# 1. Perform Reconnaissance on Azure

## 1. Azure Reconnaissance with AADInternals

AADInternals is primarily focused on auditing and attacking Azure Active Directory (AAD) environments, it can still be utilized as part of a broader cloud reconnaissance effort. This tool has several features such as user enumeration, credential extraction, token extraction and manipulation, privilege escalation, etc.

{% embed url="<https://github.com/Gerenios/AADInternals>" %}

In the PowerShell window run **Install-Module AADInternals** command to install AADInternals module.

```
 Install-Module AADInternals
```

Now, run **Import-Module AADInternals** command, to import **AADInternals** module

```
Import-Module AADInternals
```

<figure><img src="/files/y5tpyoevsF8P9V4VN5KI" alt=""><figcaption></figcaption></figure>

Now, we will gather the publicly available information of a target Azure AD such as Tenant brand, Tenant name, Tenant ID along with the names of the verified domains.

In the PowerShell window run the follwoing command.

```
Invoke-AADIntReconAsOutsider -DomainName company.com | Format-table
```

> In the above command replace the company.com with the target company's domain (here, we are using eccouncil.org).

<figure><img src="/files/DhoKw2kqaBNyHJXKXSyJ" alt=""><figcaption></figcaption></figure>

From the above screenshot we can gather information such as **DNS**, **MX**, **SPF**, **DMARC**, **DKIM** etc.

Now, we will perform user enumeration in Azure AD, in the PowerShell window type

```
 Invoke-AADIntUserEnumerationAsOutsider -UserName user@company.com
```

<figure><img src="/files/KCYQbxsisfrGGAtgyzyl" alt=""><figcaption></figcaption></figure>

We can see that the result appears, **True** under **Exists** field which implies that the Azure account with the given username exists and the attacker can perform further attacks. We can also perform the user enumeration by placing the usernames in a text file, by running

```
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```

Where the users.txt file contains the target email addresses

Now, to get login information for a domain type.

```
Get-AADIntLoginInformation -Domain company.com
```

<figure><img src="/files/0qU0cAQA8XxKEQi3MiNy" alt=""><figcaption></figcaption></figure>

Now, to get login information for a user type

```
Get-AADIntLoginInformation -Domain user@company 
```

To get the tenant ID for the given user, domain, or Access Token, type

```
Get-AADIntTenantID -Domain company.com
```

To get registered domains from the tenant of the given domain

```
Get-AADIntTenantDomains -Domain company.com
```

Alternatively you can visit the following website and perform the same actions

{% embed url="<https://aadinternals.com/osint/>" %}

### CEHv13 Prep Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ceh-practical.cavementech.com/module-19.-cloud-computing/1.-perform-reconnaissance-on-azure.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.