DriveEnum - OneDrive User Enumeration Tool

A production-ready Python tool for enumerating valid Microsoft 365 users through OneDrive personal site URL validation. Features intelligent rate limiting, automatic state persistence, and comprehensive error handling.

Overview

DriveEnum validates user accounts by checking OneDrive personal site URLs without authentication. The tool identifies valid users based on HTTP response codes:

• 401/403: Valid user with active OneDrive
• 404: Invalid user or user without OneDrive initialized
• 429/503: Rate limiting detected (automatic pause/resume)

Features

Core Functionality

• Auto-Tenant Detection: Automatically extracts tenant from domain - no manual tenant lookup needed
• State Persistence: Optional resume capability - fresh start by default, resume with --resume flag
• Smart Retry Logic: Maximum 3 retry attempts per user, automatically skips repeatedly failing users
• Verbose Mode: Detailed response information including URLs, status codes, and headers for debugging
• Error Recovery: Continues scanning even when errors occur - never stops until all users processed
• Progress Tracking: Real-time console updates with statistics and ETA
• Comprehensive Reporting: Detailed reports with valid users, errors, and scan statistics

Advanced Anti-Detection

• Request Randomization: Random delays (jitter) between requests (0.5-3.0s default)
• Batch Randomization: Randomized batch sizes (450-550 default) and delays (25-35 min)
• User-Agent Rotation: Cycles through 6 realistic browser User-Agent strings
• Session Rotation: Creates new HTTP sessions every 100 requests to avoid fingerprinting
• User Order Shuffling: Randomizes enumeration order to avoid sequential patterns
• Exponential Backoff: Automatically increases delays after consecutive rate limits (2x, 4x, 8x...)
• Enhanced Headers: Mimics real browser behavior with Sec-Fetch-* headers, DNT, etc.
• Soft Failure Detection: Detects connection errors and timeouts as potential blocking indicators

Rate Limiting Protection

• Intelligent Rate Limiting: Configurable batch processing with automatic detection of Microsoft's throttling
• Automatic Pause/Resume: Honors Retry-After headers and implements smart backoff strategies
• Consecutive Limit Tracking: Monitors repeated rate limits and applies progressively longer delays
• Session Reset on Limits: Automatically rotates sessions after multiple consecutive rate limits

Installation

Requirements

• Python 3.7+
• Required packages: requests, urllib3

Setup

# Clone the repository
git clone https://github.com/hackandbackpack/driveenum.git
cd driveenum

# Install dependencies
pip install requests urllib3

# Verify installation
python driveenum.py --help

Configuration

The tool uses a config.json file for default settings. A default configuration is created automatically on first run.

Default Configuration

{
  "batch_size": 500,
  "batch_size_variance": 50,
  "batch_delay_minutes": 30,
  "batch_delay_variance": 5,
  "request_timeout": 10,
  "request_jitter_min": 0.5,
  "request_jitter_max": 3.0,
  "retry_after_multiplier": 1.5,
  "session_rotation_requests": 100,
  "exponential_backoff_base": 2.0,
  "max_backoff_minutes": 120,
  "shuffle_user_order": true,
  "rotate_user_agents": true,
  "verify_ssl": true
}

Configuration Options

Core Settings

• batch_size: Base number of users to check before automatic pause (default: 500)
• batch_size_variance: Random variance applied to batch size (default: ±50)
• batch_delay_minutes: Base minutes to wait between batches (default: 30)
• batch_delay_variance: Random variance applied to batch delay (default: ±5 minutes)
• request_timeout: HTTP request timeout in seconds (default: 10)

Anti-Detection Features

• request_jitter_min: Minimum random delay between requests in seconds (default: 0.5)
• request_jitter_max: Maximum random delay between requests in seconds (default: 3.0)
• shuffle_user_order: Randomize the order users are checked (default: true)
• rotate_user_agents: Rotate through different User-Agent strings (default: true)
• session_rotation_requests: Rotate HTTP session every N requests (default: 100)

Rate Limiting & Backoff

• retry_after_multiplier: Multiplier for Retry-After header values (default: 1.5)
• exponential_backoff_base: Base multiplier for exponential backoff (default: 2.0)
• max_backoff_minutes: Maximum backoff time in minutes (default: 120)

Other

• verify_ssl: Enable/disable SSL certificate verification (default: true)

Usage

Basic Usage

python driveenum.py -d <domain> -u <users_file>

Note: The tenant name is automatically extracted from the domain (e.g., "contoso.com" → "contoso").

Required Arguments

• -d, --domain: Email domain (e.g., "contoso.com") - tenant auto-detected
• -u, --users: File containing usernames (one per line)

Optional Arguments

• -c, --config: Custom configuration file (default: config.json)
• -s, --state: State file for saving progress (default: state.json)
• -o, --output: Output directory for reports (default: results)
• --resume [FILE]: Resume from previous scan (optionally specify state file)
• -v, --verbose: Show response details for every user checked

Examples

Basic Enumeration (Fresh Start)

python driveenum.py -d contoso.com -u users.txt

Verbose Mode (Show All Responses)

python driveenum.py -d contoso.com -u users.txt -v

Resume Previous Scan

python driveenum.py -d contoso.com -u users.txt --resume

Resume from Specific State File

python driveenum.py -d contoso.com -u users.txt --resume old_scan_state.json

Custom Configuration

python driveenum.py -d contoso.com -u users.txt -c custom_config.json

User Input File Format

Create a text file with one username or email per line:

# Lines starting with # are ignored
john.doe
jane.smith
admin
test.user@contoso.com

The tool accepts both username-only format and full email addresses. If an email is provided, the username is automatically extracted.

Anti-Detection Mechanisms

DriveEnum implements multiple layers of protection against detection and blocking:

1. Request Randomization

Problem: Perfectly timed requests create detectable patterns Solution: Random "jitter" delays of 0.5-3.0 seconds between each request, making timing appear human-like

2. Batch Size Randomization

Problem: Exactly 500 requests followed by exactly 30-minute pause = obvious bot Solution: Batch sizes vary between 450-550, delays vary between 25-35 minutes (configurable)

3. User-Agent Rotation

Problem: Same User-Agent for thousands of requests is suspicious Solution: Rotates through 6 realistic browser User-Agent strings including Chrome, Edge, Firefox, and Safari

4. Session Rotation

Problem: Reusing same HTTP session creates identifiable connection fingerprint Solution: Creates fresh session every 100 requests (configurable), clearing cookies and resetting connections

5. Order Randomization

Problem: Sequential enumeration (user1, user2, user3) reveals automated scanning Solution: Shuffles user list before enumeration begins, creating unpredictable patterns

6. Enhanced Headers

Problem: Missing browser headers reveal non-browser traffic Solution: Includes modern browser headers:

• Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
• DNT (Do Not Track)
• Upgrade-Insecure-Requests
• Realistic Accept headers with quality values

7. Exponential Backoff

Problem: Consistent retry timing after rate limits increases detection risk Solution: Implements exponential backoff on consecutive rate limits:

• 1st rate limit: Base delay (e.g., 30 minutes)
• 2nd consecutive: 2x delay (60 minutes)
• 3rd consecutive: 4x delay (120 minutes, capped at max_backoff_minutes)

8. Soft Failure Detection

Problem: Hard blocks manifest as timeouts/connection errors, not just 429 responses Solution: Detects and logs connection errors and timeouts as potential blocking indicators

Detection Risk Levels

Low Risk (Default Configuration):

• Random delays: 0.5-3.0s between requests
• Batch variance: ±50 users
• Delay variance: ±5 minutes
• Session rotation: Every 100 requests
• Result: Appears like slow, inconsistent user activity

Medium Risk (Faster Scanning):

{
  "request_jitter_min": 0.2,
  "request_jitter_max": 1.0,
  "batch_size": 1000,
  "batch_delay_minutes": 15
}

High Risk (Maximum Speed):

{
  "request_jitter_min": 0,
  "request_jitter_max": 0.5,
  "batch_size": 2000,
  "batch_delay_minutes": 5,
  "shuffle_user_order": false,
  "rotate_user_agents": false
}

⚠️ Not recommended - easily detected and blocked

How It Works

Enumeration Technique

DriveEnum exploits the predictable structure of OneDrive personal site URLs:

https://<tenant>-my.sharepoint.com/personal/<username>_<domain>_com/_layouts/15/onedrive.aspx

The tool makes HTTP HEAD requests to these URLs and interprets the response codes:

1. 403 Forbidden or 401 Unauthorized: Indicates a valid user account with OneDrive access
2. 404 Not Found: Indicates either an invalid user or a valid user who hasn't initialized OneDrive
3. 429 Too Many Requests: Microsoft's rate limiting - triggers automatic pause
4. 503 Service Unavailable: Server overload - triggers automatic pause

Rate Limiting Detection & Avoidance

Microsoft actively monitors and throttles excessive OneDrive enumeration attempts. DriveEnum handles this through multiple strategies:

1. Pre-emptive Batching: Processes users in configurable batches (default: 500) with delays between batches (default: 30 minutes)
2. Automatic Detection: Immediately identifies 429/503 responses indicating rate limiting
3. Retry-After Honor: Respects Microsoft's Retry-After header when provided
4. Exponential Backoff: Multiplies wait times on repeated rate limiting (configurable)
5. State Preservation: Saves progress before each pause, enabling seamless resume

State Persistence

The tool maintains a state.json file that tracks:

• Users already checked
• Valid users found (with timestamps and status codes)
• Errors encountered
• Current batch number
• Scan statistics

This enables:

• Resuming scans after interruption (Ctrl+C, crashes, rate limiting)
• Avoiding duplicate checks
• Retry capability for errored users
• Progress persistence across sessions

State files use atomic writes to prevent corruption.

Output & Reporting

Console Output

Real-time progress display includes:

• Progress percentage and user count
• Valid/invalid/error statistics
• Current scan rate (users/second)
• Estimated time remaining (ETA)
• Current user being checked

Report Files

Generated in the results/ directory:

1. valid_users_YYYYMMDD_HHMMSS.txt: List of valid users found

   # Valid OneDrive Users
   # Generated: 2025-01-15T10:30:45
   # Total: 42
   
   john.doe@contoso.com     (Status: 403)
   jane.smith@contoso.com   (Status: 401)
   ...
   

2. report_YYYYMMDD_HHMMSS.txt: Detailed scan report

   • Scan metadata (tenant, domain, timestamps)
   • Summary statistics
   • Complete list of valid users
   • Error details for failed checks

Rate Limiting Best Practices

Recommended Settings

For stealth operations (avoiding detection):

{
  "batch_size": 250,
  "batch_delay_minutes": 45
}

For faster scans (higher risk of detection):

{
  "batch_size": 1000,
  "batch_delay_minutes": 15
}

For maximum stealth (very slow, minimal detection risk):

{
  "batch_size": 100,
  "batch_delay_minutes": 60
}

Understanding Microsoft's Throttling

Microsoft's throttling is based on:

• Number of requests from a single IP
• Time window of requests
• Number of non-existent resources accessed
• Overall SharePoint/OneDrive service load

Key Indicators of Imminent Throttling:

• Increased response times
• Occasional 503 errors
• Retry-After headers appearing

When Throttled:

• The tool automatically pauses
• Wait time is calculated from Retry-After header or config
• State is saved before pausing
• Countdown timer displays remaining wait time
• Scan resumes automatically after wait period

Troubleshooting

Issue: "Rate limited" errors appearing frequently

Solution: Increase batch delay or decrease batch size in config.json:

