Category: Miscellaneous

Azure | Enumerating Azure Services

Hi!

In this article, I will show you how you can leverage the MicroBurst tool to anonymously enumerate Azure services.

Please find below a list of DNS suffixes associated with the Azure Services:

DNS Suffix                     Associated Azure Service
file.core.windows.net          Storage Accounts – Files
blob.core.windows.net          Storage Accounts – Blobs
queue.core.windows.net         Storage Accounts – Queues
table.core.windows.net         Storage Accounts – Tables
azurewebsites.net              App Services and Function Apps
scm.azurewebsites.net          App Services – Management
database.windows.net           Databases – MSSQL
documents.azure.com            Databases – Cosmos DB
azurecontainer.io              Container Instances
azurecr.io                     Container Registry
redis.cache.windows.net        Redis
azureedge.net                  CDN
search.windows.net             Search Appliance
azure-api.net                  API Services
cloudapp.azure.com             Customer-assigned public IP DNS
vault.azure.net                Key Vault

To conduct this enumeration, we will use the MicroBurst tool (the script lives in the repository's Misc folder):

https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureSubDomains.ps1

git clone https://github.com/NetSPI/MicroBurst.git
cd .\MicroBurst
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base yourkeyword

You can also supply your own list of permutations with the -Permutations parameter:

Invoke-EnumerateAzureSubDomains -Base yourkeyword -Permutations ".\permutations.txt"

Maxime.

AAD | Password Spray Attack

Hi!

Previous articles:

In this article, I will show how you can run a password spray attack against your Azure environment.

Password spray is one of the most popular attacks, accounting for more than a third of account compromises in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are "low and slow", where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant's view, there are so few login attempts with such poor consistency that the attack is undetectable. A customer might only see one or two failed logins from these attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protections like password lockout and malicious IP blocking.

To conduct this attack, we will use the MSOLSpray tool.

Invoke-MSOLSpray -UserList .\userlist.txt -Password YourPassword

To detect this attack, I recommend using an Azure AD Premium P2 licence with the Azure AD Identity Protection feature: the password-spray detection risk alert.

Example of a password spray attack and the corresponding incident response playbook:

https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
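As an added example (not part of the original article or of any Microsoft tooling), the following Python script shows the basic spray signature a defender can look for in Azure AD sign-in logs: one source IP producing wrong-password failures (result code 50126) against many distinct accounts, with only one or two attempts per account. The sign-in records, the IP addresses and the account names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Azure AD sign-in log records (not real data).
# errorCode 50126 is the "invalid username or password" sign-in result.
SAMPLE_SIGNINS = [
    {"time": "2023-05-01T08:00:05Z", "upn": "alice@contoso.example", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-05-01T08:00:09Z", "upn": "bob@contoso.example", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-05-01T08:00:14Z", "upn": "carol@contoso.example", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-05-01T08:00:20Z", "upn": "dave@contoso.example", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-05-01T08:00:26Z", "upn": "erin@contoso.example", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-05-01T08:00:31Z", "upn": "frank@contoso.example", "ip": "203.0.113.10", "errorCode": 0},
    # One user mistyping their own password three times is not a spray.
    {"time": "2023-05-01T08:05:00Z", "upn": "grace@contoso.example", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-05-01T08:05:30Z", "upn": "grace@contoso.example", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-05-01T08:06:00Z", "upn": "grace@contoso.example", "ip": "198.51.100.7", "errorCode": 50126},
]

FAILED_PASSWORD = 50126


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Return {ip: sorted list of targeted UPNs} for every source IP that produced
    wrong-password failures against at least `min_users` distinct accounts, with no
    single account tried more than `max_per_user` times, inside a sliding `window`."""
    failures = defaultdict(list)  # ip -> [(time, upn), ...]
    for event in events:
        if event["errorCode"] == FAILED_PASSWORD:
            failures[event["ip"]].append((parse_time(event["time"]), event["upn"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span attempts[start:end+1] fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, upn in attempts[start:end + 1]:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
    return hits


if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts targeted")
```

Grouping by source IP catches the single-source case only; the distributed "low and slow" variant described above spreads the attempts over many IPs, which is why the tenant-wide Identity Protection detection is the recommended control.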

Maxime.

AAD | Enumerate valid emails/accounts

Hi!

Previous article: AAD | Enabled or not?

In this article, I will show you how you can enumerate valid emails/accounts of an Azure Active Directory. By sending a POST request to 'https://login.microsoftonline.com/common/GetCredentialType' with a JSON body containing the email address, it is possible to check whether that email address is valid. If the "IfExistsResult" key has the value 0, the user exists. Invalid accounts return a 1.

Example in python:

import requests

body = {"Username": "random.name@XYZ.com"}
url = "https://login.microsoftonline.com/common/GetCredentialType"
response = requests.post(url, json=body, timeout=10).json()
# IfExistsResult 0 means the account exists, 1 means it does not
if response["IfExistsResult"] == 0:
    print("Valid User")
else:
    print("Invalid User")

To automate this enumeration, I will use o365creeper. This script takes either a single email address or a list of email addresses as input and sends a request to Office 365 without a password to check whether each address is valid.

python o365creeper.py -e user@yourdomain.com

Maxime.