Skip to content

Latest commit

 

History

History
159 lines (135 loc) · 5.09 KB

recon.md

File metadata and controls

159 lines (135 loc) · 5.09 KB

Recon on the target

Index

Recon steps for cloud asset discovery

  1. Traditional host discovery still applies
  2. After host discovery resolve all names, then perforn whois lookups to determine where are they hosted.
  3. Microsoft, Amazon, Google IP space usually indicates cloud service usage.
  4. Check MX records. These can show cloud-hosted mail providers

Recon tools

Recon techniques

Finding subdomains

Bruteforce subdomains

gobuster dns -d <target domain> -w <wordlist>

Check cloud usage

Check for IP Netblocks

ip2provider

cat iplist.txt | python ip2provider.py

O365 usage

  • Add domain to following url, if exists there is a tenant:
https://login.microsoftonline.com/<TARGET DOMAIN>/v2.0/.well-known/openid-configuration

Google Workspace Usage

AWS usage

  • Check if any resources are being loaded from S3 buckets
  • Using burp, navigate the webapp and check for any calls to https://[bucketname].s3.amazonaws.com or • https://s3-[region].amazonaws.com/[Org Name]

Box.om usage

Recon employees

User enumeration

Azure

Manually

Get if tenant is in use and if fedaration is in use.

  • Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in cloud.
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/[email protected]&xml=1

Get the Tenant ID

https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://login.microsoftonline.com/defcorphq.onmicrosoft.com/.well-known/openid-configuration

AADinternals

https://github.com/Gerenios/AADInternals https://o365blog.com/aadinternals/

Import the AADinternals module

import-module .\AADInternals.psd1

Get all the information of the tenant

Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>

Get tenant name, authentication, brand name (usually same as directory name) and domain name

Get-AADIntLoginInformation -UserName <RANDOM USER>@<DOMAIN>

Get tenant ID

Get-AADIntTenantID -Domain <DOMAIN>

Get tenant domains

Get-AADIntTenantDomains -Domain <DOMAIN>

Microburst

Enumerate used services

Import-Module MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base <SHORT DOMAIN NAME> -Verbose

Enumerate Azureblobs

  • Add permutations to permutations.txt like common, backup, code in the misc directory.
Import-Module ./Microburst.psm1
Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt

Valid emails

Check for Email ID's

python o365creeper.py -f list_of_emails.txt -o validemails.txt