Information Gathering / Reconnaissance

Introduction

We can use public APIs to reveal information about an organization's Azure environment. The goal of our information gathering / reconnaissance is to determine the following:

  • Domain names

  • User login information

  • Desktop SSO information

  • Tenant names and additional information

  • Any resources that exist in the Azure environment

DNS Suffixes

There is a long list of DNS suffixes that we can use to perform reconnaissance on a target to determine if certain resources exist within a tenant.

Azure AD reconnaissance

AADInternals is a great tool to perform reconnaissance on any Azure AD tenant.

There are several publicly available APIs which will expose information of any Azure AD tenant:

| API | Information | AADInternals function |
|-----|-------------|-----------------------|
| login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including tenant ID | Get-AADIntTenantID -Domain <domain> |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
| login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including tenant name and domain authentication type | Get-AADIntLoginInformation -UserName <UserName> |
| login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |
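As an added example (not from this page and not AADInternals code), the Python below parses constructed copies of the responses from the openid-configuration, GetUserRealm.srf and GetCredentialType endpoints listed above into a single summary of what a tenant publicly exposes, which is the view an organization wants when reviewing its own domain. The field names used (issuer, tenant_region_scope, NameSpaceType, DomainName, FederationBrandName, EstsProperties.DesktopSsoEnabled) are assumptions about the response shape, and every sample value is made up.

```python
import json
import re

# Constructed sample responses modelled on the three public endpoints above.
# Field names are assumptions; the tenant ID, domain and brand are made up.
OPENID_CONFIG = json.dumps({
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tenant_region_scope": "EU",
})
USER_REALM = json.dumps({
    "NameSpaceType": "Federated",
    "DomainName": "example.com",
    "FederationBrandName": "Example Corp",
})
CREDENTIAL_TYPE = json.dumps({
    "EstsProperties": {"DesktopSsoEnabled": True},
})

# The tenant ID is the GUID path segment of the issuer URL.
TENANT_ID_RE = re.compile(r"login\.microsoftonline\.com/([0-9a-f-]{36})/", re.I)


def tenant_id_from_openid(body: str):
    """Extract the tenant ID from the issuer field of the OpenID configuration."""
    issuer = json.loads(body).get("issuer", "")
    match = TENANT_ID_RE.search(issuer)
    return match.group(1) if match else None


def realm_summary(body: str) -> dict:
    """NameSpaceType (Managed / Federated / Unknown) is the domain's authentication type."""
    realm = json.loads(body)
    return {
        "domain": realm.get("DomainName"),
        "auth_type": realm.get("NameSpaceType", "Unknown"),
        "federation_brand": realm.get("FederationBrandName"),
    }


def desktop_sso_enabled(body: str) -> bool:
    """Desktop SSO state is reported under EstsProperties; absent means disabled."""
    props = json.loads(body).get("EstsProperties") or {}
    return bool(props.get("DesktopSsoEnabled", False))


def public_footprint(openid_body: str, realm_body: str, credtype_body: str) -> dict:
    """Combine the three responses into one view of what the tenant exposes."""
    out = {
        "tenant_id": tenant_id_from_openid(openid_body),
        "region": json.loads(openid_body).get("tenant_region_scope"),
    }
    out.update(realm_summary(realm_body))
    out["desktop_sso"] = desktop_sso_enabled(credtype_body)
    return out


if __name__ == "__main__":
    print(public_footprint(OPENID_CONFIG, USER_REALM, CREDENTIAL_TYPE))
```

A Federated auth_type with Desktop SSO enabled is the combination worth reviewing, since both facts are readable by anyone without authentication.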
