# 1. Perform Reconnaissance on Azure

## 1. Azure Reconnaissance with AADInternals

Although AADInternals is primarily focused on auditing and attacking Azure Active Directory (AAD) environments, it can also be used as part of a broader cloud reconnaissance effort. The tool has several features, such as user enumeration, credential extraction, token extraction and manipulation, and privilege escalation.

{% embed url="<https://github.com/Gerenios/AADInternals>" %}

In the PowerShell window, run the **Install-Module AADInternals** command to install the AADInternals module.

```
Install-Module AADInternals
```

Now, run the **Import-Module AADInternals** command to import the **AADInternals** module.

```
Import-Module AADInternals
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWi0ES1H6EakyjYyIBboD%2Fimage.png?alt=media&#x26;token=cac3c4be-9033-4c67-8336-5dbf69923fbb" alt=""><figcaption></figcaption></figure>

Now, we will gather the publicly available information about a target Azure AD tenant, such as the tenant brand, tenant name, and tenant ID, along with the names of the verified domains.

In the PowerShell window, run the following command.

```
Invoke-AADIntReconAsOutsider -DomainName company.com | Format-table
```

> In the above command, replace company.com with the target company's domain (here, we are using eccouncil.org).

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FufooIaIrAWVqjZpt4idu%2Fimage.png?alt=media&#x26;token=ad96fa8c-80fe-4773-b83a-07058d3957fe" alt=""><figcaption></figcaption></figure>

From the above screenshot we can gather information such as **DNS**, **MX**, **SPF**, **DMARC**, **DKIM** etc.
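
The same mail-related columns are what a defender reviews for their own tenant. As an added example (not part of the original page or of the AADInternals project), the function below takes recon rows and lists verified domains that are missing SPF, DMARC or DKIM. The property names (`Name`, `DNS`, `MX`, `SPF`, `DMARC`, `DKIM`) are assumed to match the table columns, and the sample rows are constructed.

```powershell
# Added example, not AADInternals code. Property names are assumed to match
# the columns of the recon table (Name, DNS, MX, SPF, DMARC, DKIM).
function Get-MailAuthGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Domain
    )
    process {
        $missing = @()

        # SPF and DMARC are expected on every verified domain, including ones
        # that never send mail, because any domain can be spoofed as a sender.
        foreach ($control in 'SPF', 'DMARC') {
            if (-not $Domain.$control) { $missing += $control }
        }

        # DKIM is only expected on domains that handle mail. The MX column is
        # used here as a rough proxy for that (assumption of this example).
        if ($Domain.MX -and -not $Domain.DKIM) { $missing += 'DKIM' }

        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Domain.Name
                HasMX   = [bool]$Domain.MX
                Missing = $missing -join ', '
            }
        }
    }
}

# Constructed sample rows that mirror the recon output; not real tenant data.
$sample = @(
    [pscustomobject]@{ Name = 'corp.example';             DNS = $true; MX = $true;  SPF = $true;  DMARC = $true;  DKIM = $true  }
    [pscustomobject]@{ Name = 'corp.onmicrosoft.example'; DNS = $true; MX = $true;  SPF = $true;  DMARC = $false; DKIM = $false }
    [pscustomobject]@{ Name = 'parked.example';           DNS = $true; MX = $false; SPF = $false; DMARC = $false; DKIM = $false }
)

# Only the second and third sample domains are reported.
$sample | Get-MailAuthGap | Format-Table

# Against a domain you administer (requires the AADInternals module):
# Invoke-AADIntReconAsOutsider -DomainName <your-domain> | Get-MailAuthGap | Format-Table
```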

Now, we will perform user enumeration in Azure AD. In the PowerShell window, type:

```
Invoke-AADIntUserEnumerationAsOutsider -UserName user@company.com
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FcNq7mtHvJdyaKzMJmTP0%2Fimage.png?alt=media&#x26;token=608c563c-5291-42f3-a780-b83333b535c5" alt=""><figcaption></figcaption></figure>

The result shows **True** under the **Exists** field, which implies that the Azure account with the given username exists and the attacker can perform further attacks. We can also perform user enumeration by placing the usernames in a text file and running:

```
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```

Here, the users.txt file contains the target email addresses.

Now, to get login information for a domain, type:

```
Get-AADIntLoginInformation -Domain company.com
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FqCmXoqIit4FseJ9Tjef5%2Fimage.png?alt=media&#x26;token=2a639aaa-9c3a-4844-a963-4ff99bb63f25" alt=""><figcaption></figcaption></figure>

Now, to get login information for a user, type:

```
Get-AADIntLoginInformation -UserName user@company.com
```

To get the tenant ID for the given user, domain, or access token, type:

```
Get-AADIntTenantID -Domain company.com
```

To get the registered domains from the tenant of the given domain, type:

```
Get-AADIntTenantDomains -Domain company.com
```

Alternatively, you can visit the following website and perform the same actions:

{% embed url="<https://aadinternals.com/osint/>" %}

