Reconnaissance in a public cloud environment takes many different forms, such as looking more broadly at open datasets and the vast array of publicly available information that must exist in the cloud for many of the services to function.
In most cases our knowledge of the organization is limited to its email address or domain name, but we can still gather some interesting information.
This step is important because it lets you determine which services are in use and which assets the organization has moved to the cloud. We can determine things like AD connectivity, mail gateways, web applications, file storage, etc.
This can be done by navigating to:
If <NameSpaceType> is Managed, then you can tell the organization is using Azure AD.
powershell> Install-Module AADInternals
powershell> Import-Module AADInternals
powershell> Invoke-AADIntReconAsOutsider -DomainName demosecurecompany.nl
Here's an example of what the output will look like:
Tenant brand: Demo Secura Company Inc.
Tenant name: demosecure
Tenant id: ca85a[......]313b
Tenant region: EU
DesktopSSO enabled: True
Name : demosecurecompany.nl
DNS : True
MX : True
SPF : True
DMARC : False
Type : Managed
STS :
Name : demosecurecompany.mail.onmicrosoft.com
[...]
Name : demosecurecompany.onmicrosoft.com
[...]
If DesktopSSO is enabled, it means that it can be used to check if a given user exists in the target organisation or not.
Subdomain enumeration is the process of finding subdomains for one or more domains. It helps to broaden the attack surface and find hidden applications and forgotten subdomains. This can be done by using some tools like:
During this step we need to gather information about employees to be able to build a user list. Places to look and collect this kind of information are LinkedIn, Facebook, Twitter and department heads (HR, C-Level). Some websites/tools that can be used to collect information about the employees:
During this step we are attempting to enumerate or guess valid usernames or account identifiers in order to determine their existence or validity. This can be done using one of the following methods:
Some common formats are:
{first}.{last} :: jack.mark@demosecurecompany.nl
{f}{last} :: jmark@demosecurecompany.nl
{f}{m}.{last} :: jd.mark@demosecurecompany.nl
Try to log in with the email address: https://login.microsoftonline.com/common/oauth2/
o365creeper: Python script used to validate email accounts that belong to Office 365 tenants.
python3> o365creeper.py -e victim@demosecurecompany.nl
python3> o365creeper.py -f email-list.txt -o valid.txt
em[.....]b.nl INVALID
ad[.....]b.nl INVALID
di[.....]b.nl - VALID
pa[.....]b.nl INVALID
ew[.....]b.nl INVALID
em[.....]b.nl INVALID
TeamFiltration: cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
cmd> TeamFiltration_Win.exe --enum --validate-teams --usernames email-list.txt --config .\TeamFiltrationConfig_Example.json
As part of the recon process, we would want to see if the target company uses any Azure services.
An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks. The service allows you to store objects in the cloud.
Storage Account: The place where you are going to store your objects.
Container: The folders where you are going to store data.
Blob: The unstructured data, which includes email, video, and binary data.
powershell> import-module c:\MicroBurst\Misc\Invoke-EnumerateAzureSubDomains.ps1
powershell> Invoke-EnumerateAzureSubDomains -Base demosecurecompany -Verbose
Subdomain Service
--------- -------
demosecurecompany.onmicrosoft.com Microsoft Hosted Domain
demosecurecompany.blob.core.windows.net Storage Accounts - Blobs
demosecurecompany.file.core.windows.net Storage Accounts - Files
demosecurecompany.queue.core.windows.net Storage Accounts - Queues
demosecurecompany.table.core.windows.net Storage Accounts - Tables
powershell> import-module c:\MicroBurst\Misc\Invoke-EnumerateAzureBlobs.ps1
powershell> Invoke-EnumerateAzureBlobs -Base demosecurecompany -Verbose
[...]
Found Container - demosecurecompany.blob.core.windows.net/config
Public File Available: https://demosecurecompany.blob.core.windows.net/config/config.txt
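The finding above is a container that serves config.txt to anonymous callers. As an added example (not from the original page or the MicroBurst project), this Python audit flags such containers in an inventory of your own storage accounts; the inventory is constructed sample data, and its field names are assumed to match Azure CLI JSON output.

```python
import json

# Constructed inventory (not real data): one entry per storage account, with
# the account-level switch and each container's access level. The field names
# follow Azure CLI JSON output; treat that shape as an assumption.
INVENTORY = json.loads("""
[
  {"name": "demosecurecompany", "allowBlobPublicAccess": true,
   "containers": [
     {"name": "config",  "properties": {"publicAccess": "container"}},
     {"name": "assets",  "properties": {"publicAccess": "blob"}},
     {"name": "backups", "properties": {"publicAccess": null}}]},
  {"name": "demosecurecompanylogs", "allowBlobPublicAccess": false,
   "containers": [
     {"name": "audit", "properties": {"publicAccess": "container"}}]}
]
""")

# What an unauthenticated caller can do at each container access level.
EXPOSURE = {
    "container": "anonymous listing and reading of every blob",
    "blob": "anonymous reading of any blob whose URL is known or guessed",
}

def audit_public_containers(inventory):
    """Return one finding per container that is reachable without credentials."""
    findings = []
    for account in inventory:
        # The account-level switch overrides container settings when it is
        # False. A missing value is treated as "not disabled" so it gets reviewed.
        if account.get("allowBlobPublicAccess") is False:
            continue
        for container in account.get("containers", []):
            level = (container.get("properties") or {}).get("publicAccess")
            level = (level or "off").lower()
            if level in EXPOSURE:
                findings.append({
                    "url": f"https://{account['name']}.blob.core.windows.net/{container['name']}",
                    "level": level,
                    "exposure": EXPOSURE[level],
                })
    return findings

if __name__ == "__main__":
    for f in audit_public_containers(INVENTORY):
        print(f"{f['url']}  [{f['level']}]  {f['exposure']}")
```

Setting the account-level switch to false removes anonymous access for every container in that account, which is why the second account in the sample produces no finding.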