Recon Azure AD
Can you monitor or prevent reconnaissance or enumeration, especially reconnaissance (recon) against the cloud? Mostly not, and it depends on the recon type. Recon of local (on-premises) resources can be anywhere from challenging to easy, depending on the environment, while cloud recon reveals a lot about how we work inside our tenant and even how it connects to the on-prem. There are many ways to recon the cloud, whether Microsoft Cloud, AWS, Google, etc., and for each cloud provider there are numerous ways to recon its resources.
This post focuses on cloud recon from the browser via known APIs and with AADInternals.
Recon Types
Passive Reconnaissance
Passive reconnaissance is a type of reconnaissance that involves collecting information about a target or system without directly interacting with it. This type of reconnaissance typically involves gathering information from publicly available sources, such as social media, company websites, news articles, and other online resources.
Passive reconnaissance aims to gather as much information as possible about the target or system, including its architecture, infrastructure, software and hardware, and potential vulnerabilities. This information can then be used to develop a more detailed understanding of the target, which can help inform future attack strategies.
Passive reconnaissance is an important part of any comprehensive security strategy, as it can help identify potential vulnerabilities before they are exploited. By gathering information about a target or system, security professionals can identify potential weaknesses and take steps to address them before they are exploited by attackers.
Active Reconnaissance
Active reconnaissance is a type of reconnaissance that involves interacting directly with a target or system to gather information. Unlike passive reconnaissance, which relies on publicly available information, active reconnaissance involves actively probing and scanning a target to identify potential vulnerabilities and weaknesses.
Active reconnaissance can take many forms, including network scanning, port scanning, vulnerability scanning, and other types of testing. Security professionals or ethical hackers typically perform this type of reconnaissance to identify potential weaknesses in a system or network.
The goal of active reconnaissance is to identify potential vulnerabilities and weaknesses in a system or network that can be exploited by attackers. By actively probing and scanning a target, security professionals can identify potential weaknesses and take steps to address them before they are exploited by attackers.
It’s important to note that active reconnaissance can be risky, as it can trigger alarms and alerts that may alert defenders to an attacker’s presence. As such, active reconnaissance should only be performed with proper authorization and appropriate safeguards.
Aspect | Passive Reconnaissance | Active Reconnaissance
---|---|---
Methodology | Collects information without interacting directly | Interacts directly with the target or system being probed
Goals | Gathers information about the target or system | Identifies potential vulnerabilities and weaknesses
Sources | Publicly available sources such as websites | Probing and scanning tools
Risks | Low risk of detection or triggering alarms | High risk of detection or triggering alarms
Authorization | Can be conducted without authorization | Must be authorized and conducted with appropriate safeguards
Example | Searching social media and company websites | Network scanning and vulnerability testing
Cloud Perspective – When it comes to cloud security testing, penetration testing, red-teaming, and vulnerability scanning, information is everything. The more information we have about a targeted environment, the easier it is to compromise the cloud. From a defensive perspective, the more information the security admin has about the cloud, the better they can protect and monitor it. There are many ways to gather this information, both passively as reconnaissance and actively as enumeration. Using standardized cloud services has brought challenges and new opportunities, which both offensive and defensive parties need to keep in mind. While the cloud environment has more security options, closing security issues and gaps is more complex.
The development of new and adapted reconnaissance, enumeration, and exploitation tools specialized in targeting public cloud providers has grown. Most levels of cloud adoption, from IaaS up to SaaS and PaaS, can look similar from the outside, specifically where the reconnaissance originates. An exciting development on the offensive side is the use of bots that search sites like GitHub for uploaded code that accidentally contains cloud account access API keys. The impact of such a leak could be enormous for the account owner, so any organization needs to place security controls around the use of these sites.
Note: This is only a high-level perspective on cloud recon and enum.
Reconnaissance is the key, Fuzz for the hole.
The Azure Threat Research Matrix
Microsoft provides the Azure Threat Research Matrix. For Reconnaissance, it states: the adversary is trying to gather information they can use to plan future operations.
The ID AZT103 – Public Accessible Resource covers only resources such as:
- Network Interface
- Virtual Machine
The rest of the IDs provide more information about users, applications, and other resources.
But what if I need something on a specific cloud environment, and I want to recon its resources as an outsider? That is more complex but achievable.
Azure AD External Attack Surface
The Microsoft Cloud (Azure, Office 365, and Dynamics CRM) information is available internally to the members or guests of a specific tenant. However, much information is publicly available to anyone who knows how to discover it. We often use tools that help us recon this information, such as my favorite one, AADInternals. There are many other tools, such as Azurite, etc.
Tools shorten the work, but a good deal of public information can be enumerated by hand: known APIs, specific artifacts (known IDs), and whatever is exposed by default configuration or misconfiguration.
Azure AD Reconnaissance
You’ll know the domain name of the company for which you will perform a security test, and based on it you’ll be able to get more information. Some of it is listed below:
- Tenant ID
- Tenant Name
- Domains
- Mailboxes or shared mailboxes
- Email IDs
- Valid or invalid Users
- Public Azure Blobs
- Any other Azure services that the organization uses
Note: In most cases, the Microsoft cloud is built on three primary components: Tenant, Core-Domain, and Subscription.
Recon Actions
There are various ways to recon and enumerate Microsoft Cloud, whether with known tools, manually, or with any other tools. What can count as recon for Microsoft Cloud? We can start manually with the publicly available APIs that expose information about any Azure AD tenant, for example:
The OpenID Configuration
Information type: login information, token endpoint, device_authorization_endpoint, and much more
URL: https://login.microsoftonline.com/domain.com/.well-known/openid-configuration
The UserRealm
Information type: Login information of the tenant, including tenant Name and domain authentication type
URL: https://login.microsoftonline.com/GetUserRealm.srf?login=test@test.com
The CredentialType
Information type: Login information, including Desktop SSO information
URL: https://login.microsoftonline.com/common/GetCredentialType
To use this endpoint, send a POST request to https://login.microsoftonline.com/common/GetCredentialType with a JSON body containing the email address, as below (run it with Python):

```python
import requests

# POST the candidate username to GetCredentialType; the endpoint answers with
# IfExistsResult, where 0 means the account exists in some tenant.
body = {"Username": "test@domain.com"}
response = requests.post(
    "https://login.microsoftonline.com/common/GetCredentialType", json=body
).json()
if response["IfExistsResult"] == 0:
    print("Valid User")
```
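The two endpoints above return JSON, and it is worth seeing what a tenant actually discloses in them. The following added example (not from the original post) parses constructed OpenID configuration and UserRealm responses with the real field names and extracts the tenant ID, region, authentication type and, for federated domains, the IdP hostname, so a security admin can review their own tenant's public footprint offline; the GUID and hostnames are made up.

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed samples shaped like the real responses; tenant ID, region and hosts are made up.
SAMPLE_OPENID = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "device_authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/devicecode",
    "tenant_region_scope": "EU",
    "cloud_instance_name": "microsoftonline.com",
})
SAMPLE_USERREALM = json.dumps({
    "State": 3, "UserState": 2, "Login": "test@domain.com",
    "NameSpaceType": "Federated", "DomainName": "domain.com",
    "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.domain.com/adfs/ls/?username=test%40domain.com&wa=wsignin1.0",
})

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def tenant_id_from_openid(doc: str) -> Optional[str]:
    """The tenant ID is embedded in the issuer and token_endpoint URLs."""
    cfg = json.loads(doc)
    for key in ("issuer", "token_endpoint"):
        match = GUID_RE.search(cfg.get(key, ""))
        if match:
            return match.group(0).lower()
    return None


def exposure_summary(openid_doc: str, realm_doc: str) -> dict:
    """Summarise what an outsider learns from the two endpoints.
    NameSpaceType is Managed (cloud auth), Federated (external IdP) or Unknown;
    a Federated realm also leaks the IdP hostname via AuthURL."""
    cfg = json.loads(openid_doc)
    realm = json.loads(realm_doc)
    summary = {
        "tenant_id": tenant_id_from_openid(openid_doc),
        "region": cfg.get("tenant_region_scope"),
        "domain": realm.get("DomainName"),
        "auth_type": realm.get("NameSpaceType"),
        "brand": realm.get("FederationBrandName"),
        "idp_host": None,
    }
    if realm.get("NameSpaceType") == "Federated" and realm.get("AuthURL"):
        summary["idp_host"] = urlparse(realm["AuthURL"]).hostname
    return summary
```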
Note: You can use any other Public URL based on a specific service to recon information, such as mail, document, blob, etc.
Using AADInternals
First, we need to know that we can use an Outsider mode. An outsider refers to a user who has no access to the tenant of the target organization. Outsiders can extract information from any tenant using publicly available APIs and DNS queries. See the blog post for more details. The ultimate goal of an outsider is to gain a guest, user, or admin role.
The first is Get-AADIntLoginInformation, which returns login information for the given user or domain.
Run the following command with the targeted domain: Get-AADIntLoginInformation -Domain domain.com
With AADInternals, this is more straightforward because it is a PowerShell module. The primary command is
Get-AADIntTenantID
This function returns the tenant ID for the given user, domain, or access token.
Run the following command with the targeted domain: Get-AADIntTenantID -Domain domain.com
Get-AADIntOpenIDConfiguration
This function returns the open ID configuration for the given user or domain.
Run the following command with the targeted domain: Get-AADIntOpenIDConfiguration -Domain domain.com
Invoke-AADIntReconAsOutsider
Starts a tenant recon of the given domain: gets all verified tenant domains and extracts information such as their type.
You can add the -GetRelayingParties parameter to also get the relying trust parties.
The Invoke-AADIntReconAsOutsider command also works with external users and supports three enumeration methods:
Method | Description
---|---
Normal | Initially, it worked only if the user was in the tenant where Desktop SSO was enabled for any domain.
Login | Works with any tenant, but enumeration queries will be logged to the Azure AD sign-in log as failed login events!
Autologon | Works with any tenant, and enumeration queries are not logged.
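The Login method is the one a defender can see: it leaves failed sign-in events, and a burst of failures for many different usernames from one source IP is the enumeration pattern. The following added example (not from the original post or from AADInternals) runs that detection over constructed sign-in records shaped like Azure AD sign-in log entries; it relies on error code 50034 (user account does not exist) outnumbering 50126 (wrong password for an existing user), and the IPs, names and timestamps are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (createdDateTime, userPrincipalName, ipAddress, status.errorCode).
SAMPLE_SIGNINS = [json.dumps(r) for r in [
    {"createdDateTime": "2023-05-01T10:00:01Z", "userPrincipalName": "alice@domain.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50034}},
    {"createdDateTime": "2023-05-01T10:00:02Z", "userPrincipalName": "bob@domain.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50034}},
    {"createdDateTime": "2023-05-01T10:00:03Z", "userPrincipalName": "carol@domain.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-05-01T10:00:04Z", "userPrincipalName": "dave@domain.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50034}},
    {"createdDateTime": "2023-05-01T10:00:05Z", "userPrincipalName": "erin@domain.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50034}},
    {"createdDateTime": "2023-05-01T10:30:00Z", "userPrincipalName": "frank@domain.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-05-01T10:30:05Z", "userPrincipalName": "frank@domain.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]]

USER_NOT_FOUND = 50034  # account does not exist in the tenant (enumeration signal)


def enumeration_sources(lines, window=timedelta(minutes=5), min_users=4):
    """Return {ip: set of distinct UPNs tried} for every source IP that, inside
    one sliding `window`, failed against at least `min_users` distinct accounts
    with at least half of those failures being 'user not found'."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[rec["ipAddress"]].append((ts, rec["userPrincipalName"].lower(), rec["status"]["errorCode"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until all events fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            not_found = sum(1 for _, _, code in win if code == USER_NOT_FOUND)
            if len(users) >= min_users and not_found * 2 >= len(win):
                # keep the largest set of usernames seen for this source
                flagged[ip] = max(flagged.get(ip, set()), users, key=len)
    return flagged
```

As the table above notes, the Autologon method leaves no sign-in events, so this detection only covers the Login method.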
Invoke-AADIntUserEnumerationAsOutsider with Get-Content
Run the following command with the targeted domain: Get-Content /Users/admin/Documents/Code/aad-users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
Are you looking for advanced ways to recon the cloud, especially the Microsoft Cloud? If you’ve got an application id, … the reconnaissance and scan all of the users in this tenant. We can use PowerShell with different modules and known client IDs to improve it. You can leverage
Note: In the next post, I will describe an advanced way to run external recon on the cloud and enumerate internal users.
References
https://aadinternals.com/aadkillchain/
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/Reconnaissance/