant TenantID -Credential $cred
Access Token (Account ID + Access Token) - Short Term Access:
Az CLI: az account get-access-token --resource=https://management.azure.com
Az PowerShell:
$token = "AccessToken"
Connect-AzAccount -AccessToken $token -AccountId {SubscriptionID}
MgGraph PowerShell:
az account get-access-token --resource https://graph.microsoft.com
Connect-MgGraph -AccessToken {TOKEN}
To check if the target organization is using Entra ID as an IDP (Identity Provider):
Import a context file:
Import-AzContext -Profile 'C:\hola\Token.json'
Export a context file:
Save-AzContext -Path C:\hola\AzureAccessToken.json
To get currently logged-in session information:
Get-MgContext
Get-AzContext -ListAvailable
To get context details:
$context = Get-AzContext
$context.Name
$context.Account
To list Company Information:
Get-MSolCompanyInformation
To get a list of all directory roles:
Get-MgDirectoryRole | ConvertTo-Json
To get the current user's role assignment:
Get-AzRoleAssignment
To get role assignments for a specific principal:
Get-AzRoleAssignment -ObjectId {PrincipalID-ManagedIdentity}
To get a list of members of a directory role:
Get-MgDirectoryRoleMember -DirectoryRoleId {DirectoryRoleID} -All | ConvertTo-Json
To get a list of users in Entra ID:
Get-MgUser
Get-MSolUser -All
To get the User ID of a specific user:
Get-MgUser -Filter "startswith(displayName,'{DisplayName}')"
To list all user attributes:
Get-MSolUser -All | fl
One-liner to search all Azure AD user attributes for passwords:
$users = Get-MsolUser; foreach ($user in $users) { $props = @(); $user | Get-Member -MemberType Properties | foreach-object { $props += $_.Name }; foreach ($prop in $props) { if ($user.$prop -like "*password*") { Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + ": " + $user.$prop) } } }
To get a list of the groups that a user is a member of:
Get-MgUserMemberOf -UserId {UserID}
List of all objects owned by logged-in user:
Get-MgUserOwnedObject -UserId {UserID} | ConvertTo-Json
To retrieve the object ID of the specified user:
Get-AzureADUser -SearchString "{user we are}"
Lists memberships and permissions of a specified user object:
Get-AzureADUserMembership -ObjectId {user object ID} | ConvertTo-Json -Depth 3
List storage accounts:
Get-AzStorageAccount
To list all groups in Entra ID:
Get-MgGroup
Get-MSolGroup -All
To get members of a group:
Get-MgGroupMember -GroupId {GroupID} | ConvertTo-Json
Get-MsolRole -RoleName "Group Name"
Get-MSolGroupMember -GroupObjectId $GUID
Get the list of all applications:
Get-MgApplication
Get-AzureADApplication
To get an application object ID and app ID:
Get-MgApplication -Filter "startswith(displayName,'{example-app}')"
Get the details about a specific application:
Get-MgApplication -ApplicationId {ApplicationObjectID} | ConvertTo-Json
Get the detail about the owner of a specific application:
Get-MgApplicationOwner -ApplicationId {ApplicationObjectID} | ConvertTo-Json
Get the details about application permissions for an application:
$app= Get-MgApplication -ApplicationId {ApplicationObjectID}
$app.RequiredResourceAccess
Get the details of App Role for Microsoft Graph API:
$res=Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$res.AppRoles | Where-Object {$_.ID -eq '{AppRoleID}'} | ConvertTo-Json
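The two lookups above (the application's RequiredResourceAccess, then the matching AppRoles on the resource's service principal) are usually combined when auditing what an app registration has been granted. This added example (not from the original page) resolves each requested permission ID to its name from constructed JSON of both objects, separating application permissions (Type "Role") from delegated ones (Type "Scope") and flagging a few high-privilege application permissions; the GUIDs and the HIGH_PRIVILEGE list are illustrative, while the Microsoft Graph app ID is the real well-known value.

```python
import json

# Constructed sample of `$app.RequiredResourceAccess | ConvertTo-Json` output.
APP_REQUIRED_ACCESS = json.dumps([{
    "ResourceAppId": "00000003-0000-0000-c000-000000000000",  # well-known Microsoft Graph app ID
    "ResourceAccess": [
        {"Id": "aaaaaaaa-0000-0000-0000-000000000001", "Type": "Role"},   # application permission
        {"Id": "aaaaaaaa-0000-0000-0000-000000000002", "Type": "Scope"},  # delegated permission
        {"Id": "aaaaaaaa-0000-0000-0000-00000000ffff", "Type": "Role"},   # not in the catalogue
    ],
}])

# Constructed sample of the Graph service principal, trimmed to the two permission catalogues.
SERVICE_PRINCIPALS = json.dumps([{
    "AppId": "00000003-0000-0000-c000-000000000000",
    "AppRoles": [{"Id": "aaaaaaaa-0000-0000-0000-000000000001", "Value": "Directory.ReadWrite.All"}],
    "Oauth2PermissionScopes": [{"Id": "aaaaaaaa-0000-0000-0000-000000000002", "Value": "User.Read"}],
}])

# Application permissions worth a second look on review (illustrative, not exhaustive).
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                  "AppRoleAssignment.ReadWrite.All", "Mail.ReadWrite"}


def resolve_permissions(required_access_json: str, service_principals_json: str) -> list:
    """Map every RequiredResourceAccess entry to a permission name.
    IDs that the resource's service principal no longer publishes come back as
    'UNRESOLVED' so stale or renamed permissions stay visible instead of being dropped."""
    sps = {sp["AppId"]: sp for sp in json.loads(service_principals_json)}
    findings = []
    for resource in json.loads(required_access_json):
        sp = sps.get(resource["ResourceAppId"], {})
        roles = {r["Id"]: r["Value"] for r in sp.get("AppRoles", [])}
        scopes = {s["Id"]: s["Value"] for s in sp.get("Oauth2PermissionScopes", [])}
        for access in resource["ResourceAccess"]:
            is_app_perm = access["Type"] == "Role"
            name = (roles if is_app_perm else scopes).get(access["Id"], "UNRESOLVED")
            findings.append({
                "resource": resource["ResourceAppId"],
                "type": "Application" if is_app_perm else "Delegated",
                "permission": name,
                "high_privilege": is_app_perm and name in HIGH_PRIVILEGE,
            })
    return findings
```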
Get the details about delegation permission for an application:
$app= Get-MgApplication -ApplicationId {ApplicationObjectID}
$app.Oauth2RequirePostResponse | ConvertTo-Json
As an app owner, create an application credential:
Add-MgApplicationPassword -ApplicationId "{AppObjectID}" | ConvertTo-Json
Check the directory role assigned to an application:
Get-MgDirectoryRoleMemberAsServicePrincipal -DirectoryRoleId {MgDirectoryRole output GUID} | ConvertTo-Json
Retrieve detailed information about a specific application:
$app = Get-AzureADApplication -ObjectId {app object ID}
$app.RequiredResourceAccess | ConvertTo-Json -Depth 3
To list Service Principals:
Get-MsolServicePrincipal
Lists service principals and retrieves roles associated with specified resource access:
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '{ResourceAppId}'}
$sp.AppRoles | Where-Object {$_.Id -eq '{ResourceAccess > Id}'}
Get details about currently logged in session:
az account show
Get the list of all available subscriptions:
az account list
az account list --all
Get-AzSubscription
Get the details of a subscription:
az account show -s {Subscription-ID/Name}
Select-AzSubscription -SubscriptionID "SubscriptionID"
Get the list of available resource groups in the current subscription:
az group list
Get the list of available resource groups in a specified subscription:
az group list -s {Subscription-ID/Name}
Get-AzResource
Get-AzResourceGroup
Get the list of available resources in the current subscription:
az resource list
Get the list of available resources in a specified resource group:
az resource list --resource-group {ResourceGroupName}
To list the hostnames of all Azure Function Apps:
Get-AzFunctionApp | ForEach-Object { $_.EnabledHostnames }
To extract specific configuration details from all Function Apps across all subscriptions:
Lists of roles assigned in a specified subscription:
az role assignment list --subscription {Subscription-ID/Name}
Lists of roles assigned in the current subscription and inherited:
az role assignment list --all
List of all roles assigned to an identity (user, service principal, managed identity):
az role assignment list --assignee {ObjectID/Sign-InEmail/ServicePrincipal} --all
az role assignment list --assignee '{Email}' --all
Lists of roles with assigned permissions (Role Definition - For Built-in and Custom Roles):
az role definition list
Get the full information about a specified role:
az role definition list -n {RoleName}
Lists of custom roles with assigned permissions:
az role definition list --custom-role-only
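The role assignment listings above are typically reviewed for privileged roles held at broad scope. This added example (not from the original page) reads a constructed copy of `az role assignment list --all -o json` output, classifies each ARM scope string, and returns Owner, Contributor and User Access Administrator assignments at subscription scope or above, broadest scope first; the principal names and subscription ID are made up.

```python
import json

# Constructed sample of `az role assignment list --all -o json`, trimmed to the fields used here.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0000"},
    {"principalName": "build-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0000/resourceGroups/rg-build"},
    {"principalName": "ops-group", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/root"},
    {"principalName": "reader-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0000"},
])

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_ORDER = {"managementGroup": 0, "subscription": 1}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def privileged_broad_assignments(assignments_json: str) -> list:
    """Return privileged-role assignments at subscription scope or above,
    management-group assignments first since they inherit down to every subscription."""
    hits = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_ORDER:
            hits.append({"principal": a["principalName"], "type": a["principalType"],
                         "role": a["roleDefinitionName"], "level": level})
    return sorted(hits, key=lambda h: BROAD_ORDER[h["level"]])
```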
Get the list of available virtual machines:
az vm list
To list VMs and get OS details:
Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile
Get the list of IP addresses for a specified virtual machine:
az vm list-ip-addresses --name {VM-Name} --resource-group {ResourceGroupName}
Script to extract VM UserData:
List virtual networks:
Get-AzVirtualNetwork
List public IP addresses assigned to virtual NICs:
Get-AzPublicIpAddress
Get Azure ExpressRoute (VPN) Info:
Get-AzExpressRouteCircuit
Get Azure VPN Info:
Get-AzVpnConnection
List Azure web applications:
Get-AzAdApplication
Get-AzWebApp
List SQL servers:
Get-AzSQLServer
Individual databases can be listed with information retrieved from the previous command:
Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Firewall rules:
Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Server AD Admins:
Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List Azure Runbooks:
Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
To export a runbook:
Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\
Script to export all runbooks from all subscriptions:
Script to export all job outputs:
Tool to identify if MFA is enabled.
This script attempts to log in to the provided account TEN (10) different times (11 if you include ADFS).
Import-Module MFASweep.ps1
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
ROADrecon is a tool for exploring Azure AD environments.
Framework to interact with Azure AD.
MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
To look for open storage blobs:
Invoke-EnumerateAzureBlobs -Base $BaseName
Export SSL/TLS certs:
Get-AzPasswords -ExportCerts Y
Azure Container Registry dump:
Get-AzPasswords
Get-AzACR
Tool for graphing Azure and Azure AD objects to visualize the attack surface and pivot opportunities within a tenant.
To run AzureHound with a refresh token:
./azurehound -r "0.ARwA6Wg..." list --tenant "tenant ID" -v 2 -o output.json
Autodiscover Interrogation -> check_mdi.py ()
To just figure out if a company runs Microsoft Defender for Identity:
Information Gathering Functions:
Operational Functions: