Enumerating Azure Federated Domains
May 09, 2018Enumeration Introduction
There are a wealth of blog posts and tools for enumerating domains. This is often the first step of an engagement and can allow things to play out like this:
- Your target is lolware.net
- You cannot find any vulnerabilities at https://lolware.net
- There is a waiting vulnerability at https://ctadvisor.lolware.net, if only you knew the domain existed
Most of the automated tooling however is focused on subdomains.
Outside the Subdomain
Several notable write ups have identified totally separate domains utilising sheer luck. For example, looking at any facebook.com page will probably lead an attacker to knowing about the existence of fbcdn.net.
Enter Microsoft Exchange Federation
Microsoft Exchange includes a “Federation” feature. Microsoft document the feature here: https://technet.microsoft.com/en-us/library/dd335047(v=exchg.150).aspx
Although this is an optional feature for Exchange on-premises, the advantage we have is:
- Workers are increasingly requesting this feature
- It is enabled by default in Exchange Online
Federation Involves Telling the World What You Have
The crux of this article is in the form of the Get-FederationInformation command.
Simply connect to Exchange Online, or open Powershell on any Exchange server.
PS > $UserCredential = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS > $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office36
5.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
PS > Import-PSSession $SessionAnd with that in place, let’s run the command against a domain currently making front page news:
PS > $fedinfo = Get-FederationInformation -DomainName amp.com.au
PS > $fedinfo.DomainNames
mws-email.amp.com.au
amp.com.au
ampadvice.com.au
ampbanking.com.au
ampcapital.com
hillross.com.au
ipac.com.auIf you were pentesting AMP, you have a range of domains to be throwing traditional subdomain enumeration tools at right there.
For a particularly interesting example look at Microsoft - just be aware the command will lag your session for a while.
PS > $fedinfo = Get-FederationInformation -DomainName microsoft.com
PS > $fedinfo.DomainNames
microsoft.onmicrosoft.com
microsoft.com
service.microsoft.com
xbox.com
microsoft.mail.onmicrosoft.com
skype.net
perceptivepixel.com
healthvault.com
nuvolarosa.eu
fieldone.com
adxstudio.com
msfts2.mail.onmicrosoft.com
microsoftstudios.com
shadmorris.com
linkedin.com
domains.microsoft
acompli.com
Intentional.com