Resources for Azure Penetration Testing
https://login.microsoftonline.com/getuserrealm.srf?login=username@someco.onmicrosoft.com&xml=1
NameSpaceType = Managed ==> PHS or PTA is used
NameSpaceType = Federated ==> Federation provider is used
https://login.microsoftonline.com/something.com/v2.0/.well-known/openid-configuration
Provides tenant ID. Useful when SPN credentials are found.
https://github.com/trufflesecurity/truffleHog
https://github.com/michenriksen/gitrob
https://github.com/zricethezav/gitleaks
- PowerMeta
- FOCA
https://login.microsoftonline.com/common/oauth2/token
https://login.microsoftonline.com/common/GetCredentialType
# Source: https://o365blog.com/post/desktopsso/
# Set the user names to a variable (or read from .csv etc)
$users=@("valid.user@company.com","valid.user@company.onmicrosoft.com","invalid.user@company.com","valid.user_gmail.com#EXT#@company.onmicrosoft.com")
# Loop trough all users
foreach($user in $users)
{
$exists = Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/GetCredentialType" -ContentType "application/json" -Method POST -Body (@{"username"="$user"; "isOtherIdpSupported" = $true}|ConvertTo-Json) | Select -ExpandProperty IfExistsResult
$properties = [ordered]@{"Username"=$user; "Exists"=$($exists -eq 0 -or $exists -eq 6)}
New-Object -TypeName PSObject -Property $properties
}NOTE: This will take a while!
Install-Module -Name Az
Connect-AzAccount
Get-Module -ListAvailable Az.*
Get-Command -Module Az.AccountsGet-AzDomain
Get-AzSubscription
Get-AzTenantGet-Command -Verb Get -Module Az.* | Select-String VM
Get-AzVMGet-Command -Verb Get -Module Az.* | Select-String "IP"
Get-AzPublicIpAddressGet-AzPublicIpAddress | Select-Object Name,IPAddress,PublicIPAllocationMethod