Reconnaissance

Network discovery

• Nmap
• Masscan

DNS reconnaissance

DNS reconnaissance

• GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers
• GitHub - rbsec/dnscan
• nslookup, host, dig
• GitHub - darkoperator/dnsrecon: DNS Enumeration Script
• GitHub - lanmaster53/recon-ng: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

Certificate transparency

• crt.sh | Certificate Search

Miscellaneous

Shodan

Eyewitness

GitHub - FortyNorthSecurity/EyeWitness: EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Azure Discovery

Finding tenantID

• https://enterpriseregistration.windows.net/company.com/enrollmentserver/contract?api-version=1.4

• https://login.microsoftonline.com/getuserrealm.srf?login=username@company.com&xml=1

• AADInternals

• Invoke-AADIntReconAsOutsider -DomainName company.com
• Get-AADIntTenantDomains -Domain company.com
• Invoke-AADIntReconAsOutsider -DomainName company.com

Azure IP ranges

Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center

OpenID configuration document

• https://login.microsoftonline.com/\/v2.0/.well-known/openid-configuration

Scrape Azure Resources

GitHub - lutzenfried/CloudScraper: CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.

Google Dorks

• Reveal the Cloud with Google Dorks | by Mike Takahashi | Feb, 2023 | InfoSec Write-ups (infosecwriteups.com)
• Useful Google Dorks for Open Source Intelligence Investigations - Maltego

Public repositories and leaked credentials

• gitleaks (https://github.com/zricethezav/gitleaks)
• trufflehog (https://github.com/trufflesecurity/truffleHog)
• git-secrets (https://github.com/awslabs/git-secrets)
• shhgit (https://github.com/eth0izzle/shhgit)
• gitrob (https://github.com/michenriksen/gitrob)
• dumpsterdiver GitHub - securing/DumpsterDiver: Tool to search secrets in various filetypes.

Enumeration

Public Storage Accounts Enumeration

• Public Buckets (osint.sh)
• Public Buckets by GrayhatWarfare
• GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
• Microburst: Invoke-EnumerateAzureBlobs
• https://storagename.blob.core.windows.net/CONTAINERNAME?restype=container&comp=list (https://docs.microsoft.com/en-us/rest/api/storageservices/list-containers2)
• GitHub - cyberark/BlobHunter: Find exposed data in Azure with this public blob scanner

OneDrive Enumeration

• GitHub - nyxgeek/onedrive_user_enum: onedrive user enumeration - pentest tool to enumerate valid o365 users
• https://www.trustedsec.com/blog/achieving-passive-user-enumeration-with-onedrive/

Service Enumeration

• PS C:\ > Invoke-EnumerateAzureSubDomains -Base \ -Verbose
• GitHub - 0xsha/CloudBrute: Awesome cloud enumerator

Subdomain Takeover

• Subdomain Takeover in Azure: making a PoC | GoDiego

User enumeration

• GitHub - LMGsec/o365creeper: Python script that performs email address validation against Office 365 without submitting login attempts.
• https://login.microsoftonline.com/getuserrealm.srf?login=\&xml=1
• GitHub - dirkjanm/ROADtools: A collection of Azure AD tools for offensive and defensive security purposes (authenticated)
• GitHub - nyxgeek/o365recon: retrieve information via O365 and AzureAD with a valid cred
• GitHub - DanielChronlund/DCToolbox: Tools for Microsoft cloud fans

Shadow Admin / Privileged Users Enumeration

• GitHub - cyberark/SkyArk: SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS

Secrets in Azure

Not sure if this still works: GitHub - FSecureLABS/Azurite: Enumeration and reconnaissance activities in the Microsoft Azure Cloud. 

Find credentials in

• Environment variables or source code (Azure Function)
• .publishsettings
• Web & app config

 $users = Get-MsolUser -All; foreach($user in $users){$props = @();$user | Get-Member | foreach-object{$props+=$_.Name}; foreach($prop in $props){if($user.$prop -like "*password*"){Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)}}}

Initial Access Attack

Password spraying

• GitHub - SecurityRiskAdvisors/msspray: Password attacks and MFA validation against various endpoints in Azure and Office 365
• GitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
• GitHub - MarkoH17/Spray365: Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.

Bypass conditional access

• The Attackers Guide to Azure AD Conditional Access – Daniel Chronlund Cloud Security Blog
• How to Find MFA Bypasses in Conditional Access Policies - YouTube
• Getting started with ROADrecon · dirkjanm/ROADtools Wiki · GitHub

Instance Metadata Service

• Steal Secrets with Azure Instance Metadata Service? Don’t Oversight Role-based Access Control | by Marcus Tee | Marcus Tee Anytime | Medium

Phishing

• Illicit Consent Grant Attack
• Abusing Device Code Flow: - OAuth’s Device Code Flow Abused in Phishing Attacks | Secureworks
• Evilginx2: - GitHub - kgretzky/evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

Lateral movement

Privilege escalation

Persistence

Last update: 2023-11-09
Created: November 9, 2023 18:17:11