Recon Azure AD

Can you monitor or prevent reconnaissance or enumeration, especially reconnaissance (recon) of the cloud? Mostly not, and it depends on the recon type. Recon of local (on-premises) resources can be hard or easy depending on the setup, but cloud recon reveals a great deal about how we work inside our tenant and even how the tenant connects to on-prem. There are many ways to recon the cloud, whether Microsoft, AWS, Google, or another provider, and each provider exposes numerous ways to recon its resources.

This post focuses on cloud recon with the browser via known API and the AADInternals.

Recon Types

Passive Reconnaissance

Passive reconnaissance is a type of reconnaissance that involves collecting information about a target or system without directly interacting with it. This type of reconnaissance typically involves gathering information from publicly available sources, such as social media, company websites, news articles, and other online resources.

Passive reconnaissance aims to gather as much information as possible about the target or system, including its architecture, infrastructure, software and hardware, and potential vulnerabilities. This information can then be used to develop a more detailed understanding of the target, which can help inform future attack strategies.

Passive reconnaissance is an important part of any comprehensive security strategy, as it can help identify potential vulnerabilities before they are exploited. By gathering information about a target or system, security professionals can identify potential weaknesses and take steps to address them before they are exploited by attackers.

Active Reconnaissance

Active reconnaissance is a type of reconnaissance that involves interacting directly with a target or system to gather information. Unlike passive reconnaissance, which relies on publicly available information, active reconnaissance involves actively probing and scanning a target to identify potential vulnerabilities and weaknesses.

Active reconnaissance can take many forms, including network scanning, port scanning, vulnerability scanning, and other types of testing. Security professionals or ethical hackers typically perform this type of reconnaissance to identify potential weaknesses in a system or network.

The goal of active reconnaissance is to identify potential vulnerabilities and weaknesses in a system or network that can be exploited by attackers. By actively probing and scanning a target, security professionals can identify potential weaknesses and take steps to address them before they are exploited by attackers.

It’s important to note that active reconnaissance can be risky: it can trigger alarms and alerts that reveal an attacker’s presence to defenders. As such, active reconnaissance should only be performed with proper authorization and appropriate safeguards.

Aspect         | Passive Reconnaissance                               | Active Reconnaissance
Methodology    | Collects information without interacting directly    | Interacts directly with the target or system being probed
Goals          | Gathers information about the target or system       | Identifies potential vulnerabilities and weaknesses
Sources        | Publicly available sources such as websites          | Probing and scanning tools
Risks          | Low risk of detection or triggering alarms           | High risk of detection or triggering alarms
Authorization  | Can be conducted without authorization               | Must be authorized and conducted with appropriate safeguards
Example        | Searching social media and company websites          | Network scanning and vulnerability testing

Cloud Perspective – When it comes to cloud security testing (penetration testing, red teaming, and vulnerability scanning), information is everything. The more information we have about a targeted environment, the easier the cloud can be compromised. From a defensive perspective, the more the security admin knows about the cloud, the better it can be protected and monitored. This information can be gathered passively (reconnaissance) or actively (enumeration). Standardized cloud services bring both challenges and new opportunities that offensive and defensive parties need to keep in mind: the cloud offers more security options, but closing security issues and gaps is more complex.

Reconnaissance, enumeration, and exploitation tools specialized in targeting public cloud providers keep growing in number. Most levels of cloud adoption, from IaaS through PaaS to SaaS, look similar from the outside, which is where reconnaissance originates. A notable development on the offensive side is the use of bots that search sites like GitHub for uploaded code that accidentally contains cloud account API keys. The impact of such a leak can be enormous for the account owner, so every organization needs security controls around the use of these sites.

Note: It’s only a specific high-level perspective on cloud recon and enum.

Reconnaissance is the key, Fuzz for the hole.

The Azure Threat Research Matrix

Microsoft provides the Azure Threat Research Matrix. Its Reconnaissance tactic is described as: the adversary is trying to gather information they can use to plan future operations.

The technique AZT103 – Public Accessible Resource covers information exposed by resources such as:

  • Network Interface
  • Virtual Machine

The rest of the IDs under this tactic cover information about users, applications, and other resources.

But what if I need information on a specific cloud environment, and I want to recon its resources as an outsider? That is more complex, but achievable.

Azure AD External Attack Surface

The Microsoft Cloud (Azure, Office 365, and Dynamics CRM) exposes most of its information only to members or guests of a specific tenant. However, much information is publicly available to anyone who knows how to discover it. We often use tools that help us recon this information, such as my favorite, AADInternals. There are many other tools, such as Azurite, etc.

Tools shorten the work, but a good part of this public information can be enumerated by hand: known public APIs, specific artifacts (known IDs), and whatever a default configuration or misconfiguration leaves exposed.

Azure AD Reconnaissance

You’ll know the domain name of the company for which you will perform the security test, and from that single piece of information you can obtain more, such as:

  • Tenant ID
  • Tenant Name
  • Domains
  • Mailboxes or shared mailboxes
  • Email IDs
  • Valid or invalid Users
  • Public Azure Blobs
  • Any other Azure services that the organization uses

Note: In most cases, the Microsoft cloud is built on three primary components: Tenant, Core-Domain, and Subscription. 

Recon Actions

There are various ways to recon and enumerate the Microsoft Cloud: known tools, manual queries, or other tooling. What counts as recon for the Microsoft Cloud? We can start manually with the public APIs that expose information about any Azure AD tenant, for example:

The OpenID Configuration 

Information type: the tenant's OpenID/OAuth endpoints (authorization endpoint, token endpoint, device_authorization_endpoint), the tenant ID embedded in the issuer URL, tenant_region_scope, and much more.

URL: https://login.microsoftonline.com/domain.com/.well-known/openid-configuration

The UserRealm

Information type: login information for the domain, including the tenant (brand) name and the domain's authentication type (NameSpaceType Managed or Federated; Unknown means no tenant has verified the domain).

URL: https://login.microsoftonline.com/GetUserRealm.srf?login=test@test.com

The CredentialType

Information type: Login information, including Desktop SSO information

URL: login.microsoftonline.com/common/GetCredentialType

To use this type, you need to call to POST request to ‘https://login.microsoftonline.com/common/GetCredentialType‘ with a JSON body containing the email id as below (use Python to run it)

import requests

# GetCredentialType takes a JSON body with the username to check.
# IfExistsResult 0 means the account exists in Azure AD; 1 means it does not.
url = "https://login.microsoftonline.com/common/GetCredentialType"
body = {"Username": "test@domain.com"}
response = requests.post(url, json=body, timeout=10).json()
if response.get("IfExistsResult") == 0:
    print("Valid User")
else:
    print("Invalid user (or a different identity provider)")

Note: You can use any other Public URL based on a specific service to recon information, such as mail, document, blob, etc. 
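As an added example (not code from the original post and not part of AADInternals), the script below builds the three endpoint URLs described above and interprets their responses offline: it extracts the tenant ID from the OpenID configuration, reads the domain type from GetUserRealm, and turns a list of candidate users into verdicts from GetCredentialType. All sample JSON documents are constructed, not captured from a real tenant; the IfExistsResult code mapping is an assumption taken from what public enumeration tooling documents rather than an official reference; and the injected fake_post_credential_type function stands in for a live requests.post so the enumeration loop runs without network access.

```python
import re
from urllib.parse import quote

LOGIN_BASE = "https://login.microsoftonline.com"

# GUID pattern used to pull the tenant ID out of the OpenID configuration URLs.
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# IfExistsResult codes as documented by public enumeration tooling
# (assumption: not an official Microsoft reference; other codes are reported as unknown).
IF_EXISTS = {
    0: "exists",
    1: "does not exist",
    5: "exists (different identity provider)",
    6: "exists (Azure AD and another identity provider)",
}


def openid_config_url(domain):
    """Unauthenticated endpoint exposing the tenant's OAuth endpoints and tenant ID."""
    return f"{LOGIN_BASE}/{domain}/.well-known/openid-configuration"


def user_realm_url(login):
    """Unauthenticated endpoint exposing whether a domain is Managed or Federated."""
    return f"{LOGIN_BASE}/GetUserRealm.srf?login={quote(login)}"


def credential_type_request(username):
    """URL and JSON body for a GetCredentialType POST (use requests.post(url, json=body))."""
    return f"{LOGIN_BASE}/common/GetCredentialType", {"Username": username}


def tenant_id_from_openid(doc):
    """The tenant GUID appears in the issuer and in every endpoint URL of the document."""
    for key in ("issuer", "token_endpoint", "authorization_endpoint"):
        match = GUID_RE.search(doc.get(key, ""))
        if match:
            return match.group(0).lower()
    return None


def user_realm_summary(doc):
    """NameSpaceType Unknown means no tenant has verified the domain."""
    namespace = doc.get("NameSpaceType", "Unknown")
    return {
        "tenant_exists": namespace in ("Managed", "Federated"),
        "namespace_type": namespace,
        "brand": doc.get("FederationBrandName"),
        "federation_auth_url": doc.get("AuthURL"),  # only present for Federated domains
    }


def classify_credential_type(doc):
    """Map a GetCredentialType response to a verdict; a throttled answer is not a 'no'."""
    if doc.get("ThrottleStatus") == 1:
        return "throttled"
    return IF_EXISTS.get(doc.get("IfExistsResult"), "unknown code")


def enumerate_users(candidates, post_credential_type):
    """Check each candidate via the injected POST function; stop at the first throttle
    so rate limiting is not silently recorded as 'user does not exist'."""
    results = {}
    for user in candidates:
        verdict = classify_credential_type(post_credential_type(user))
        results[user] = verdict
        if verdict == "throttled":
            break
    return results


# --- Constructed sample responses (not captured from any real tenant) ---
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_OPENID = {
    "issuer": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "token_endpoint": f"{LOGIN_BASE}/{SAMPLE_TENANT}/oauth2/token",
    "tenant_region_scope": "EU",
}
SAMPLE_REALM_FEDERATED = {
    "NameSpaceType": "Federated",
    "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.example.com/adfs/ls/",
}
SAMPLE_REALM_UNKNOWN = {"NameSpaceType": "Unknown", "Login": "x@example.invalid"}


def fake_post_credential_type(username):
    """Stand-in for the live POST: canned answers, then a throttle for anything else."""
    canned = {
        "alice@example.com": {"IfExistsResult": 0, "ThrottleStatus": 0},
        "bob@example.com": {"IfExistsResult": 1, "ThrottleStatus": 0},
        "carol@example.com": {"IfExistsResult": 5, "ThrottleStatus": 0},
    }
    return canned.get(username, {"IfExistsResult": 1, "ThrottleStatus": 1})


if __name__ == "__main__":
    print(openid_config_url("example.com"), user_realm_url("test@example.com"))
    print("tenant id:", tenant_id_from_openid(SAMPLE_OPENID))
    print(user_realm_summary(SAMPLE_REALM_FEDERATED), user_realm_summary(SAMPLE_REALM_UNKNOWN))
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "erin@example.com"]
    print(enumerate_users(candidates, fake_post_credential_type))
```

Against a real tenant you would replace fake_post_credential_type with a function that POSTs the body returned by credential_type_request and returns the parsed JSON; the loop stops on ThrottleStatus so that a rate-limited run does not report every remaining candidate as nonexistent, which is the most common way wordlist-based enumeration produces false negatives.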

Using AADInternals

First, we need to know that AADInternals has an outsider mode. An outsider is a user who has no access to the target organization's tenant. Outsiders can extract information from any tenant using publicly available APIs and DNS queries; see the AADInternals kill chain post in the references for more details. The ultimate goal of an outsider is to gain a guest, user, or admin role.

With AADInternals this is more straightforward, because everything is a PowerShell module. The primary commands are:

Get-AADIntLoginInformation

This function returns login information for the given user or domain.

Run the following command with the targeted domain: Get-AADIntLoginInformation -Domain domain.com

Get-AADIntTenantID

This function returns the tenant ID for the given user, domain, or access token.

Run the following command with the targeted domain: Get-AADIntTenantID -Domain domain.com

Get-AADIntOpenIDConfiguration

This function returns the open ID configuration for the given user or domain.

Run the following command with the targeted domain: Get-AADIntOpenIDConfiguration -Domain domain.com

Invoke-AADIntReconAsOutsider

Starts tenant recon of the given domain. Gets all verified tenant domains and extracts information such as their type.

Run the following command with the targeted domain: Invoke-AADIntReconAsOutsider -Domain domain.com

You can add the parameter -GetRelayingParties to also retrieve the relying parties of the federated domains' identity providers.

Invoke-AADIntUserEnumerationAsOutsider

Checks whether the given users exist in the tenant, as an outsider, and supports three enumeration methods:

  • Normal – Initially it worked only if the user was in a tenant where Desktop SSO was enabled for any domain (it queries the GetCredentialType endpoint shown above).
  • Login – Works with any tenant, but enumeration queries are logged to the Azure AD sign-in log as failed login events!
  • Autologon – Works with any tenant, and enumeration queries are not logged.

Invoke-AADIntUserEnumerationAsOutsider with a user list

Run the following command with a file of candidate user names (one per line; the path is the author's example): Get-Content /Users/admin/Documents/Code/aad-users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

Are you looking for advanced ways to recon the cloud, especially the Microsoft Cloud? If you’ve got an application ID, the reconnaissance can be extended to scan all of the users in this tenant. We can use PowerShell with different modules and known client IDs to improve it. You can leverage

Note: Next post, I will describe an advanced way to run external recon the cloud and enumerate internal users.

References

https://aadinternals.com/aadkillchain/

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/Reconnaissance/