- Traditional host discovery still applies
- After host discovery, resolve all names, then perform whois lookups to determine where they are hosted.
- Microsoft, Amazon or Google IP space usually indicates cloud service usage.
- Check MX records. These can reveal cloud-hosted mail providers (e.g. *.mail.protection.outlook.com for Microsoft 365, aspmx.l.google.com for Google Workspace).
- Recon-NG https://github.com/lanmaster53/recon-ng
- OWASP Amass https://github.com/OWASP/Amass
- Spiderfoot https://www.spiderfoot.net/
- Gobuster https://github.com/OJ/gobuster
- Sublist3r https://github.com/aboul3la/Sublist3r
- Use search engines; Bing and Google are good places to start.
- Certificate transparency https://crt.sh/
- Shodan https://shodan.io
- Query examples: org:"Target name", net:"CIDR range", port:443
- Censys https://censys.io
- Hackertarget https://hackertarget.com/
- Threatcrowd https://www.threatcrowd.org/
- DNSDumpster https://dnsdumpster.com/
- ARIN Searches https://whois.arin.net/ui/
gobuster dns -d <target domain> -w <wordlist>
- Azure Netblocks https://www.microsoft.com/en-us/download/details.aspx?id=56519 (Azure IP Ranges and Service Tags, public cloud)
- AWS Netblocks https://ip-ranges.amazonaws.com/ip-ranges.json
- GCP Netblocks https://www.gstatic.com/ipranges/cloud.json
- ip2provider https://github.com/oldrho/ip2provider maps a list of IPs to the cloud provider that owns the netblock:
cat iplist.txt | python ip2provider.py
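The netblock check above, as an added example (not part of the original notes and not the ip2provider script): it reads the three public range feeds in their native JSON layouts and does longest-prefix matching with the standard library. The prefixes embedded below are a small constructed sample that mirrors each feed's structure, not the real lists; load_feed() fetches the real ones.

```python
"""Tag resolved IPs with the cloud provider that publishes their netblock."""
import ipaddress
import json
import sys
import urllib.request

# Public range feeds (Azure's JSON is linked from its download page).
FEEDS = {
    "AWS": "https://ip-ranges.amazonaws.com/ip-ranges.json",
    "GCP": "https://www.gstatic.com/ipranges/cloud.json",
    "Azure": "https://www.microsoft.com/en-us/download/details.aspx?id=56519",
}

# Constructed samples that mirror each feed's real structure (not the real lists).
SAMPLE_AWS = {
    "prefixes": [{"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"}],
    "ipv6_prefixes": [{"ipv6_prefix": "2600:1f18::/32", "region": "us-east-1", "service": "AMAZON"}],
}
SAMPLE_GCP = {
    "prefixes": [
        {"ipv4Prefix": "34.64.0.0/10", "service": "Google Cloud", "scope": "asia-northeast3"},
        {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"},
    ]
}
SAMPLE_AZURE = {
    "values": [{"name": "AzureCloud.eastus",
                "properties": {"region": "eastus", "addressPrefixes": ["20.42.0.0/17"]}}]
}


def load_feed(url):
    """Download and parse one feed (network access; the sample run below does not call it)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def load_cloud_ranges(aws=None, gcp=None, azure=None):
    """Flatten the three feed layouts into (network, provider, region), most specific first."""
    ranges = []
    for p in (aws or {}).get("prefixes", []):
        ranges.append((ipaddress.ip_network(p["ip_prefix"]), "AWS", p.get("region", "")))
    for p in (aws or {}).get("ipv6_prefixes", []):
        ranges.append((ipaddress.ip_network(p["ipv6_prefix"]), "AWS", p.get("region", "")))
    for p in (gcp or {}).get("prefixes", []):
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        ranges.append((ipaddress.ip_network(cidr), "GCP", p.get("scope", "")))
    for v in (azure or {}).get("values", []):
        props = v.get("properties", {})
        for cidr in props.get("addressPrefixes", []):
            ranges.append((ipaddress.ip_network(cidr), "Azure", props.get("region", "")))
    # Longest prefix first so the most specific block wins on overlap.
    ranges.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return ranges


def classify_ip(ip, ranges):
    """Return (provider, region) for the first matching netblock, or None."""
    addr = ipaddress.ip_address(ip)
    for net, provider, region in ranges:
        if addr.version == net.version and addr in net:
            return provider, region
    return None


def classify_lines(lines, ranges):
    """Classify an iplist.txt-style input; hostnames and non-IP lines map to None, blanks/comments are skipped."""
    out = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            out[line] = classify_ip(line, ranges)
        except ValueError:
            out[line] = None
    return out


if __name__ == "__main__":
    # cat iplist.txt | python cloud_tag.py   (sample ranges; swap in load_feed(FEEDS[...]) for real data)
    ranges = load_cloud_ranges(SAMPLE_AWS, SAMPLE_GCP, SAMPLE_AZURE)
    for ip, hit in classify_lines(sys.stdin, ranges).items():
        print(f"{ip}\t{hit[0]} ({hit[1]})" if hit else f"{ip}\t-")
```

For the real Azure file, download the JSON linked from the details page and pass it as the azure argument; its values[].properties.addressPrefixes layout is what load_cloud_ranges() reads.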
- Append the target domain to the following URL; if the tenant exists the endpoint returns the OpenID configuration (a nonexistent tenant returns an error):
https://#.microsoftonline.com/<TARGET DOMAIN>/v2.0/.well-known/openid-configuration
- Try to authenticate with a valid company email address at Google; an address in a Google Workspace tenant gets past the email step, an unknown account is rejected there
- https://accounts.google.com/
- Check if any resources are being loaded from S3 buckets
- Using Burp, navigate the web app and check for any calls to
https://[bucketname].s3.amazonaws.com
or https://s3-[region].amazonaws.com/[bucketname] (bucket names often contain the org name)
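Pulling those bucket references out of proxied responses, and reading the result of an unauthenticated probe of each bucket, as an added example (not part of the original notes). The HTML snippet and the S3 XML responses below are constructed samples; the URL forms are the real virtual-hosted and path-style S3 addressing schemes.

```python
"""Extract S3 bucket references from HTTP responses and interpret bucket probes."""
import re

# Bucket name: 3-63 chars of lowercase letters, digits, dots and hyphens.
_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# s3.amazonaws.com, s3.<region>.amazonaws.com or the legacy s3-<region>.amazonaws.com
_S3_HOST = r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"

# https://<bucket>.s3[.region].amazonaws.com/...  (lookahead rejects look-alike hosts)
VIRTUAL_HOSTED = re.compile(r"https?://" + _BUCKET + r"\." + _S3_HOST + r"(?![a-z0-9.-])", re.I)
# https://s3[-region].amazonaws.com/<bucket>/...
PATH_STYLE = re.compile(r"https?://" + _S3_HOST + r"/" + _BUCKET, re.I)

# Constructed sample response, with one decoy host that must not match.
SAMPLE_HTML = """<!-- constructed sample -->
<script src="https://acme-static.s3.amazonaws.com/js/app.js"></script>
<img src="https://acme-static.s3.eu-west-1.amazonaws.com/img/logo.png">
<img src="https://s3-eu-west-1.amazonaws.com/acme-uploads/avatars/1.png">
<a href="https://s3.us-east-2.amazonaws.com/acme-backups/">backups</a>
<link href="https://cdn.acme.example/style.css">
<a href="https://acme-static.s3.amazonaws.com.evil.example/">decoy</a>
"""

# Constructed S3 responses in the shape of the real XML.
SAMPLE_LISTING = ('<?xml version="1.0" encoding="UTF-8"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                  '<Name>acme-static</Name><Contents><Key>js/app.js</Key></Contents></ListBucketResult>')
SAMPLE_DENIED = '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'
SAMPLE_MISSING = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                  '<Message>The specified bucket does not exist</Message><BucketName>acme-nope</BucketName></Error>')


def find_s3_buckets(text):
    """Map each bucket name found in text to the set of addressing styles it was seen with."""
    found = {}
    for style, pattern in (("virtual-hosted", VIRTUAL_HOSTED), ("path-style", PATH_STYLE)):
        for m in pattern.finditer(text):
            found.setdefault(m.group(1).lower(), set()).add(style)
    return found


def bucket_probe_url(bucket):
    """Unauthenticated listing request for a bucket (virtual-hosted form)."""
    return f"https://{bucket}.s3.amazonaws.com/"


def interpret_s3_probe(status, body):
    """Classify S3's answer to GET bucket_probe_url(bucket) with no credentials."""
    if status == 200 and "<ListBucketResult" in body:
        return "exists, anonymous listing allowed"
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "does not exist"
    if status == 403 and "<Code>AccessDenied</Code>" in body:
        return "exists, listing denied (try individual object reads or authenticated access)"
    if status == 301 and "<Code>PermanentRedirect</Code>" in body:
        return "exists in another region (use the Endpoint from the response)"
    return f"unexpected response: HTTP {status}"


if __name__ == "__main__":
    for bucket, styles in sorted(find_s3_buckets(SAMPLE_HTML).items()):
        print(bucket, ", ".join(sorted(styles)), bucket_probe_url(bucket))
    print("acme-static:", interpret_s3_probe(200, SAMPLE_LISTING))
```

Feed it a Burp export (Save items, or the raw response bodies) rather than a single page: script bundles and JSON API responses carry most bucket references.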
- Look for any login portals
- https://companyname.account.box.com
- Build a user list with linkedin
- Determine username scheme via public file metadata (PDF, DOCX, XLSX, etc)
- Azure AD user enumeration can be performed against https://#.microsoft.com/common/oauth2/token
- The AADSTS error code in the response tells you if a user exists or not (AADSTS50034 = the account does not exist; codes such as AADSTS50126, invalid password, mean it does)
- MSOLSpray https://github.com/dafthack/MSOLSpray uses these codes to detect invalid users (as well as locked, disabled and MFA-protected accounts) while password spraying
- Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud. getuserrealm.srf reports the NameSpaceType (Managed, Federated, or Unknown when no tenant exists) and, for federated domains, the AuthURL of the on-prem identity provider:
https://#.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://#.microsoftonline.com/getuserrealm.srf?login=root@defcorphq.onmicrosoft.com&xml=1
https://#.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://#.microsoftonline.com/defcorphq.onmicrosoft.com/.well-known/openid-configuration
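The tenant and user existence checks from the last two sections, as an added example that is not from the original notes, AADInternals or MSOLSpray. It assumes the public-cloud hosts login.microsoftonline.com (realm and OpenID discovery) and login.microsoft.com (v1 token endpoint, as MSOLSpray uses); the responses embedded below are constructed samples in the shape of the real ones, and only fetch() touches the network.

```python
"""Tenant and user existence checks against the Microsoft login endpoints."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LOGIN_HOST = "login.microsoftonline.com"                 # assumption: public cloud
TOKEN_URL = "https://login.microsoft.com/common/oauth2/token"


def userrealm_url(login, host=LOGIN_HOST):
    return f"https://{host}/getuserrealm.srf?login={urllib.parse.quote(login)}&xml=1"


def openid_config_url(domain, host=LOGIN_HOST):
    return f"https://{host}/{domain}/v2.0/.well-known/openid-configuration"


def fetch(url, data=None):
    """GET (or POST urlencoded bytes) and return (status, body); 4xx bodies are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def parse_userrealm(xml_text):
    """Managed = cloud-only tenant, Federated = on-prem IdP at AuthURL, Unknown = no tenant."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(tag) or "").strip()
    info = {"namespace_type": text("NameSpaceType"), "domain": text("DomainName"),
            "brand": text("FederationBrandName"), "auth_url": text("AuthURL")}
    if info["namespace_type"] == "Managed":
        info["verdict"] = "tenant exists, cloud (managed) authentication"
    elif info["namespace_type"] == "Federated":
        info["verdict"] = f"tenant exists, federated; on-prem credentials accepted at {info['auth_url']}"
    else:
        info["verdict"] = "no Entra ID / O365 tenant for this domain"
    return info


def tenant_id_from_openid_config(body):
    """Tenant GUID from the issuer URL; None when discovery returns an error (AADSTS90002, tenant not found)."""
    doc = json.loads(body)
    if "error" in doc:
        return None
    m = re.search(r"/([0-9a-f-]{36})/", doc.get("issuer", ""))
    return m.group(1) if m else None


# v1 token endpoint AADSTS codes for a password grant: (meaning, user exists, password valid)
AADSTS = {
    "AADSTS50034": ("user does not exist", False, False),
    "AADSTS50126": ("user exists, wrong password", True, False),
    "AADSTS50053": ("user exists, account locked out", True, None),
    "AADSTS50057": ("user exists, account disabled", True, None),
    "AADSTS50055": ("user exists, password correct but expired", True, True),
    "AADSTS50076": ("user exists, password correct, MFA required", True, True),
    "AADSTS50079": ("user exists, password correct, MFA enrollment required", True, True),
    "AADSTS50158": ("user exists, password correct, conditional access challenge", True, True),
    "AADSTS53003": ("user exists, password correct, blocked by conditional access", True, True),
    "AADSTS50128": ("domain has no tenant", None, None),
    "AADSTS50059": ("domain has no tenant", None, None),
}


def classify_token_response(status, body):
    """Turn the token endpoint's JSON into code / user_exists / password_valid / meaning."""
    doc = json.loads(body)
    if status == 200 and "access_token" in doc:
        return {"code": None, "user_exists": True, "password_valid": True, "meaning": "valid credentials, no MFA"}
    m = re.search(r"AADSTS\d+", doc.get("error_description", ""))
    code = m.group(0) if m else None
    meaning, exists, pw_ok = AADSTS.get(code, ("unknown error code", None, None))
    return {"code": code, "user_exists": exists, "password_valid": pw_ok, "meaning": meaning}


def password_grant_body(username, password, client_id):
    """Form body for POST TOKEN_URL; client_id is a public first-party app id the caller supplies (assumption)."""
    return urllib.parse.urlencode({"grant_type": "password", "resource": "https://graph.windows.net",
                                   "client_id": client_id, "username": username, "password": password,
                                   "scope": "openid"}).encode()


# Constructed samples (target.example is a placeholder domain).
SAMPLE_REALM_FEDERATED = """<RealmInfo Success="true"><State>3</State><UserState>2</UserState>
<Login>root@target.example</Login><NameSpaceType>Federated</NameSpaceType><DomainName>target.example</DomainName>
<AuthURL>https://adfs.target.example/adfs/ls/</AuthURL><FederationBrandName>Target Corp</FederationBrandName>
<CloudInstanceName>microsoftonline.com</CloudInstanceName></RealmInfo>"""
SAMPLE_REALM_UNKNOWN = '<RealmInfo Success="true"><State>4</State><NameSpaceType>Unknown</NameSpaceType></RealmInfo>'
SAMPLE_OPENID_OK = '{"issuer":"https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"}'
SAMPLE_OPENID_MISSING = '{"error":"invalid_tenant","error_description":"AADSTS90002: Tenant not found."}'
SAMPLE_TOKEN_NOUSER = '{"error":"invalid_grant","error_description":"AADSTS50034: The user account does not exist in the directory.","error_codes":[50034]}'
SAMPLE_TOKEN_BADPW = '{"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.","error_codes":[50126]}'
```

Live use is fetch(userrealm_url(user)), fetch(openid_config_url(domain)) and fetch(TOKEN_URL, password_grant_body(user, pw, client_id)) fed into the parsers; the realm and discovery lookups are unauthenticated and leave no failed sign-in, the token request is a sign-in attempt and counts against lockout.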
https://github.com/Gerenios/AADInternals https://o365blog.com/aadinternals/
import-module .\AADInternals.psd1
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Get-AADIntLoginInformation -UserName <RANDOM USER>@<DOMAIN>
Get-AADIntTenantID -Domain <DOMAIN>
Get-AADIntTenantDomains -Domain <DOMAIN>
- https://github.com/NetSPI/MicroBurst
- Edit Misc/permutations.txt to add permutations such as career, hr, users, file and backup
Import-Module MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base <SHORT DOMAIN NAME> -Verbose
- Add permutations like common, backup and code to Misc/permutations.txt before running.
Import-Module ./MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
- https://github.com/LMGsec/o365creeper
- Gather a list of emails with something like theHarvester or hunter.io and validate them with o365creeper
- admin, root, test, contact (try these defaults for the exam)
python o365creeper.py -f list_of_emails.txt -o validemails.txt
- Possible to use https://github.com/nyxgeek/onedrive_user_enum (not a lab tool)