# Az - Unauthenticated Enum & Initial Entry

{{#include ../../../banners/hacktricks-training.md}}

## Azure Tenant

### Tenant Enumeration

There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals) (`Install-Module AADInternals`):

- **Login information including tenant ID**
  - `Get-AADIntTenantID -Domain <domain>` (main API `login.microsoftonline.com/<domain>/.well-known/openid-configuration`)
- **All valid doimains in the tenant**
  - `Get-AADIntTenantDomains -Domain <domain>` (main API `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`)
- **Login information of the user**. If `NameSpaceType` is `Managed`, it means EntraID is used
  - `Get-AADIntLoginInformation -UserName <UserName>` (main API `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>`)

You can query all the information of an Azure tenant with **just one command from** [**AADInternals**](https://github.com/Gerenios/AADInternals):

```bash
# Doesn't work in macos because 'Resolve-DnsName' doesn't exist
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table

## Output Example of the Azure tenant info:

Tenant brand:       Company Ltd
Tenant name:        company
Tenant id:          1937e3ab-38de-a735-a830-3075ea7e5b39
DesktopSSO enabled: True

Name                           DNS   MX    SPF  Type      STS
----                           ---   --    ---  ----      ---
company.com                   True  True  True  Federated sts.company.com
company.mail.onmicrosoft.com  True  True  True  Managed
company.onmicrosoft.com       True  True  True  Managed
int.company.com              False False False  Managed
```

It's possible to observe details about the tenant's name, ID, and "brand" name. Additionally, the status of the Desktop Single Sign-On (SSO), also known as [**Seamless SSO**](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso), is displayed. When enabled, this feature facilitates the determination of the presence (enumeration) of a specific user within the target organization.

Moreover, the output presents the names of all verified domains associated with the target tenant, along with their respective identity types. In the case of federated domains, the Fully Qualified Domain Name (FQDN) of the identity provider in use, typically an ADFS server, is also disclosed. The "MX" column specifies whether emails are routed to Exchange Online, while the "SPF" column denotes the listing of Exchange Online as an email sender. It is important to note that the current reconnaissance function does not parse the "include" statements within SPF records, which may result in false negatives.

### User Enumeration

> [!TIP]
> Note that even if a tenant is using several emails for the same user, the **username is unique**. This means that it'll noly work with the domain the user has associated and not with the other domains.

It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format:

```
<email>#EXT#@<tenant name>.onmicrosoft.com
```

The email is user’s email address where at “@” is replaced with underscore “\_“.

With [**AADInternals**](https://github.com/Gerenios/AADInternals), you can easily check if the user exists or not:

```bash
# Check does the user exist
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"
```

Output:

```
UserName         Exists
--------         ------
user@company.com True
```

You can also use a text file containing one email address per row:

```
user@company.com
user2@company.com
admin@company.com
admin2@company.com
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
```

```bash
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```

Currenlty there are **4 different enumeration methods** to choose from. You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`:

It supports following enumeration methods: Normal, Login, Autologon, and RST2.

- The **Normal** method seems currently work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain. 
    
- The **Login** method works with any tenant, but enumeration queries will be logged to Azure AD sign-in log as failed login events!
    
- The **Autologon** method doesn't seem to work with all tenants anymore. Probably requires that DesktopSSO or directory sync is enabled.


After discovering the valid usernames you can get **info about a user** with:

```bash
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
```

The script [**o365spray**](https://github.com/0xZDH/o365spray) also allows you to discover **if an email is valid**.

```bash
git clone https://github.com/0xZDH/o365spray
cd o365spray
python3 -m pip install -r requirements.txt

# Check 1 email
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos
# Check a list of emails
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt
```

**User Enumeration via Microsoft Teams**

Another good source of information is Microsoft Teams.

The API of Microsoft Teams allows to search for users. In particular the "user search" endpoints **externalsearchv3** and **searchUsers** could be used to request general information about Teams-enrolled user accounts.

Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription.

The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API but you need access to a user with Teams access to use it.

```bash
# Install
git clone https://github.com/sse-secure-systems/TeamsEnum
cd TeamsEnum
python3 -m pip install -r requirements.txt

# Login and ask for password
python3 ./TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
```

Output:

```
[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)
```

Furthermore it is possible to enumerate availability information about existing users like the following:

- Available
- Away
- DoNotDisturb
- Busy
- Offline

If an **out-of-office message** is configured, it's also possible to retrieve the message using TeamsEnum. If an output file was specified, the out-of-office messages are automatically stored within the JSON file:

```
jq . teamsenum-output.json
```

Output:

```json
{
  "email": "user2@domain",
  "exists": true,
  "info": [
    {
      "tenantId": "[REDACTED]",
      "isShortProfile": false,
      "accountEnabled": true,
      "featureSettings": {
        "coExistenceMode": "TeamsOnly"
      },
      "userPrincipalName": "user2@domain",
      "givenName": "user2@domain",
      "surname": "",
      "email": "user2@domain",
      "tenantName": "Company",
      "displayName": "User2",
      "type": "Federated",
      "mri": "8:orgid:[REDACTED]",
      "objectId": "[REDACTED]"
    }
  ],
  "presence": [
    {
      "mri": "8:orgid:[REDACTED]",
      "presence": {
        "sourceNetwork": "Federated",
        "calendarData": {
          "outOfOfficeNote": {
            "message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
            "publishTime": "2023-03-15T21:44:42.0649385Z",
            "expiry": "2023-04-05T14:00:00Z"
          },
          "isOutOfOffice": true
        },
        "capabilities": ["Audio", "Video"],
        "availability": "Away",
        "activity": "Away",
        "deviceType": "Mobile"
      },
      "etagMatch": false,
      "etag": "[REDACTED]",
      "status": 20000
    }
  ]
}
```

### Password Spraying / Brute-Force

{{#ref}}
az-password-spraying.md
{{#endref}}

## Azure Services using domains

It's also possible to try to find **Azure services exposed** in common azure subdomains like the ones documented in this [post:
](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)

- App Services: `azurewebsites.net`
- App Services – Management: `scm.azurewebsites.net`
- App Services: `p.azurewebsites.net`
- App Services: `cloudapp.net`
- Storage Accounts-Files: `file.core.windows.net`
- Storage Accounts-Blobs: `blob.core.windows.net`
- Storage Accounts-Queues: `queue.core.windows.net`
- Storage Accounts-Tables: `table.core.windows.net`
- Databases-Redis: `redis.cache.windows.net`
- Databases-Cosmos DB: `documents.azure.com`
- Databases-MSSQL: `database.windows.net`
- Key Vaults: `vault.azure.net`
- Microsoft Hosted Domain: `onmicrosoft.com`
- Email: `mail.protection.outlook.com`
- SharePoint: `sharepoint.com`
- CDN: `azureedge.net`
- Search Appliance: `search.windows.net`
- API Services: `azure-api.net`

You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains:**

```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```

## Phishing

- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)

## Filesystem Credentials

The **`az cli`** stores a lot of interesting information inside **`<HOME>/.Azure`**:
- **`azureProfile.json`** contains info about logged in users from the past
- **`clouds.config`** contains info about subscriptions
- **`service_principal_entries.json`** contains applications **credentials** (tenant id, clients and secret)
- **`msal_token_cache.json`** contains **access tokens and refresh tokens**

Note that in macOS and linux these files are **unprotected** stored in clear text.



## References

- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)

{{#include ../../../banners/hacktricks-training.md}}