{
  "batch_size": 250,
  "batch_delay_minutes": 45
}

Issue: Connection timeouts

Solution: Increase request timeout in config.json:

{
  "request_timeout": 20
}

Issue: SSL verification errors

Solution: Disable SSL verification (not recommended for production):

{
  "verify_ssl": false
}

Issue: State file corrupted

Solution: Delete state.json and restart scan with --fresh flag:

rm state.json
python driveenum.py -t contoso -d contoso.com -u users.txt --fresh

Issue: Want to check only errored users from previous scan

Solution: Extract errored usernames from state.json errors array and create new input file, or manually edit state.json to remove checked_users entries for users you want to recheck.

Security & Ethical Considerations

Legal & Ethical Use

This tool is designed for authorized security assessments only. Ensure you have:

• Written permission from the target organization
• Clear scope definition in your engagement contract
• Approval from relevant stakeholders

Disclaimer

DriveEnum is provided for educational and authorized security testing purposes only. Unauthorized enumeration of user accounts may violate:

• Computer Fraud and Abuse Act (CFAA)
• Unauthorized Access laws
• Microsoft Terms of Service
• Organization security policies

Users are solely responsible for ensuring their use complies with all applicable laws and regulations.

Detection Concerns

While OneDrive enumeration is generally considered passive:

• Microsoft logs all requests to their infrastructure
• Excessive requests may trigger security alerts
• Large-scale enumeration may be detected through behavioral analysis
• Always follow engagement rules and stay within scope

Technical Details

Architecture

DriveEnum
├── ConfigManager       # Configuration loading and validation
├── StateManager        # State persistence and recovery
├── OneDriveEnumerator  # Core HTTP enumeration engine
├── ProgressDisplay     # Real-time console output
├── ReportGenerator     # Report creation and file I/O
└── DriveEnum           # Main orchestrator

Dependencies

• requests: HTTP library with retry logic and session management
• urllib3: Advanced HTTP features and connection pooling

Python Version

• Minimum: Python 3.7
• Recommended: Python 3.9+
• Tested on: Python 3.9, 3.10, 3.11

Development

Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Submit a pull request

Testing

# Test with a small user list first
python driveenum.py -t contoso -d contoso.com -u test_users.txt

# Verify state persistence
# 1. Start a scan
# 2. Press Ctrl+C to interrupt
# 3. Restart with same command
# 4. Verify it resumes from saved position

FAQ

Q: How long does a typical scan take? A: Depends on user count and batch settings. With defaults (500 users/30min), expect ~1 hour per 1000 users.

Q: Can I run multiple instances simultaneously? A: Not recommended from the same IP - increases throttling risk. Use separate IPs if needed.

Q: What if my user list has duplicates? A: The tool doesn't automatically deduplicate input, but state tracking prevents rechecking users in resumed scans.

Q: Can I pause and resume manually? A: Yes, press Ctrl+C to interrupt. Run the same command to resume.

Q: Does this work for GCC High or other Microsoft clouds? A: Currently designed for commercial OneDrive. May require URL pattern adjustments for other clouds.

Q: What's the success rate for user enumeration? A: Depends on organization settings. 403 indicates confirmed valid users with OneDrive. 404 could be invalid OR valid without OneDrive initialized.

Changelog

Version 1.0.0 (Initial Release)

• Core enumeration engine
• Intelligent rate limiting with auto-pause
• State persistence for resume capability
• Configurable batch processing
• Real-time progress display
• Comprehensive reporting
• Error recovery and retry logic

License

This project is provided as-is for educational and authorized security testing purposes.

Credits

Inspired by research from:

• TrustedSec - OneDrive to Enum Them All
• nyxgeek/onedrive_user_enum

Contact

For issues, questions, or contributions:

• GitHub Issues: https://github.com/hackandbackpack/driveenum/issues
• Pull Requests: https://github.com/hackandbackpack/driveenum/pulls

---

Remember: Always obtain proper authorization before conducting security assessments.